Following Data Privacy Day (28 January 2024), we take a look at data protection areas to watch in 2024:
- Data Protection and Digital Information Bill – will progress through parliament, and based on current timescales looks likely to be given Royal Assent in 2024. The Bill refines, tweaks and clarifies established GDPR principles with the aim of bringing more clarity and proportionality to the UK GDPR e.g. by listing legitimate interests where no balancing test is required, clarifying the meaning of ‘research’ purposes and giving more certainty to when data is capable of being personal data. The changes will not require a significant compliance effort akin to preparation for GDPR in 2018, but organisations will want to re-assess their accountability documents and privacy frameworks in light of the changes.
- AI, AI and more AI – 2024 will see a real focus on AI. The ICO was quoted in November 2023 as saying “2024 cannot be the year that consumers lose trust in AI”. And the ICO has been quick off the blocks – one consultation on the adequacy of the ICO’s current tools on AI has already closed in January and another on further AI guidance has just launched. This will actually be the first of a series, looking to provide more specific answers to commonly asked questions. One objective in the ICO’s ICO25 plan is to undertake consensual audits with organisations to understand use of AI in recruitment. So expect to see plenty of output from the ICO on privacy compliance when using AI.
- International transfers – one freedom that the UK government wanted to use post-Brexit is the ability for the UK to make its own findings of adequacy to make free flow of data internationally friction-free where possible. In November 2022, the UK granted adequacy to the Republic of Korea. However, the UK is pushing for much bigger initiatives on a global scale. Over the last few years, the UK has helped negotiate the OECD’s Declaration on Government Access to Personal Data Held by Private Sector Entities and used its G7 Presidency to set out a Roadmap for Cooperation on Data Free Flow with Trust. Then in November 2023, the International Data Experts Council published its report on International Data Transfers which encourages a global initiative to create a future global framework for trusted flows of personal data between countries for maximum ease and benefits for all. Given the development of data protection laws globally and current conflicting and overlapping regimes, a global structure with mutual recognition for equivalent transfer tools would be a very welcome solution.
- Digital identity – The Department for Digital, Culture, Media & Sport (DCMS)’s work to implement the Digital Identity and Attributes Framework continues. The aspiration is to enable organisations to verify data subjects’ identity digitally, without requiring an individual to physically present themselves and their documents to organisations like banks, healthcare providers, estate agents etc but instead by drawing on digital attributes provided by third parties and certified by an assurance provider. The UK Accreditation Services has launched its pilot assessment programme for certification bodies that wish to certify Digital Identity assurance providers under the Digital Identity and Attributes Framework. Complementary legislation (Draft Digital Government (Disclosure of Information)(Identity Verification Services) Regulations 2023) is currently with Parliament to facilitate data sharing between government departments. This framework could remove the headache of having to verify the identity of individuals for many different types of organisations.
- Cybersecurity – and ensuring that appropriate technical and organisational measures are in place to protect data will remain a high priority for organisations in 2024. Cyber threats will continue to evolve, bringing new challenges and risks for business, with cyber criminals increasingly looking to use AI to help automate and optimise attacks, including through the use of deepfakes. Ransomware attacks in particular will continue to have severe consequences, such as financial losses, regulatory action, business disruption and reputational damage, for organisations that fall victim to such attacks. Supply chain threats remain a key risk, with the government concerned that a limited number of providers are carrying a disproportionately large amount of risk to businesses as a whole. Assuming that parliamentary time allows, we can expect updates to the Network and Information Systems Regulations in 2024 which, amongst other things, will bring managed service providers under greater regulatory scrutiny with the objective of improving the country’s cyber resilience.
If you have any questions, please contact Jocelyn Paulley or Helen Davenport.