If 2008 was the year of financial crisis, 2016 will be remembered as the year of political rupture. Everywhere, stable systems produced unexpected results as a majority of voters chose anti-establishment representatives. At the same time, the incumbent legislatures were passing new laws that, for the data industry, make 2016 the year everything changed.
These are the six events which shaped the new framework:
General Data Protection Regulation (GDPR)
24th May 2016 is likely to be etched into the memory of any data practitioner as the date when GDPR entered into force. After years of tough negotiations within the European Union, the final Regulation combined the bold vision originally set out by its architects in the European Commission with many of the existing practices already required under the Data Protection Act 1998.
Critically, the industry has been given two years to become GDPR compliant before the Regulation applies on 25th May 2018. That window matters given the many derogations set out in the new law, which leave member states room to vary the detail. The ICO was slow to start issuing guidance against its own published timetable, but the process has now begun. Close reading of these guidance notes will be an essential part of any GDPR programme next year.
A kickstart to those programmes will undoubtedly have come from the headline-grabbing new fines of up to 4% of global annual turnover (or €20 million, whichever is higher) for the most serious infringements. Estimates of the potential impact on UK firms ranged from £122 billion to £240 billion.
But it is some of the more technically demanding aspects of GDPR which have got the data industry worried. The new right to erasure (the "right to be forgotten") is looking particularly difficult for organisations to implement, since it requires tracing and deleting an individual's data across every system and processor that holds a copy. The requirement to notify the ICO within 72 hours of becoming aware of a personal data breach is a similarly large obstacle: most organisations today take far longer than that simply to establish what happened, and are struggling to understand how they will close the gap.
Laws need to be enforced, and 2016 saw a significant change at the Information Commissioner's Office with the arrival in July of Elizabeth Denham in the top job. After seven years, Christopher Graham bowed out of an office he described as in "good heart", albeit one facing some tough challenges.
Denham did not wait to make her intentions felt, swiftly moving to get "white hat" companies onside with compliance. Given the tough line being taken against data brokers trading records without consent and against nuisance callers, it is clear that the ICO is not waiting for 2018 and the enforcement of GDPR to make the full power of the regulator felt.
As news of the unexpected outcome of the EU membership referendum started to filter out on 24th June, many legal counsels and data protection officers reported getting the same query: "does this mean we don't have to worry about GDPR?". The answer, of course, is very much that we do. As an EU Regulation, GDPR was already part of UK law before the Brexit vote, and it will apply from May 2018, at least nine months before any EU exit happens.
Even as the timescale for that event continues to slip, concerns have been raised about how UK-based businesses will be able to continue to transfer data in and out of the EU. Critically, the UK will need data protection laws judged "essentially equivalent" to GDPR in order to secure an adequacy decision from the European Commission and so be considered a safe destination for European citizens' data after it leaves.
If lobbying around GDPR seemed like a triple triathlon, the collapse of Safe Harbour was more like a one-round knockout in a boxing match, followed by a rematch that went the full twelve rounds. Having been struck down by the Court of Justice of the EU in October 2015, Safe Harbour's replacement, Privacy Shield, immediately hit problems. The European Parliament just about managed to agree to it, but not without controversy.
Having passed that hurdle, the new rules for moving data between the EU and the US continued to meet resistance amid a feeling that the solution gave too much ground to American tech companies. Even after it had been adopted in July, European data protection regulators remained sceptical, and there continues to be a sense that Privacy Shield lacks credibility and may not survive a court challenge any better than its predecessor.
As if to prove European Commissioners right to worry about how to protect our personal information, 2016 was a year in which massive data breaches became the norm, not the exception. Humiliation was piled on top of embarrassment for TalkTalk as its failure to keep customers' data safe became ever more obvious, culminating in a record £400,000 ICO fine. But by the end of the year it had been overshadowed by Yahoo!, which disclosed in September that a 2014 breach had exposed 500 million accounts, then in December that a separate, earlier breach from 2013 had affected 1 billion.
Information security has been shaken out of its slumbering role as a mature practice, mostly considered to be about technical fixes, with the realisation that it has to be wrapped up in a culture of data governance: knowing what personal data is held, where, why and for how long. Any idea that personal information can ever be kept 100% secure was killed off during 2016, not least because individuals have had enough and started to punish companies which suffered a data breach by taking their business elsewhere.
Permission and trust
If there was a glimmer of hope for the data industry during the year, it mostly came in the very early signs of changes in approach that may get companies on the right side not only of GDPR, but also of consumers. In the wake of the awful year for charities in 2015, several came out with an entirely new, opt-in based approach to fundraising contact. Whether this is too little, too late remains to be seen, as consumer trust continued to be hard to find and the ICO took a tough line with the sector.
2016 was also the year in which consumers caught up with the fact that the convenience and cool of technology come at a cost, in terms of the data thrown off by all those devices and apps. Marketing may have latched on to big data in a big way across the year, but there were signs that consumers were not completely convinced. Explaining the data-value exchange and closing the deal with consumers very much remains a work in progress.