The General Data Protection Regulation (GDPR) has a wide-reaching impact, affecting every organisation that processes personally identifiable information (PII) of EU residents, including those located outside the EU that provide services to EU-based businesses.
Our recent webinar explored the latest updates to GDPR and broader data protection regulations, focusing on increasing enforcement actions, evolving compliance requirements, and the rising threats posed by sophisticated cyberattacks and AI-driven data breaches.
Our expert panel consisted of Ben Westwood, Motor Insurers Bureau CCO & DPO, Skillcast's Head of Legal, Bunmi Adefuye, and CRO, Catriona Razic. They provided insights on navigating these legislative changes and mitigating potential risks.
Key discussion points
- Anticipated GDPR updates and data protection regulations for 2024.
- Overview of new compliance obligations and how organisations can prepare for emerging threats, including advanced cyberattacks and AI-enabled data breaches.
- Practical guidance on effective data management strategies to ensure continuous compliance and protect sensitive information in an evolving regulatory landscape.
Current state of data protection compliance
Recent statistics paint quite a daunting picture and highlight the severity of the data risk:
- The fourth quarter of 2023 saw data breaches expose more than 1.5m records in the UK
- According to the UK Government Cyber Security Breaches Survey 2024, 50% of businesses and 32% of charities reported a cyber security breach or attack in the last 12 months
- The average cost of a data breach in the UK rose by 8.1% in 2022 resulting in a total cost of £4.56m
Safeguarding data is critical to preventing cybersecurity breaches in the future. As cyber threats become increasingly sophisticated, robust data protection measures are essential for minimising vulnerabilities and ensuring the integrity of sensitive information.
Implementing advanced security protocols, such as encryption, multi-factor authentication, and regular system audits, can significantly reduce the risk of unauthorised access or data theft.
Additionally, fostering a culture of awareness and continuous training among employees will strengthen the organisation's overall defence, making data protection a key component in mitigating future cyberattacks and preserving trust in digital operations.
Managing and protecting data moving forward
Examining data breach cases provides insight into what factors courts consider. By analysing past rulings, companies can better comprehend the legal standards for data protection and the importance of demonstrating due diligence in preventing breaches.
Lloyd vs Google
Mr Lloyd issued a claim that Google had breached data protection legislation, a claim under which Google would have been exposed to $3bn in damages. However, the UK Supreme Court unanimously ruled in favour of Google, overturning the Court of Appeal's decision that had allowed Mr Lloyd to pursue a US-style opt-out "class action" against the company.
The Court held that a data subject is not entitled to compensation under the Data Protection Act 1998 unless they can prove that the breach caused material damage, such as mental distress or financial loss. Mr Lloyd's case failed because he did not demonstrate unlawful use of personal data or harm to individuals.
Advanced Computer Software Group Ltd
A provisional decision has been made to impose a £6 million fine on a software provider following a 2022 ransomware attack that disrupted NHS and social care services.
The provider failed to implement adequate security measures, compromising the personal information of 82,946 individuals, including sensitive data such as phone numbers, medical records, and access details for the homes of 890 people receiving in-home care.
Despite being a data processor rather than a controller, the company still had a responsibility to implement technical and organisational safeguards to ensure the security of personal information.
What are data protection best practices?
Data protection best practices include ongoing monitoring and resource allocation to assess the severity and risks of potential breaches, applying appropriate controls as needed. This process demands dedicated management, as data protection strategies can quickly become vulnerable to failure, leaving organisations open to criticism.
Companies must promptly report any data breaches, recognising that data protection is a constant battleground. While the requirements for data controllers are straightforward, businesses often adopt a conservative or broad-brush approach to data processing. Controllers may insist on standard contract terms across the board, as customising agreements for individual cases is often impractical and resource-intensive.
We asked the audience what they feel is the most difficult data protection challenge, and the results were not particularly surprising. Maintaining accurate data inventories and data mapping was identified as the biggest challenge by 45% of respondents. This highlights it as a resource-intensive task that often lacks business priority.
34% cited the need for adequate resources to interpret complex legislation as a significant concern, ranking it second.
Common data protection mistakes
One common mistake in data protection is having policies in place without the necessary controls, processes, or frameworks to support them. While organisations may develop data protection policies, they often fail to embed these in a meaningful way, making it difficult to establish processes that are repeatable and measurable.
Without clear implementation, employees may forget key requirements, underscoring the importance of providing quick reference guides that outline their responsibilities and the steps needed to ensure compliance.
Another key issue is inadequate education and training. Having a policy is not enough—employees must understand their obligations and roles, which requires ongoing, consistent training. Mistakes, especially simple ones, are inevitable, so it's essential for staff to know who to contact in the event of a data breach.
Given the strict 72-hour window for reporting to the ICO, timely action is critical. A data protection officer (DPO) maintaining a visible presence can be crucial in raising awareness and fostering a culture of compliance.
It is important for privacy teams to approach data protection with sensitivity, recognising that individuals may feel they’ve done something wrong. A non-judgmental, supportive approach is key, and it’s also a regulatory requirement to have someone, such as a DPO, responsible for data protection within the organisation.
Emerging threats - AI regulations & compliance strategies
Emerging data protection threats, particularly related to AI technologies, pose new challenges for organisations. With the introduction of new AI regulations in the EU, such as the EU AI Act, companies must rethink their frameworks and put robust processes and controls in place to manage risks.
A key concern today is the use of AI tools like ChatGPT in the workplace. Employees may inadvertently input sensitive data into these systems, creating significant data protection risks. Organisations must decide whether to block access to these tools or implement clear policies to regulate their use. Establishing frameworks, policies, and technical controls will be essential as AI becomes more integrated into business operations.
The EU AI Act has broader implications, especially for UK organisations with EU clients, as it applies to any business interacting with the EU market. This regulation serves as a valuable mechanism to assess the extent to which AI is used within a company and prompts businesses to implement policies ensuring data protection compliance.
As AI technology evolves, businesses must continuously adapt their data protection strategies to address new risks, ensuring that they remain compliant with regulatory requirements and protect their clients’ and employees' personal data.
Biometric data collection is another emerging area riddled with data protection risks. For organisations that plan to capture and process staff biometric data, it is critical to consider how to legitimise this activity under data protection laws. Obtaining explicit consent from individuals is essential, but this can be highly challenging due to the sensitive nature of biometric data.
Setting clear parameters for its use is crucial, along with establishing strong justifications for deploying AI technologies like ChatGPT. For example, businesses must ensure that no confidential or personal data is input into these systems, and if generative AI is to be used, there must be a clear business need to justify its application. Ultimately, businesses must balance operational benefits with the need to manage and mitigate data protection risks in an increasingly AI-driven environment.
We asked the audience the most relevant or concerning upcoming UK data protection and privacy developments. The poll results indicate that 58% of respondents are most concerned about potential future AI regulations and their impact on data privacy, highlighting the anxiety businesses feel regarding how these developments may affect their compliance and operational practices.
Cross-border data transfers also remain a significant concern, ranking as the second highest issue, as they have presented considerable challenges for organisations navigating complex legal frameworks in recent years. In contrast, the Online Safety Bill emerged as the least concerning development, suggesting that while it is recognised, it may not be perceived as an immediate threat compared to the evolving landscape of AI regulations and cross-border data transfer complexities.
Innovative training & awareness
The rinse and repeat model of training has proven to be ineffective, primarily because it often fails to engage employees with relevant and necessary content. While the subject matter—such as fighting crime and promoting ethical behavior—can be compelling, repetitive training sessions year after year lead to disengagement.
Many organisations continue to enforce the same comprehensive courses, assuming that covering all bases is sufficient. However, this approach can dull the learning experience, causing team members to tune out. Even with leadership support and reminders, this outdated model resembles the use of a Blackberry in a world dominated by smartphones.
It's time to rethink training strategies and introduce fresh, relevant content that truly resonates with employees, ensuring that learning is both engaging and applicable to their roles.
- Training innovation involves diagnosing organisational weaknesses and automating learning needs to enhance effectiveness.
- By utilising bite-sized content, training can be kept concise and manageable, making it easier for employees to absorb essential information.
- Incorporating nudge learning techniques serves as gentle reminders to reinforce knowledge retention.
- Additionally, embedding these bite-sized learning modules in decision-making contexts ensures that training is readily accessible when it is most needed.
- Treat your staff like adults by offering the option to fast-track learning. This recognises the knowledge they already have, saves time and maintains focus, ultimately fostering a more agile and informed workforce.
Looking for more compliance insights?
SkillcastConnect is our new community bringing together compliance professionals for unique peer group networking free of vendors.
As members of our unique and complimentary community, you can join our live webinars and face-to-face events to interact in person with thought leaders and your peers and access hundreds of digital resources on a variety of compliance, learning, and regulatory topics to support you and your teams along your journey. Join the discussion!