A shifting landscape? The outlook for data regulation in 2023
What is happening?
With a relatively new Information Commissioner in the UK and a renewed focus on getting post-Brexit data protection laws through Parliament, attention is turning to the ICO’s priorities and how they fit into this new landscape.
Although the government is keen to loosen GDPR requirements to reduce the burden on business, retailers should remember that the ICO still has a range of different enforcement powers and new approaches may even come to the fore. What does this mean for retail businesses processing large volumes of consumer data?
Why does it matter?
The ICO’s published outlook and strategy provides some insight to help businesses plan and prioritise their compliance. During an evening with the Information Commissioner John Edwards organised by the City of London Law Society in January 2023, Edwards set out the priorities for enforcement and his aim to reduce uncertainty for businesses in the UK. His views are of particular relevance to retailers, whose large consumer datasets and marketing and personalisation activities put them in a higher risk category for enforcement.
What action should you consider?
During a Q&A with RPC partner Jon Bartley, the Commissioner noted that one of the problems facing UK businesses is uncertainty in how data protection law applies to novel technologies. The ICO will be stepping up its innovation advice service with a focus on consumer health tech (such as smartwatches with health monitoring capabilities), immersive technology (such as virtual reality headsets), decentralised finance (such as cryptocurrency), and next generation Internet of Things (such as smart home appliances).
In line with the ICO25 strategic plan, the Commissioner confirmed that much more information about the ICO’s work would be published in future, including making the new database of reprimands searchable, so that they are more useful for businesses seeking guidance on what good looks like. The Commissioner also suggested he’d like to introduce a system of issuing binding rulings, which also marks a move away from after the fact enforcement such as fines. Businesses would be able to apply to the ICO for preliminary judgments on the application of data protection law to specific commercial issues.
The introduction of the GDPR regime in 2018 has brought data protection compliance into the boardroom as a priority for many retailers. A potential consequence of this however is an over-emphasis on technical compliance and checking all the right boxes, rather than pragmatically assessing risk. The ICO is keen to avoid this, challenging businesses to give consideration to the real human impact of their data processing and clarifying that the ICO is most concerned with clear and immediate harm. While it is key for retailers to maintain a robust privacy programme and comply with the law as it stands, they should take the Commissioner’s comments as a vote of confidence in prioritising investment in security measures, “privacy by design” processing and respecting data subjects’ rights.
Looking to the future, the Commissioner gave a positive indication that the Government reforms, in the form of the redrafted Data Protection and Digital Information Bill that has been moving through Parliament since March 2023, would not stray too far from the standards of the GDPR. In large part, this is because the Government is keen to avoid losing EU adequacy for data transfers originating in the UK, due to the practical restrictions this would place on UK businesses. The Government has also confirmed, through comments at events by representatives of DCMS, that businesses will be able to continue with an EU GDPR-based compliance programme, so retailers can take comfort that it is unlikely they will need to spend significant sums to come into compliance with the new UK data protection regime and that there is no intention to run a dual-track compliance process.
While the ICO’s comments provide an insight into future priorities, a look into current and recent enforcement actions can be just as valuable. The ICO has trebled the value of total fines issued from 2021 to 2022, with the caveat that this increase was comprised of two large multi-million pound fines to a software company and a construction firm. A key component of this is that the value of fines imposed on businesses specifically relating to personal data being compromised through a cyber-attack have almost quadrupled, from £1,285,000 in late 2021 to £4,998,000 in 2022. Whilst the ICO has expressed an intention to try different forms of enforcement going forward, retailers should remember that the regulator can of course still issue fines for breaches of the UK data protection law.