A Roundup of Trends to Watch on International Data Privacy Day

Corporate risks surrounding data privacy, data transparency and data ethics are ramping up for many reasons, and International Data Privacy Day serves as an opportunity to build awareness around those issues. As organisations look to take pragmatic steps to strengthen their data privacy position and better safeguard customer, partner and employee data, there are several key trends to watch and prepare for. These include:

• Active consumer advocacy groups initiating data privacy complaints and investigations. Increasingly, organisations need to be focused on data transparency and ethical use of data, ensuring websites, cookie management, marketing campaigns, consent and internal analytics and R&D activities not only comply with privacy regulations but are clearly communicated in the public domain. For example, Max Schrems’s privacy watchdog group None of Your Business announced in December that it plans to file 5,000-10,000 new GDPR complaints in the coming months. In a Law.com article, a spokesperson from NOYB said this wave of complaints will include companies of all sizes, with a focus on cookie banner violations.
• A rise in class action lawsuits spurred by high profile data breaches and privacy violations. Private rights of action as permitted under GDPR and other data privacy laws have begun to escalate from individual matters to large class action suits. Recent activity and decisions in U.K. and European courts indicate growing traction for class actions against organisations that violate GDPR. In the event of a data breach organisations therefore need to be able to quickly understand the nature of data in scope of the breach and take appropriate action regarding risk management and notifications to mitigate the risk of future class actions.
• Continued growth of global privacy regulations and the strengthening of existing regulations. The patchwork of global data protection and privacy laws is continually developing, presenting significant challenges for organisations to ensure they create flexible global privacy frameworks where policies, procedures and training are meeting the full scope of requirements to which their organisation is subject.
• Ongoing issues with cross-border data transfers. Given the global nature of almost all business, organisations will continue to face challenges with data transfers and meeting data localisation obligations. Organisations face continued complexity around how to minimise their need to transfer sensitive data across borders whilst still maintaining operational efficiencies. Implementation of legal measures to support data transfers and technical infrastructure to enable robust data localisation capabilities are additional challenges. This will be an area of increasing complexity and risk, at least until a replacement for Privacy Shield is in place.
• Data privacy impacts in antitrust and merger clearance. In the Resilience Barometer, 73% of respondents said data privacy concerns have impacted their M&A activity in the past year. This isn’t surprising, as authorities have begun to more closely examine company-controlled customer data, the ways it may be used post-merger and whether the combination of customer data sets between two companies would be lawful. In addition, organisations are keen to minimize the risks associated with acquiring new products and services, with increased focus on privacy due diligence pre-acquisition and rapid remediation programmes to mitigate identified risks and support privacy by design principles.

Ultimately, data privacy will continue to be one of the most significant risk issues throughout 2022. This is why more organisations must be proactive in strengthening their approaches to data governance, understanding the use and flow of data across their organisation and communicating transparently on data processing and international transfers as well as other key processes. A holistic and proactive approach to data privacy will be critical to weathering and thriving in the current landscape.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.