Fines, crackdowns and political footballs: Here’s what privacy aficionados should expect in 2023

Read on to discover the five trends we’ll be keeping a close eye on this year.

By Nigel Jones

Co Founder of The Privacy Compliance Hub

January 2023

The start of a new year is often a time for new beginnings, hope, and resolutions to do things a bit differently. In that vein, on Wednesday, 4 January, the UK prime minister was in a reflective mood, setting out his five priorities for the year ahead. Unsurprisingly, plans around privacy were absent despite continued uncertainty in the UK around the Data Protection and Digital Information Bill.

But while uncertainty already seems to be the overarching sentiment for 2023, there are a few trends in privacy we’re certain we’ll see this year. 

Offenders will be named and shamed

The Information Commissioner, John Edwards, told the BBC in September 2022 that “naming and shaming organisations that fail to comply is a new proactive way for the ICO to work.” This naming and shaming will apply not just to headline-grabbing fines, but also to reprimands issued to organisations who fail to comply with the UK GDPR. Reprimands were previously unpublished, but the ICO’s intention is that by “reading about where an organisation failed to comply with data protection laws, we hope that others will understand what went wrong and what they need to do if they find themselves in a similar scenario.”

It will no longer be just organisations which have experienced a massive data breach in the spotlight. Expect to see others which fail to comply with UK GDPR legislation more generally publicly named by the ICO. Edwards appears to be adopting a tougher approach than we’ve seen from previous Information Commissioners, and we expect to see more investigations, more pre-emptive fines and more brand damage as he takes action against those ignoring their responsibilities.

The internet may become a safer place for children

In September 2022, the ICO announced a potential £27m fine for TikTok for failing to protect children’s personal information. In the press release, the commissioner, John Edwards, said his office is currently looking into how more than 50 different online services are conforming with the ICO’s Children’s Code. And, it wasn’t just TikTok that was in hot water over how it processes children’s information last year. Meta was fined €405m by the Irish data protection authority after Instagram allowed teenagers to set up accounts with their email addresses and phone numbers publicly displayed. And the Department for Education was warned after poor due diligence meant the personal information of up to 28 million children was shared with gambling companies. It only escaped a fine in excess of £10m thanks to the ICO’s new approach towards the public sector which aims to reduce the impact of fines on the public.

We expect the focus on children’s rights online to continue globally – not least because California has passed its Age Appropriate Design Code Act, heavily based on the ICO’s Children’s Code, which will come into effect in the state on 1 July 2024 and New York has plans to introduce something similar there. In the UK, the current draft of the Online Safety Bill covers all services likely to be accessed by children and includes more child protection measures, including more stringent requirements around age verification. Whether or not it passes in its current state is another matter. 

A crackdown on biometric snooping

Have you been filmed while at the self-serve checkouts in a supermarket recently? You’re not the only one. Southern Co-operative has installed facial recognition cameras at 35 of its stores in the UK, Amazon is rolling out palm scanners for shoppers to make payment in Whole Foods in the US, and even Mastercard is trialling ‘pay with your face’ functionality. Meanwhile, Aldi’s ambitions have extended in the past year to opening a “check-out free” store, ‘Aldi Shop & Go’ which allows shoppers to just walk out with their goods. It won’t be the last. Tesco has one too. The privacy group Big Brother Watch has already made an official complaint to the ICO over Southern Co-op’s use of surveillance technology and we’re expecting the regulators to become more interested in this area across the board in 2023.

Europe is edging closer to a ban on facial recognition with its proposed Artificial Intelligence Act, which should limit how far biometric recognition can be used. Meanwhile, in June 2022, the Ryder Review commissioned by the Ada Lovelace Institute, called for an immediate moratorium on the use of live facial recognition technology in the UK until legislation governing its use has been passed. Italy went one step further in November 2022, when it placed a moratorium on the use of facial recognition technology.

If you want more practical content like this article, please click below to sign up for our monthly newsletter.

Sign up now

Data protection could suffer because of politics

Since leaving the European Union, pragmatism dictates that the UK keeps its data protection regime as similar to the EU GDPR as possible to maintain frictionless data flows. But postering politicians don’t always care about economic sense, and the proliferation of anti-EU sentiment in UK politics means this isn’t a certainty. That’s despite warnings by bodies such as the Advertising Association for the government to ensure any changes to the UK GDPR are backed by evidence and not driven “purely for the sake of seeking divergence”. After all, changes could result in additional cost for businesses, as well as the administrative burden of maintaining compliance with multiple data protection regimes. We’ve already seen the impact of such disruption after the removal of the EU-US Privacy Shield in 2020. The Secretary of State for Digital, Culture, Media and Sport (DCMS), Michelle Donelan, has called the GDPR a “regulatory minefield” that “ties businesses in knots with clunky bureaucracy”. Let’s hope that cool heads prevail in 2023.  

Answer our GDPR compliance checklist questions and we will email you an objective, personalised audit report within minutes, completely free of charge.

Get your audit

Economic pressures will increase pressure on privacy

Gartner predicts that 75% of the global population will have its personal data covered under privacy regulations by 2024, and large organisations’ average annual budget for privacy will exceed $2.5m over the same timeframe. Not everyone has that kind of money spare, particularly during an economic crisis. But recessions are known to increase the threat of cybercriminal activity, and the rise of remote working is providing an endless number of opportunities for hackers to attack. Leaders need to make sure their staff know about privacy, care about it and are prepared to do their bit to protect it. And in 2023, they’ll be looking for the most cost effective way to achieve privacy compliance.

There will undoubtedly be savings that can be made – we recently spoke to a scale up that was dealing with privacy by using an experienced data protection manager and a software platform, supported by two law firms. It made no sense. Neither does forking out more than £1,000 a day for a privacy consultant that will never understand your business as well as you and your employees do. Comparatively, the Privacy Compliance Hub starts at only £595 per month and enables leaders to understand and confidently build a culture of continuous privacy compliance for the long term. Why not drop us a line?

More to watch and read