Technology and advanced techniques for processing personal data have created opportunities for solving problems that have also put individual privacy at risk and introduced compliance and legal challenges. Today, just complying with laws is no longer enough. Data privacy and protection complexities require a deeper understanding of the ethics of collecting, using, and sharing personal data.
Approaching privacy and data protection with ethics means assessing its potential to harm people and society, generate negative behavior, or reflect discriminatory patterns. These ethics need to extend not only to data management but also to account security and transactions.
Ignoring this critical aspect of technology, solution, and product development can have severe consequences for individuals, society, and companies, including reputational damage and financial losses.
Striking a healthy balance between technology development and legal and ethical data processing is arduous. On March 8th – 9th, the IAPP Data Protection Intensive: U.K. 2023 Conference occurred in London. The event brought together privacy professionals from across the globe to discuss regulatory trends in data protection. Below are the main themes addressed in the event this year.
UK GDPR: The first day of the conference was also when the Data Protection and Digital Information (No.2) Bill was introduced to Parliament, which was heavily discussed throughout different sessions. If enacted, the Bill will implement changes to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations with the aim of simplifying data protection legislation for businesses. The Government reports that British companies are set to save over the next ten years £4.7 billion from the proposed reforms. The press release stated that the Bill will “introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws.” The main question remains: How will this Bill impact the U.K.’s EU GDPR adequacy status?
International Data Transfer: This topic was discussed on almost all panels I attended. International data transfers remain a top compliance and legal issue for European and global organizations, requiring continuous reevaluation and growing resources. Organizations struggle to understand how they can continue to transfer personal data outside the E.U., especially to the U.S., after the invalidation of the U.S. Privacy Shield. There was a widespread consensus that international transfer regulations are still blurry. A multinational agreement is required to avoid bogging companies down in compliance activity that is often disproportionate even to the data transfer risk.
Additionally, significant focus was placed on conducting a TIA (Transfer Impact Assessment), a legal obligation for all EU-based data exporters who intend to carry out a restricted transfer by relying on one of the transfer tools. In practice, many organizations find conducting a TIA challenging. The conference showcased the experiences, best practices, and tips from legal practitioners about implementing the TIAs quickly.
Artificial Intelligence: Increasingly, organizations are engaging artificial intelligence and machine learning technologies to support data analytics and automated decision-making. These companies face challenges in understanding the privacy, ethics, and data compliance implications of different use cases. Throughout the conference, privacy experts shared real-world case studies that balanced emerging regulatory requirements, privacy rights, and ethical concerns with innovation and recognition of differences in cultural and civil expectations. Specifically, one challenge discussed the difficulty of conceptualizing “artificial intelligence” and the increased number of countries discussing bills to regulate A.I. A special panel focused on the A.I. Act Proposal, published by the European Commission in April 2021 but still awaiting agreement and approval. According to the panelists, the A.I. Act is not expected to be applied until 2025.
Transparency: Virtually all panels mentioned the importance of transparency in dealing with issues related to privacy policies, international transfers, and cookies, among other topics. There is no question that more companies must find ways to explain in a clear and accessible way how they process data, for what purposes, and which protection measures they apply to it. Individuals are increasingly aware of their rights to request transparency and look to these policies to choose between competitors.Approaching #privacy and #dataprotection with ethics beyond regulations means assessing its potential to harm people and society, generate negative behavior, or reflect discriminatory patterns. #respectdataClick to Tweet
Technological and regulatory advances are happening at an accelerated pace worldwide. Companies need to keep up with these changes in order to ensure their compliance but also to remain competitive in the market. Similarly, governments and regulatory bodies must look out for their citizens’ best interests while balancing international relations.