Data Protection Regulations In 2024 – What UK Businesses Need To Know

Introduction

Data protection and privacy regulations are always evolving. As we approach 2024, businesses in the UK need to be aware of upcoming changes and new regulations that will impact how they handle data. Having a solid understanding of these regulations is crucial for ensuring compliance and avoiding penalties. In this article, I will provide an extensive overview of the key data protection regulations that UK businesses should expect in 2024 and provide guidance on steps they can take to prepare.

The Data Protection Act 2018

The Data Protection Act 2018 is the primary legislation that governs data protection in the UK. It implements the requirements of the General Data Protection Regulation (GDPR) and provides additional specifications and exemptions. The key aspects of the Data Protection Act that businesses need to be aware of are:

  • Lawful processing of personal data – Ensuring you have a lawful basis for processing personal data and maintaining records of your processing activities. The lawful bases include consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests.

  • Individuals’ rights – Giving individuals control over their personal data by allowing them to access it, correct inaccuracies, have it erased, restrict its processing, obtain it in a portable form, and object to processing.

  • Accountability and governance – Businesses must implement appropriate technical and organisational measures to demonstrate compliance and integrate data protection into operations. This includes having clear policies, training staff and maintaining records of processing activities.

  • Data transfers – Additional rules apply when transferring personal data outside of the UK. Adequacy regulations or appropriate safeguards need to be in place.

  • Security – Personal data must be processed securely, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Using encryption and pseudonymisation and upholding confidentiality are key.

  • Breach notification – Data controllers must notify the ICO within 72 hours of becoming aware of a data breach that poses a risk to individuals’ rights and freedoms.

  • Privacy notices – Providing concise, transparent, intelligible and easily accessible privacy notices to individuals about how you process their personal data.

  • Record keeping – Maintaining detailed records of data processing activities and ensuring they are up to date.

Age Appropriate Design Code

The Age Appropriate Design Code comes into effect on 2 September 2023 and regulates how online services likely to be accessed by children handle their data. Key requirements include:

  • Best interests of the child – Always act in the best interests of children when designing and developing online services.

  • Data protection impact assessments – Undertake DPIAs to assess and mitigate risks to children that could result from your data processing.

  • High privacy settings by default – Switch nudge techniques off by default and allow users to switch them on by choice. Collect and retain only the minimum personal data needed to provide the service.

  • Transparency – Provide prominent, clear and accessible privacy information to children on how you use their personal data.

  • Detrimental use of data – Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, such as direct marketing or microtargeting.

  • Policies and community standards – Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules).

  • Verifiable parental consent – Obtain verifiable parental consent before providing paid services, profiling or making personal data publicly available.

  • Risk assessment – Regularly assess and mitigate risks for the platform and its users, especially when introducing new processing activities or technologies.

Children’s Code

The Children’s Code will replace the Age Appropriate Design Code in 2023 and intends to enhance children’s privacy online. It will apply to information society services likely to be accessed by children under 18. Key requirements include:

  • Best interests of child – Make the best interests of the child your primary consideration when designing and developing online services.

  • Privacy friendly default settings – Switch options which use personal data off by default.

  • Data minimisation – Only collect and retain personal data necessary and proportionate to provide the elements of your service which a child consents to.

  • Transparency – Provide prominent and clear explanations about how you use personal data which are appropriate for the age of the child.

  • Detrimental use of data prevention – Do not use children’s personal data in ways detrimental to their wellbeing, for example targeted advertising using profiling.

  • Policies – Establish effective functions and policies for complying with the code.

  • Risk assessment – Assess and mitigate risks for the platform and its users, especially when introducing new processing activities.

  • Age assurance – Take reasonable steps to determine the age of users and prevent access by those below your stated minimum age.

ePrivacy Regulations

The ePrivacy Regulation is still being finalised but will significantly impact how businesses handle online data. Expected requirements include:

  • Consent – Obtain user consent before accessing devices or using tracking cookies/similar technologies. Make consent requests specific, granular and easy to refuse.

  • Privacy settings – Have privacy settings on devices switched ‘on’ by default.

  • Metadata – Restrictions on accessing metadata like location and communications data without consent.

  • Direct marketing – Tighter limits on using electronic communications data for direct marketing without consent.

  • Protection of end-user devices – Requirements around security, transparency and consent when accessing end-user devices.

  • Confidentiality of communications – Stronger confidentiality protections for electronic communications content and metadata.

How Businesses Should Prepare

To ensure compliance with upcoming regulations, businesses should take the following steps:

  • Review policies and procedures – Evaluate current data handling practices against new regulatory requirements and identify any gaps that need to be addressed.

  • Update privacy notices – Ensure your privacy notices cover all the rights individuals have under regulations and explain your lawful bases for processing data.

  • Obtain informed consent – Review how you gather consent from individuals and ensure it is specific, informed and freely given. Allow easy ways to withdraw consent.

  • Minimise data collection – Audit what personal data you collect and retain. Anonymise or delete any non-essential data.

  • Review overseas transfers – Ensure appropriate safeguards are in place when transferring data outside the UK and re-evaluate third-party processors.

  • Strengthen security – Implement state-of-the-art security and encryption to protect personal data. Conduct regular security audits.

  • Conduct DPIAs – Perform data protection impact assessments for any new high-risk processing activities involving personal data.

  • Assign responsibilities – Designate a Data Protection Officer and outline clear data protection roles and responsibilities for staff. Provide training.

  • Update breach response plan – Ensure your data breach response plan follows notification requirements and allows you to promptly contain and remediate any breaches.

By taking proactive steps to comply with upcoming regulations, businesses can avoid penalties, protect consumer rights and uphold trust. With data protection evolving rapidly, continuously monitoring and adapting to new requirements is essential.
