In this post, data protection specialist Robert Brooks outlines some key predictions for the year ahead.

Following on from the biggest ever year in data protection, might 2019 prove to be the most eye-opening? Looking into my (compliant) crystal ball I can’t help but ask “What lies ahead? Will all of our collective hard work preparing our compliance be enough to see us through?”

The mist clears

In 2019 we will see the floodlights go on in respect of news stories, ICO investigations and fines, some of these will be run of the mill, and others will be, for some, organisationally defining as a result of heavy enforcement under the new regime. In 2018 we saw fines reach a maximum level under the old guard; we also saw custodial sentences for data misuse.

One of the first civil cases was seen in Germany, for breaching GDPR, relating to a single non compliant email; this will be of particular interest to those who use email for marketing. The amount the claimant received was small (50 Euros), no problem if you are sending one or two emails. If however you are sending half a million emails and 500 are judged to be non compliant, that should be a more sobering story.

Another piece of news from the end of last year saw the Radboud University in the Netherlands report that their researchers had discovered that widely used data storage devices with self encrypting drives do not provide the expected level of data protection. They have stated “A malicious expert with direct physical access to widely sold storage devices can bypass existing protection mechanisms and access the data without knowing the user-chosen password”. If this is the case, and there is no reason to doubt it, there will be wide reaching effects.

As a result of these stories consumers are growing more and more aware of both their rights and their frailties, and therefore caring more about how their data is being used. The flip side of this is that the decisions consumers make will reflect who they think best protects data. This will affect the bottom line for businesses and therefore ‘minimal compliance’ will no longer suffice. How personal data is treated will and should inform boardroom decisions.

Whilst for some decision makers the mere mention of GDPR can induce the eyes to roll back in their sockets, if you then throw Brexit into the mix, it can for some, become somewhat emetic. One of the few certainties with Brexit is that we do know that it may potentially affect how we, the UK, receive data from the EEA. Contingencies need to be in place to deal with a no deal! And, reviewing your data transfer processes to see if you will be affected ahead of any change is recommended.

Governments from a significant number of territories around the world are recognising the need for data protection regulation, and are seemingly resolute in developing GDPR-like legislation. Whether this is just to compete commercially remains to be seen, but it does highlight the trend. More than one billion people were affected by the loss of personal data through just 13 data breaches at 11 different companies in the past 12 months, according to personal virtual private network service provider NordVPN.

So the effects are far reaching, people, businesses, countries and their governments, all can and will be affected. It has been suggested that the US my take a more relaxed view in light of alleged indiscretions by various social media platforms, Europe and the ICO on the other hand may take a more strict view. This ongoing issue and others will unfold into truly massive stories with unforeseen political and cultural contortions.

Whether the news is about a household name, state-sponsored attacks or the ‘my cat is stuck up a tree’ kind of data story, one thing is for sure, we will see and hear many stories over the coming months.

Some organisations will not have done anything to protect themselves or the data they handle; others will have done their very best, and still got it wrong. Your consumers, the data subjects, will be watching with added interest.

Let 2019 be the year to learn. My wife recently passed her driving test, and the instructor said “you’ve passed your test, now you will learn how to drive”. The GDPR is a bit like this, last year many businesses passed their test, since then though we have been learning how to drive.

Robert Brooks is the privacy officer at Stephens Scown.  Robert advises clients on data protection and privacy.  To discuss this article or another data protection issue you can get in touch either by telephone 01392 210700 or by email