2020 saw some high-profile data breaches as a result of hacks, including Twitter, Marriott Hotels, MGM, Blackbaud, Estee Lauder and EasyJet among many others. All suffered data breaches affecting a significant number of data subjects, whether through direct attacks or through their supply chain.
Towards the end of the year it was also revealed that US Government agencies including the Pentagon had fallen victim as well (the so-called 'SolarWinds' attack). The Information Commissioner's Office (ICO) handed out fines to those caught by UK data laws and commented that where hacks and vulnerabilities are known and published on the National Cyber Security Centre website, organisations should be prepared.
In 2021 we expect to hear of more large-scale hacks on big business and data breaches as a result. We also expect that hackers will target more public sector organisations such as universities, schools and hospitals for data.
As commented on in more detail in our other article this month, the UK has applied for a finding of adequacy, which, if granted, will mean that personal data can continue to flow freely from the EEA to the UK following Brexit. It had been hoped that the UK would have been granted adequacy prior to the end of the Brexit transition period. This hasn't happened but the UK and the EU have agreed that personal data can continue to flow for a period of up to six months to enable the EU to continue to assess the adequacy of UK data protection laws. If an adequacy finding is not forthcoming, then transfers of personal data from the EEA to the UK will be subject to additional restrictions.
We saw a continued increase in subject access requests in 2020 - particularly from students after the exam algorithm chaos and from aggrieved employees. However, we're starting to see an increase in the use of other rights, especially erasure requests. These requests are coming from unsuccessful job applicants, employees and students who have left an organisation, and dissatisfied customers. We expect a continued rise in the use of data protection rights through 2021 and we anticipate both the frequency and complexity of requests to increase.
We have also seen a greater public interest in privacy notices - particularly around the test and trace and coronavirus (COVID-19) data sharing. We expect greater scrutiny of privacy notices to continue and will continue advising our clients that their privacy notices really are their 'shop front' for demonstrating good data protection practice to clients and prospects.
The use of AI is becoming ever more prevalent. Often AI is used in the context of processing large quantities of personal data in order to generate insights about individuals (such as predicting the types of marketing an individual would best respond to).
The use of AI can have significant implications for data protection compliance, and is now attracting regulatory attention with the ICO having published its guidance on AI last year and with more guidance promised.
Children's data was a key focus of the ICO last year. The foundations were laid with a sandbox on children's data and the publication of the Age Appropriate Design Code. Organisations whose activities are caught by the Code have until September 2021 to ensure they comply. The ICO also completed an audit of the Department for Education with less-than-favourable comments. We expect the ICO to take a tough stance on those processing children's data, with investigations from September onwards where businesses are not heeding the guidance set out in the Code, and fines are predicted for early 2022. TikTok is also facing a legal challenge in relation to the use of children's data - the outcome of which may be illuminating.
With the continued prevalence of ed-tech and e-learning, this will be an area of great interest for the Commissioner as well as parents.