Individuals at all levels of an organisation play an important role in protecting personal data. Cisco’s annual Privacy Benchmark Study 2023 highlights the importance for firms of re-evaluating their privacy practices to ensure investment is being made in all relevant areas. Jackie Barlow, Senior Consultant Data Protection at Xcina Consulting, reviews the key recommendations, including updates to the Data Protection and Digital Information Bill that were introduced last week following several constructive discussions. The Bill has been on quite a journey and sets out specific aims, but how far does it go in increasing public and business confidence, and is it a welcome development for business leaders?
Data Privacy: Addressing the disconnect with customers
Cisco has released its annual Privacy Benchmark Study. The 2023 report considers the importance of data privacy to organisations.
Research has shown that despite economic conditions being less certain, businesses did not reduce their spending on privacy in 2022.
Companies have found that investment in data privacy has led to greater customer trust, increased business attractiveness, increased innovation, operational efficiency and a reduction in data breaches. The study highlights that the way that an organisation handles individuals’ data strongly indicates how it respects its customers.
A real concern for customers is the use of Artificial Intelligence (AI), and many have lost trust in organisations where data has been used for this purpose. Cisco’s study showed that 92% of respondents said organisations need to be doing more to reassure customers that their data is only being used for intended and legitimate purposes.
Organisations’ priorities in handling personal data are not always in line with those of their clients, particularly where AI technology is in use and where automated decisions are being made that affect individuals.
Some suggested measures for firms to reassure consumers when AI is used include: (i) ensuring a human is involved in the process; (ii) explaining how the AI application works; (iii) adopting AI ethics principles; (iv) carrying out audits to check for bias; and (v) giving customers the opportunity to opt out of AI.
Why it matters
The Cisco Study has found that 95% of companies consider data privacy to be crucial to their business.
It has shown that clients will share personal data with organisations but expect them to be transparent about their practices and treat the personal data appropriately. In the 2022 study 76% said they would not make a purchase from an organisation they don’t trust with their data.
As AI technology develops, customers are becoming more anxious about how their data could be exploited and, until there is sufficient trust, they want the option and flexibility to withdraw their details from such systems.
Organisations know the importance of being transparent, but they are also aware of how difficult it will be to explain exactly how the complex mathematics of algorithmic decision-making works to the individuals that are affected by it.
The study has shown that investment in privacy compliance is crucial and that organisations should focus on improving transparency and increasing trust, for data protection but also for AI. The task is not going to be simple.
The UK’s 10-year ‘AI Action Plan’ is still in its early stages. The Alan Turing Institute (the UK’s national institute for data science and artificial intelligence) is working together with the ICO on the action plan, and a framework will be developed for explaining processes, services and decisions delivered by AI, to improve transparency and accountability. Details can be found at National AI Strategy – AI Action Plan – GOV.UK (www.gov.uk).
UK Government: A new system of Data Protection – Is this a welcome development?
On 8 March 2023 the UK Government introduced the Data Protection and Digital Information (No.2) Bill. As the name suggests, this is the second version of the Bill, replacing the original published in July 2022.
The new Bill has been labelled a ‘common-sense-led’ version of the GDPR. Many of the changes reflect stakeholders’ feedback on their experience of the GDPR and aim to reduce the administrative burden on businesses, reform the ICO and promote innovation.
The main changes are covered in 11 parts:
- Records of processing only need to be maintained if the processing activity is likely to result in a high risk to the rights and freedoms of individuals.
- There is no longer a need for a Data Protection Officer. A ‘senior responsible individual’ will be accountable instead.
- Data protection impact assessments will not be needed; instead, businesses will need to produce an ‘assessment of high risk processing’.
- There will be no need to appoint a data protection representative in the UK if the data controller or data processor is not established in the UK.
- The threshold for refusing subject access requests that are ‘manifestly unfounded’ and ‘excessive’ will instead be ‘vexatious or excessive’, and data controllers will be able to take into account their resources and whether the request was meant to cause distress or was made in bad faith.
- The list of exemptions from the requirement for consent when placing cookies on a user’s terminal equipment will be expanded.
- The Bill will introduce a number of recognised ‘legitimate interests’, so if businesses can demonstrate that processing is necessary for these legitimate interests, they will not have to carry out legitimate interests assessments.
- In terms of international transfers, the Bill sets out a new standard by which organisations can assess the lawfulness of their use of alternative transfer mechanisms. They must act ‘reasonably and proportionately in considering whether the standard of protection given by the relevant transfer mechanism would result in materially lower standards than that of those in the UK GDPR’.
- The proposals state that all activities that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity, will be within the scope of ‘scientific research’.
- In direct marketing, non-commercial organisations (such as not-for-profits) can send electronic marketing communications without prior consent for the purposes of furthering charitable, political or other non-commercial objectives, but only if the individual’s contact details were obtained through a clear expression of interest in, or offer to support, the objective.
- Fines for nuisance calls and texts will be increased from the current maximum of £500,000 to a maximum of either 4% of a business’s global turnover or £17.5 million, whichever is greater.
Why it matters
The proposed changes are not unexpected, as they mostly align with the government’s response to its consultation, although there are a few useful amendments in areas such as record keeping, international transfers and scientific research.
The Bill is not a huge step away from the EU GDPR, probably because the UK Government is concerned about the risks of diverging too far, given that the EU-UK adequacy decision is due for review in 2024.
A key area likely to be welcomed by many UK businesses is the ability for data to flow more freely between the UK and the EEA, because the current administrative mechanisms are complicated and onerous.
The good news is that, overall, organisations that are already compliant with the UK GDPR will not have to make changes to comply with the new UK GDPR. The revised framework is unlikely to be difficult or costly to implement and should give organisations more flexibility in how they comply.
There will be a second reading which should take place in a few weeks. Progress on the new Bill will be closely watched by Europe.