2022, what a year it has been for data protection in the UK. There has been domestic economic and political uncertainty, including three separate Prime Ministers in as many months, as well as international uncertainty with the conflict in Ukraine, and legal uncertainty around post-Brexit legal reform. It is definitely safe to say that the key theme of this year has been ‘uncertainty’, which (ironically) has become something we can be certain about.
Given all that has happened in the last 12 months, we thought we would round the year off by taking a look at 2022’s DP Index results and the shifting attitudes of data protection professionals across the UK. The UK Data Protection Index asks over 500 Data Protection Officers (DPOs) across the UK for their views on data protection. Our privacy professionals represent both in-house DPOs and consultants.
Since the first DP Index report, we have consistently asked our panel of DPOs to rate, on a scale of 1 to 10, how compliant they consider their organisation to be with UK data protection laws. This quarter, 51% of respondents scored their organisation an 8 or above. This is down from 57% in the last quarter and represents a further fall when compared to the second quarter of this year. However, during the first quarter of 2022, only 52% of DPOs scored their organisation an 8 or above, so despite the slight increase throughout the middle part of the year, attitudes towards organisational compliance have remained fairly similar.
This quarter we also saw a dip in confidence levels regarding organisations’ compliance with data subject rights requests. (Under UK and EU data protection regulation, data subjects have a number of rights available to them, including the right to be informed, access, rectification, erasure, restrict processing, data portability, to object and further rights in relation to automated decision making and profiling.) DPOs’ perception of their organisation’s compliance with individuals’ rights requests has “fallen significantly” this quarter, down six percentage points. This has been an area that has seen a considerable decline since Q1 of this year, which incidentally was when we experienced the highest-ever recorded levels of confidence in this area. Confidence in the areas of data security and policies and procedures has also fallen this quarter.
One reason for this downward trend could be due to the current uncertainty regarding pending data protection reform and the continued indecisiveness of the Department of Culture, Media and Sport (DCMS) around the plans for our post-Brexit data protection regime resulting in confusion regarding current requirements vs future requirements. In addition, the current economic crisis in the UK means that organisations may not be focusing their time and resources on data protection as much as they may have previously, leading to compliance declines.
The increased use of AI has been a big trend for a couple of years and the same momentum continued into 2022; but has change begun? This quarter saw a significant decrease in the number of privacy professionals who claimed that AI and machine learning were the biggest compliance challenges for their organisation – a fall from 13% last quarter to just 7%. So, is this because fewer companies are choosing to implement AI technologies, or because DPOs are simply finding it easier to manage? From the latest Index results, it would seem it is the former, as the number of DPOs who have stated that their organisation is using AI as part of their “core business proceedings” has steadily fallen to just 15% this quarter.
It seems, therefore, that the buzz around AI has slowed down, perhaps influenced by the increased push to regulate the use of AI technologies, including the EU’s own proposed AI Regulation. There are also the economic effects of Covid and other global affairs, which have clearly had an impact on both organisations and consumers; potentially resulting in organisations being less willing or less able to invest in new technologies and processes so quickly, something we touched on in a previous blog.
This year, the Information Commissioner’s Office (ICO), the United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc., has seen big changes including the appointment of a new Information Commissioner, John Edwards, and the publication of the new ICO25 Plan; as well as its proposed new role under the new Data Protection and Digital Information Bill calling the future effectiveness of the regulator into question. It is perhaps no wonder then, given the general upheaval, that confidence in the effectiveness of the ICO has been steadily falling since Q1 2022. At the start of the year, 43% of participants rated the ICO an eight or above, but this has fallen steadily since then to 31% in Q4.
In terms of future data protection reforms, there were two major topics that we quizzed our panel of DPOs on: the proposed UK Data Protection and Digital Information Bill, and the European Data Protection Board’s (EDPB) October Guidelines (which suggested that organisations must report breaches to all member state supervisory authorities in which affected data subjects reside, not just one).
As the DPDI Bill was first introduced in the summer of this year, we have only had two quarters to gauge what our panellists think. (The proposed Data Protection and Digital Information (DPDI) Bill aims to amend and supplement the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (2018) and the Privacy and Electronic Communications Regulation (PECR).) That being said, this quarter their attitudes have significantly hardened. 54% of DPOs said that the proposals would not be in the best interest of data subjects, a 13% increase from last quarter. Similarly, last quarter, 30% of respondents “strongly disagreed” that this proposal would save their organisation money. This quarter, that proportion rose to 45%. Further, 54% “strongly disagreed” that the proposals could simplify privacy management within their organisations.
This dip in confidence regarding the benefits of the proposed Bill may reflect the fact that privacy professionals have now had more time to consider the proposals in their entirety, now that the dust has finally settled from the first consultation. In addition, the political instability the UK has experienced over the last few months is likely to have left many uncertain as to what will happen next and what it will mean for their organisation, particularly as it now appears that the Bill has been paused for the moment pending a further (non-public) consultation. This confusion was echoed in our question on what route our panellists expect the new Prime Minister to take regarding the reform of data protection laws. Just over half (51%) expect Prime Minister Rishi Sunak to continue with the plans made under Johnson’s government; 27% are hoping that they will revert back to UK GDPR; 15% expect Sunak to do a complete rewrite, and 7% think there should be something else. (UK GDPR is the UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU.)
When it comes to the EDPB’s October Guidelines, the feedback received from our panel largely reflects online discourse and dissent. On a scale of one to ten, with ten being extremely problematic, 36% rated it an 8 or above. The EDPB has opened their proposal up to comments, and we are currently waiting for the results. Whether mandatory reporting to all applicable supervisory authorities will become required therefore remains to be seen, but judging by our panel’s responses, it wouldn’t be a welcome change.
As we have discussed, if we had to sum up 2022 in the world of data protection in one word, that word would be ‘uncertainty’. Therefore, consistency and commitment will be what many are hoping for in 2023. Whilst it appears that the UK is gaining some political stability which will carry on into the New Year, this may mean that the DPDI Bill (or some iteration of it) comes off the shelf in 2023 resulting in more regulatory upheaval, but what this will look like in practice remains to be seen. Furthermore, we cannot ignore the fact that economic issues are likely to continue and perhaps worsen into Q1 of next year, which may have some impact on organisations’ ability to properly resource their data protection compliance. Taking all of the above into consideration, it will certainly be interesting to see whether the present uncertainty will remain or whether a new year will bring a more positive outlook.
If you are a UK-based data protection professional and want to take part in our DP Index, or if you want to know more about what our panel thought, click here to read more about our DP Index (including the latest report).