man in suit holding 2022, numbers in a tech light style - concept for data protection

What data protection changes can we expect from 2022?

When it comes to data protection, the last two years have been exceptional in many ways. Businesses have constantly had to keep on their toes as they try to stay ahead of the curve. I can’t see this changing too dramatically anytime soon.

So, what might 2022 look like, based on what we know now?

Data protection in 2022

A new commissioner joins the ICO

John Edwards is confirmed as the new Information Commissioner. He was formally in the same position in New Zealand and is the government’s favoured person for the role.

AI technology & data protection

With the big players pushing the use of AI in society and the workplace, there is a very real threat that regulation is in danger of falling far behind technology again.

The intention from the Information Commissioner’s Office (“the ICO”) is there – you only have to look at the recent possible ‘first’ cross border joint investigation fine involving Clearview AI, the US tech company that has been ordered by the ICO (and other international authorities) to stop processing and delete UK citizens personal data. It has been suggested that much of the data Clearview uses will have been collected (scraped) from social media accounts without people’s knowledge.


Ad-tech continues to be under the microscope following the ICO opinion piece in November, when it called for companies to eliminate existing privacy risks posed by the Ad-tech industry.

Ad-tech, cookies (and similar tech), data co-ops and email marketing etc. is a huge part of all of our professional and personal lives. The effects of personal data being processed in this way are potentially far reaching and we are already seeing growing numbers of privacy-based campaigns – cookie hunters and Subject Access Requests. This too will evolve.

The ICO opinion piece itself didn’t indicate any new regulations but it did suggest enhanced enforcement – but this will likely depend on the new leadership. We may instead get red tape confetti.

Data protection in a Post-Brexit world

The fallout from Brexit feels very much with us still and in the ongoing grasp of the pandemic data principles can be pushed to the limit. Whether that is UK civilian health data being processed by more and more third-party processors with mistrust never far away or, our online activity being tracked, trapped, and sold in the market.

Whatever an organisation is doing with people’s personal data, consideration in regards to privacy and what is compliant needs to be made. Organisations may want to consider conducting ethical impact assessments as well as privacy impact assessments. This is especially relevant if your brand or your brand ethos matters to you.

Consumer’s choices are changing, and more consideration is given when it comes to ‘who am I dealing with and what do they stand for’.

For more information on how GDPR has changed since Brexit, click here.

The adequacy decision

Underpinning all of this we have “the adequacy decision”.

The adequacy decision ‘sunset clause’ has a 4-year run time until review, expiring in June 2025, but can be revoked within that time if there is a shift in how we do things, and/or developments based on the drafted data reforms in the UK would no longer justify an adequacy finding.

Might we see new regulations and data protection law modifications? Or a loss of the adequacy decision? If so, this could make things very difficult for businesses – and things are already quite difficult as they are.

Being informed, flexible, and ahead of the curve as best you can, will help the sustainability of your business. Compliance with the current legislation will prepare you for the future, whatever it brings.

If you would like advice on data protection please get in touch with our team.