28 January 2020
Happy Data Protection Day 2020!
OK. Data Protection Day probably isn’t the first date in the calendar you look for at the start of the new year. But while you might save the cake and balloons for another day, it does provide us with a timely opportunity to take stock of how things stand in the world of data protection and consider what developments organisations should be looking out for in 2020.
Did you know? 2020 brings about the 14th edition of Data Protection Day (known as Data Privacy Day outside of Europe), which has taken place on 28 January every year since 2007. The date marks the anniversary of a Council of Europe treaty that was signed in 1981 and which has been a cornerstone of data protection for several decades.
It is now 20 months since the General Data Protection Regulation (GDPR) came into force, to great fanfare, as the biggest shake-up to data protection law in two decades.
Its implementation and effects have continued into year two: it hit the headlines again in July 2019 when the UK’s supervisory authority – the Information Commissioner’s Office (ICO) – announced its intention to levy fines against British Airways and Marriott International in excess of £183 million and £99 million respectively for infringements of the GDPR.
These are, of course, exceptional cases. But while the ICO has been keen to emphasise that financial penalties will continue to be a last resort, these examples show that the ICO is prepared to exercise its enhanced enforcement powers where serious breaches occur and serve as a reminder to organisations to keep on top of their data protection compliance.
Data protection: the year ahead
Looking ahead in 2020, Brexit unsurprisingly takes centre stage.
In the short term at least, the status quo should be preserved – barring any last-minute hiccups, the UK will leave the EU with a deal on Friday (31 January 2020), meaning that the GDPR will continue to apply in the UK during the transition period that is due to run through to 31 December 2020.
However, any respite is likely to be short-lived. Once the transition period is underway, negotiations over the future EU-UK relationship will begin and any implications for the existing data protection regime should start to become clearer.
The UK is likely to need to secure an adequacy decision (meaning that the European Commission (EC) has determined that a country offers an equivalent level of data protection to that in the EU) to ensure uninterrupted data flows following the end of the transition period. While the European Commission has indicated that it will seek to start its assessment as soon as possible and with a view to adopting a decision by the end of 2020, there are no guarantees that the assessment will be completed in time or the applicable conditions met. If not, there could be significant consequences for data flows between the EU and the UK.
ICO statutory codes
Under the Data Protection Act 2018, the ICO is required to produce four statutory codes of practice focussing on:
- age appropriate design;
- data sharing;
- direct marketing; and
- data protection and journalism.
Work on the codes has already begun and finalising them is a priority for the ICO in 2020. These statutory codes are important because the ICO, courts and tribunals are required to take account of their provisions in any matters brought before them. As such, organisations would be well advised to review all applicable codes once they have been issued.
Data protection case law
There are a number of cases in both the UK and Europe that are currently working their way through the courts and which consider data protection issues. Data protection law will continue to mature as judgments are made and there may be consequences for the application and interpretation of the GDPR.
Data protection compliance is an on-going challenge and the corporate and commercial team at B P Collins can help to ensure that you are prepared in a time of change.