2018 was the year when data protection law seemed to be at the heart of many big news stories. The General Data Protection Regulation (GDPR) came into force in May, gathering lots of attention in the media, as organisations worked out what they needed to do to prepare. We have also seen the revelations in relation to Cambridge Analytica and Facebook and use of personal data in political campaigning, as well as major cyber attacks on the likes of Carphone Warehouse and British Airways, to name but a few.
What will we see as we move into 2019?
It is all about data
Data protection and privacy will continue to be at the forefront of many developments. Thanks to GDPR, there will be greater scrutiny of new technologies, as organisations work out how to best use new and innovative technology while balancing the rights of individuals under data protection law.
We are already seeing organisations paying much closer attention to the data protection aspects of the technology that they procure or new processes and systems that are developed internally. Data protection impact assessments will be key tools in helping organisations to assess and mitigate risk, and demonstrate compliance.
When using third-party platforms and cloud-based services, close attention to the contract will be essential, to ensure it correctly documents the relationship between the parties, and contains appropriate allocation of risk and responsibilities. While we have seen major vendors adapt their terms to reflect the requirements of GDPR, issues such as whether the supplier is a processor, controller or a joint controller, controls over the use of sub-processors, audit and inspection rights and the allocation of liability and indemnities will continue to be important points for negotiation.
ePrivacy law reform
On privacy law reform, while GDPR is now in place, we are still awaiting the final text of the proposed new EU regulation on ePrivacy.
The ePrivacy Regulation will set out the rules going forward in relation to cookies and the online tracking technologies that drive adtech, mobile apps and online services, together with electronic marketing.
Businesses should ensure that they keep abreast of developments with a key date for finalising the text being the European Parliament elections in May 2019. Assuming the text is finalised by then, it is likely it will come into force prior to the planned transition period for the UK leaving the EU.
There will continue to be hype around blockchain, and much of that should be viewed with a degree of scepticism. According to Gartner’s annual emerging technology Hype Cycle, blockchain has now crested the Peak of Inflated Expected Expectations and is beginning its descent into the Trough of Disillusionment.
Many of the use cases that are mooted appear to revolve around using blockchain for the sake it, when existing technology already works perfectly well, or where other factors mean that blockchain will not improve or speed up processes. For example, blockchain is unlikely to revolutionise the transfer of land and buildings given the need for purchasers (and their lenders) to carry out appropriate diligence on the proposed purchase.
But genuine use cases will emerge. Blockchain can work well where multiple parties are involved and there is a need to maintain a clear and accurate historic record of transactions or movements.
We have seen some interesting applications of distributed ledger technology to help with supply chain provenance and to tackle counterfeiting, particularly in the food and drink industry. For example, Walmart recently announced that it will be requiring lettuce and salad providers to use an IBM blockchain platform, which should help it to better manage contamination outbreaks by knowing exactly which bags are affected.
AI and automated decision making
The use of artificial intelligence and automation will also continue to become increasingly common, with third-party AI-as-a-platform and workflow tools making it easier for businesses of all sizes to automate many tasks.
Issues such as contractual liability will need to be carefully thought through. Who is responsible for errors or mistakes? Have systems been properly tested before they are released into a live use?
Businesses that use automated decision-making need to ensure that they understand its limitations and how it works. We have already seen organisations in the US being sued because they were using a third-party personality test tool for recruitment that, unknown to them, operated in a way that breached disability discrimination laws.
Under GDPR, understanding how AI works is even more important. Organisations need to be able to provide individuals with meaningful information about automated decision-making where it has a ‘significant effect’ on the individual. As AI becomes more powerful and algorithms more complex, being able to explain why an individual was rejected during an initial CV sift or offered a particularly high insurance premium will become harder.
Businesses also need to be alert to confirmation bias, where AI tools simply reinforce (or exaggerate) an organisation’s historic practices. Amazon is reported to have ditched an AI tool used to review CVs in recruitment because it had observed patterns in recruitment in the previous ten years and taught itself that male candidates were preferable.
It is important that these issues are considered at the outset of any project if businesses are to avoid these stumbling blocks.
And what is at the very beginning of the Gartner Hype Cycle? Smart dust and flying autonomous vehicles. But that is for another year.