GDPR Is Six Years Old: What Is Its Impact On AI?

The 25th of May marks the 6th anniversary of GDPR, the EU’s data protection regulation. Its introduction was met with mixed reviews: some praised it for overhauling data protection in the region, while others saw it as an insurmountable challenge because of the sweeping changes it brought to data management practices. But has the sentiment changed 6 years on?

We have collected commentary from leading tech and security businesses to understand their views on GDPR and what the future may hold for the regulation. Let’s find out what they have to say.  

Matt Cooper, Director of Governance, Risk and Compliance, Vanta: "Another year older doesn’t necessarily mean another year wiser - a lesson we’re learning on GDPR’s 6th anniversary.
 
"Many businesses across Europe are still struggling to adapt their data management practices to meet the regulations' strict requirements 6 years on. And despite significant efforts, staying in compliance with GDPR remains a resource-heavy task that often demands continuous monitoring and regular audits.
 
"To complicate matters further, AI has become a must-have for many businesses to stay competitive, which is introducing new data privacy risks. This is spreading resources even thinner than before, as businesses are having to adopt robust AI governance frameworks to ensure said novel risks are mitigated, while still grappling with the relatively new GDPR rules. The impact of this is already being felt, with 57% of UK businesses reporting that secure data management has become more difficult with AI adoption, according to Vanta’s 2023 State of Trust report.
 
"However, with risk also comes opportunity. AI has proven particularly effective at automating manual tasks and streamlining compliance processes is no exception. Businesses can use the technology to automate evidence collection and continuously monitor compliance, reducing the burden on their security teams.
 
"GDPR has proven a challenge since its introduction. While its 6th anniversary shows that there may be a light at the end of the tunnel for those struggling, rapid corporate adoption of AI will make it darker before it gets lighter."
 
Agur Jõgi, CTO, Pipedrive:  “The review of GDPR by the European Commission serves business leaders a reminder to keep data policy constantly up to date. In any organisation, data flows in an interconnected network. However, this is just one piece of the data puzzle – added layers of complexity with external data sharing means attention needs to be paid to watertight compliance. This is why it’s vital for companies to work with trusted partners when considering data protection.
 
"If you’re contracting a data processor to carry out certain processing activities on your behalf, such as using a CRM platform for your sales team, you need to know that they are laser-focused on any legislative changes. According to article 28 of the GDPR, the relationship between a data controller and a processor needs to be made in writing, through a data processing contract. And, as the importance of AI skyrockets up the corporate agenda, robust data agreements need to account for machine learning applications crunching large volumes of sales data, enabling continuous compliance and safety. As data transfers happen, inside and outside the EEA, data processors should keep up to speed with the implications that EU GDPR has for businesses.
 
"The fact of the matter is that regulators can exact a heavy toll on companies that don’t meet data protection standards..."

"For especially severe violations, the fine framework can be up to 20 million euros or up to 4 % of total global turnover of the preceding fiscal year. This is why scrutinising all data checkpoints is business-critical, so that organisations can continue to operate in a secure and safe environment with data, and in turn maintain the loyalty and trust of their customer base.”
 
Eduardo Crespo, VP EMEA, PagerDuty:  “The European Commission will undertake a major review of the GDPR framework this month. This review offers leaders a chance to interrogate data security policies, especially in context of next generation technology. It is important that data protection isn’t viewed as just another frustrating piece of bureaucratic red tape – it is designed to protect data privacy, reinforce consumer trust in companies and keep transparency of processes top-of-mind. Data protection, through measures like EU GDPR, relies on two pillars in an organisation: the right technology and the right skills to use it.
 
“Understanding EU GDPR, especially in the context of rising interest in AI, is key. In the market, across digital products and services, there is a mounting keenness to explore emerging technologies..."

"In our State of Digital Operations Report, we found that more than three-quarters of companies are pursuing automation, but there is a lag in adoption. The reason we’re not seeing a full surge in AI for organisations is that data security concerns are acting as a blocker, coming out as a top concern to a third (34%) of business and IT decision-makers, mirroring those concerns of AI.
 
“Organisations who fail to act or deploy enterprise operations solutions and AI do face the risk of falling behind early adopters. With the volume of data and content to store and secure, across retail, media, financial services and a host of other sectors, security and cloud investments need to remain both timeless and timely in the IT world, especially with the backdrop of EU GDPR review. At the ship’s helm, leaders have a responsibility to prioritise risk reduction, revenue protection, and operational resilience, while ensuring that data flows in a safe and secure way. These are precisely the outcomes companies can aim for with concrete data strategy, as well as collaboration with the right data processors, who are eagle-eyed when it comes to regulation-related updates.”
 
Michel Isnard, VP of EMEA, GitLab: "GDPR played a pivotal role in ensuring that organisations recognise that they must integrate privacy, security, and compliance throughout their processes to manage risk effectively and add business value.
 
“The growing need for data to build and fine-tune AI applications, coupled with an ever-increasing number of data breaches, indicates that adherence to GDPR has never been more important..."

"With software delivery in particular, the need for developers to invoke secure-by-design principles becomes even more critical. Secure-by-design principles ensure the entire development lifecycle has the necessary controls to address vulnerabilities specific to each phase of the software delivery process. It also requires tighter collaboration between developers—with clear functional knowledge of how software should work - and teams with a better understanding of the legislative, regulatory, and security requirements impacting the business. Implementing a framework incorporating the secure-by-design principles streamlines software development and ensures more robust security and compliance and better-governed software."
 
Nikolaz Foucaud, Managing Director, Coursera EMEA: “The European Commission’s GDPR review is arriving at a critical juncture, as any vision for data protection needs to now account for AI’s profound structural impacts. With LLMs requiring vast datasets for their training and refinement, it is imperative to ensure that data privacy and protection checks and balances are in place, especially as leading GenAI players seek competitive edges. For the UK, with its own GDPR framework, eyes will be firmly fixed on the European Commission to assess the result of legislative review.
 
"As AI usage is likely to be increasingly regulated, data protection officers need to be focused on regulatory alignment across borders, and this process will require a fair deal of cross-border collaboration around clear-cut AI strategy. In the UK, to ensure solid management of any regulatory needs, having widespread data compliance literacy will be vital for all organisations. British companies cannot afford to fly blind when it comes to regulation, especially as penalties for non-compliance can be up to £17.5 million or 4% of annual global turnover.
 
"Ensuring that there are appropriate skills within departments to manage ever-increasing datasets in line with new compliance obligations must be a top priority for Britain’s people leaders..."

"EU GDPR review will likely signal a need to change policy and procedure in the UK, and successful implementation will only be possible if businesses possess the necessary skill sets. Keeping data and compliance skilling opportunities available across organisations will help data protection experts adapt to ever-evolving regulation.”

Image: GOCMEN
