As a professional services business operating in a world driven by data and technology, Gemserv, like many businesses, finds itself changing its business operations dramatically due to the impact of Covid-19 and adapting its business model to the new normal. In this we are both custodians of datasets in the industries we serve and advisers to others on how to protect and secure data across business operations.
Like other major shocks, such as other epidemics or a major war, we see existing trends speeding up once the crisis has passed, and new societal norms coming into play. Beyond basic data protection and privacy compliance, we have identified many trends that have a direct impact on privacy and data protection – topics in which Gemserv is actively engaged.
The digital services environment, and the impact it has on individual rights, has become more complex as 2020 and the years beyond prove to be challenging with the ‘new normal’. Forward-looking technologies may also raise societal concerns as they play an increasing role in the digital world in which people will live. Privacy risks will, therefore, become more prominent due to the risks these technologies pose.
The Data Protection Authorities in Europe and the UK have revisited their strategies to address these complexities and will focus on high-impact areas which involve vulnerable persons such as children, the elderly, patients, complex processing of personal data and complex operations.
In our opinion, the following are likely to be at the forefront in 2020 and beyond:
Health Initiatives Related Privacy Issues
The rights to privacy and data protection are again at the centre of debates, with governments and businesses doing their best to reboot the economy by investing in innovative and ‘out of the ordinary’ ways to deal with the unprecedented situation. We expect the focus to be on the transparency of the processing of health-related information and protection from unauthorised access, disproportionate data sharing, and the legal need for large-scale data collections.
We will see a focus on the health care information of employees, especially where employers are rushing to adopt various technologies (facial recognition camera devices, contact tracing apps at work, health and distance tracking technologies) to keep sick workers at home and ensure the safety of those present in the office. Intensified workplace surveillance could become the new normal.
We will also see challenges around the processing of non-health data, such as location tracking data used for health monitoring purposes, which is likely to increase the risks to the privacy and security of individuals.
Artificial Intelligence and Data Ethics
Big data, automated decision-making, profiling, online behavioural tracking, surveillance and facial recognition – all are heavily debated topics, even more so in the age of Covid-19. All those technologies are already largely available and in use. While the ICO and other data protection authorities across the world are shaping their codes of conduct for the use of AI, with the aim of developing monitoring systems focused on how AI systems use personal data and automated decision-making without human intervention, we feel that many organisations will need support in assessing their AI solutions and documenting a framework of obligations on how their AI models are constructed and used. An Algorithmic Impact Assessment (the data ethics counterpart of a Data Protection Impact Assessment) can also be used as an effective way to measure and mitigate risks of bias and to make sure that meaningful human intervention is implemented.
Also, advertising and direct marketing in the online environment have become increasingly complex with the use of tracking technologies where large ecosystems are involved in the resale of personal data. Many Data Protection Authorities are focused on educating the public about their privacy rights by developing guidance materials and self-help tools and holding workshops. We raise public awareness of online privacy concerns and privacy by design through our webinars and blogs. We find that more and more people are reluctant to accept generalised online tracking to deliver targeted ads when such tracking can also be used as a weapon of political influence. Algorithms are now able to infer a large volume of characteristics from a very small amount of personal data.
Continuous scrutiny by data protection authorities, especially of large tech companies, is on the agenda, and increased suspicion by the public is leading large tech companies to slowly abandon cookies. Children’s online privacy is also a common theme among Data Protection Authorities in relation to online advertising. For instance, the ICO in the UK has recently published guidance on how the GDPR applies in the context of children using digital services.
The main concern today is whether we will see increased concentration in the AdTech industry, with the real-time advertising ecosystem destroyed to the benefit of Google and Facebook and their more pervasive tracking technologies, or whether the whole online advertising industry will take a different direction, towards contextual rather than interest-based advertising. What is sure at the moment is that the ePrivacy Directive (transposed into PECR in the UK) does not reflect the current situation of the internet – and the new legal framework, the ePrivacy Regulation, is stalling. The evolution in this area is going to be a highly debated topic in the years to come.
Internet of Things
With the roll-out of 5G, many new real-time connected solutions will push connected devices further into the market. Healthcare, wearables, autonomous vehicles… The possibilities and their promises are fascinating. An ongoing concern about connected devices in previous years has been the security and privacy of the data – and this is only going to increase. What categories of data are these devices actually collecting? What categories of data are the manufacturer or other third parties able to access? Is the device truly secured?
Security by design and privacy by design are going to be scrutinised by data protection authorities, and we can expect strong enforcement in the years to come, proportionate to the sensitivity of the data involved in some connected devices.
The Future Relationship between the UK and the EU
The UK leaving the EU raises many uncertainties – and data protection is not exempt. Will data flow freely between the UK and the EU? What about the UK and the U.S.? Are we going to witness more fragmentation in Europe in the interpretation of the GDPR, with an “EU GDPR” and a “UK GDPR”?
The answers to those questions are all pending and, as in other industries, there is a risk of loss of momentum in the current climate. Organisations could delay their privacy programmes while waiting for more clarity on the future position of the UK in the global exchange of personal data.
In conclusion, we see the impact of Covid-19 as speeding up existing trends and creating new ones. Whilst there is uncertainty, what is certain is that the GDPR is pivotal in unlocking the huge societal benefits from data and technology, whilst protecting the individual’s rights.