Data Protection: What’s in store for 2024?
- 28 December 2023
- Privacy and Data Protection
As 2023 ends, we take a look at some of the key trends and developments to watch out for in 2024.
The Data Protection and Digital Information Bill is intended to update and simplify the UK’s data protection framework with a view to reducing the burdens on organisations while preserving and maintaining high data protection standards.
We have set out the changes that the Bill will introduce in detail in our previous article which can be viewed here. However, some of the changes are as follows:
The Bill is making its way through Parliament and is expected to come into force in Spring 2024, so it’s one to watch out for.
The use of artificial intelligence in the workplace is rapidly evolving, with new technologies being developed all the time. Some examples of AI used by companies day to day include:
It is clear that AI, and other technological advances, are having a huge impact on data protection and that greater regulation and guidance are needed in these areas to help deal with this ever-evolving landscape. This will be a key trend during 2024.
We’re likely to see this becoming an agenda topic for many businesses, with a rise in internal training and policies related to AI use and, for those involved in the design of AI technology, consideration of data protection at the design stage. Companies will need to ensure that they have a lawful basis for their processing and will need to be transparent with individuals about how their data is being used. The data processed will need to be kept limited and up to date, and will need to be used only for the purpose for which it was originally processed. Appropriate technical and organisational measures will also need to be in place to ensure the security of the personal data. This is a lot for businesses to manage, and organisations are likely to continue grappling with these issues in 2024. Hopefully, the ICO will issue further guidance on the use of AI in 2024.
There has been a lot of activity around international transfers in 2023.
A new data bridge, which is an extension of the EU-US Data Privacy Framework, came into force in October 2023 and enables UK businesses to transfer personal data to certified US organisations. 2024 may well see challenges to this new data bridge, like those we have seen in the previous Schrems litigation.
Also in 2023, the UK became an associate of the Global Cross-Border Privacy Rules (“CBPR”) Forum. The CBPR is a voluntary, accountability-based scheme to help facilitate data transfers. Its membership is granted initially for a two-year period.
It is expected that, in 2024, the Government will continue this trend and seek to be involved in more international transfer arrangements and data bridges. Further, we may see other countries applying to join the Global CBPR Forum as associate members. We may also see more countries being given adequacy decisions under the EU GDPR.
Again, further guidance from the ICO is anticipated on international transfers, including potentially detailed guidance on the International Data Transfer Agreement and the UK Addendum to the EU standard contractual clauses.
In August 2023, the ICO and CMA published a blog addressing harmful website design that seeks to trick customers into providing more personal data than they would like to.
The main concern raised was in relation to “Cookie Banners” where companies make the ‘accept all’ button more prominent. The ICO’s position is that it should be as easy to reject non-essential cookies as it is to accept them.
Following this, in November 2023 the ICO wrote to some companies running many of the UK’s most visited websites, warning them that they face enforcement action if they fail to comply with data protection law.
It is expected that the ICO will provide an update in relation to cookies in January 2024, including details of companies written to in November that have not addressed the ICO’s concerns.
This year we saw some large companies make the headlines for big data breaches, caused by external hacking and internal human error.
On 8 August 2023, both the UK Electoral Commission and the Police Service of Northern Ireland (PSNI) announced serious data breaches. For the Electoral Commission, this appears to have been the result of a serious hack of their systems. For PSNI, the breach has been reported as the result of human error.
The ICO is currently investigating these breaches and has not yet announced what the penalties will be. This news is expected in 2024, and will serve as a strong reminder to all data controllers of the importance of data protection and of training employees on how to protect and handle personal data.
It’s certainly an interesting time for data protection and there’s a lot to watch out for! Please do not hesitate to contact our data protection lawyers.