GDPR Is Six Years Old: What Is Its Impact On AI?

The 25th May marks the 6th anniversary of GDPR, the EU’s data protection regulation. Its introduction was met with mixed reviews, with some praising it for overhauling data protection in the region, while others saw it as an insurmountable challenge due to the overhaul it brought to data management practices. But has the sentiment changed 6 years on? 

We have collected commentary from leading tech and security businesses to understand their views on GDPR and what the future may hold for the regulation. Let’s find out what they have to say.  

Matt Cooper, Director of Governance, Risk and Compliance, Vanta"Another year older doesn’t necessarily mean another year wiser - a lesson we’re learning on GDPR’s 6th anniversary.
 
"Many businesses across Europe are still struggling to adapt their data management practices to meet the regulations' strict requirements 6 years on. And despite significant efforts, staying in compliance with GDPR remains a resource-heavy task that often demands continuous monitoring and regular audits.
 
"To complicate matters further, AI has become a must-have for many businesses to stay competitive, which is introducing new data privacy risks. This is spreading resources even thinner than before, as businesses are having to adopt robust AI governance frameworks to ensure said novel risks are mitigated, while still grappling with the relatively new GDPR rules. The impact of this is already being felt, with 57% of UK businesses reporting that secure data management has become more difficult with AI adoption, according to Vanta’s 2023 State of Trust report.
 
"However, with risk also comes opportunity. AI has proven particularly effective at automating manual tasks and streamlining compliance processes is no exception. Businesses can use the technology to automate evidence collection and continuously monitor compliance, reducing the burden on their security teams.
 
"GDPR has proven a challenge since its introduction. While its 6th anniversary shows that there may be a light at the end of the tunnel for those struggling, rapid corporate adoption of AI will make it darker before it gets lighter."
 
Agur Jõgi, CTO, Pipedrive:  “The review of GDPR by the European Commission serves business leaders a reminder to keep data policy constantly up to date. In any organisation, data flows in an interconnected network. However, this is just one piece of the data puzzle – added layers of complexity with external data sharing means attention needs to be paid to watertight compliance. This is why it’s vital for companies to work with trusted partners when considering data protection.
 
"If you’re contracting a data processor to carry out certain processing activities on your behalf, such as using a CRM platform for your sales team, you need to know that they are laser-focused on any legislative changes. According to article 28 of the GDPR, the relationship between a data controller and a processor needs to be made in writing, through a data processing contract. And, as the importance of AI skyrockets up the corporate agenda, robust data agreements need to account for machine learning applications crunching large volumes of sales data, enabling continuous compliance and safety. As data transfers happen, inside and outside the EEA, data processors should keep up to speed with the implications that EU GDPR has for businesses.
 
"The fact of the matter is that regulators can exact a heavy toll on companies that don’t meet data protection standards..."

"For especially severe violations, the fine framework can be up to 20 million euros or up to 4 % of total global turnover of the preceding fiscal year. This is why scrutinising all data checkpoints is business-critical, so that organisations can continue to operate in a secure and safe environment with data, and in turn maintain the loyalty and trust of their customer base.”
 
Eduardo Crespo, VP EMEA, PagerDuty:  “The European Commission will undertake a major review of the GDPR framework this month. This review offers leaders a chance to interrogate data security policies, especially in context of next generation technology. It is important that data protection isn’t viewed as just another frustrating piece of bureaucratic red tape – it is designed to protect data privacy, reinforce consumer trust in companies and keep transparency of processes top-of-mind. Data protection, through measures like EU GDPR, relies on two pillars in an organisation: the right technology and the right skills to use it.
 
“Understanding EU GDPR, especially in the context of rising interest in AI, is key. In the market, across digital products and services, there is a mounting keenness to explore emerging technologies..."

"In our State of Digital Operations Report, we found that more than three-quarters of companies are pursuing automation, but there is a lag in adoption. The reason we’re not seeing a full surge in AI for organisations is that data security concerns are acting as a blocker, coming out as a top concern to a third (34%) of business and IT decision-makers, mirroring those concerns of AI.
 
“Organisations who fail to act or deploy enterprise operations solutions and AI do face the risk of falling behind early adopters. With the volume of data and content to store and secure, across retail, media, financial services and a host of other sectors, security and cloud investments need to remain both timeless and timely in the IT world, especially with the backdrop of EU GDPR review. At the ship’s helm, leaders have a responsibility to prioritise risk reduction, revenue protection, and operational resilience, while ensuring that data flows in a safe and secure way. These are precisely the outcomes companies can aim for with concrete data strategy, as well as collaboration with the right data processors, who are eagle-eyed when it comes to regulation-related updates.”
 
Michel Isnard, VP of EMEA, GitLab"GDPR played a pivotal role in ensuring that organisations recognise that they must integrate privacy, security, and compliance throughout their processes to manage risk effectively and add business value.
 
“The growing need for data to build and fine-tune AI applications, coupled with an ever-increasing number of data breaches, indicates that adherence to GDPR has never been more important..."

"With software delivery in particular, the need for developers to invoke secure-by-design principles becomes even more critical. Secure-by-design principles ensure the entire development lifecycle has the necessary controls to address vulnerabilities specific to each phase of the software delivery process. It also requires tighter collaboration between developers—with clear functional knowledge of how software should work - and teams with a better understanding of the legislative, regulatory, and security requirements impacting the business. Implementing a framework incorporating the secure-by-design principles streamlines software development and ensures more robust security and compliance and better-governed software."
 
Nikolaz Foucaud, Managing Director, Coursera EMEA: “The European Commission’s GDPR review is arriving at a critical juncture, as any vision for data protection needs to now account for AI’s profound structural impacts. With LLMs requiring vast datasets for their training and refinement, it is imperative to ensure that data privacy and protection checks and balances are in place, especially as leading GenAI players seek competitive edges. For the UK, with its own GDPR framework, eyes will be firmly fixed on the European Commission to assess the result of legislative review.
 
"As AI usage is likely to be increasingly regulated, data protection officers need to be focused on regulatory alignment across borders, and this process will require a fair deal of cross-border collaboration around clear-cut AI strategy. In the UK, to ensure solid management of any regulatory needs, having widespread data compliance literacy will be vital for all organisations. British companies cannot afford to fly blind when it comes to regulation, especially as penalties for non-compliance can be up to £17.5 million or 4% of annual global turnover.
 
"Ensuring that there are appropriate skills within departments to manage ever-increasing datasets in line with new compliance obligations must be a top priority for Britain’s people leaders..."

EU GDPR review will likely signal a need to change policy and procedure in the UK, and successful implementation will only be possible if businesses possess the necessary skill sets. Keeping data and compliance skilling opportunities available across organisations will help data protection experts adapt to ever-evolving regulation.”

Image: GOCMEN

You Might Also Read: 

Navigating The Data Privacy Maze:

___________________________________________________________________________________________

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Seven Benefits Of Using A Managed Security Services Provider
New Guidance For Business Email Compromise »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Communications Security Establishment (CSE)

Communications Security Establishment (CSE)

CSE is Canada's national cryptologic agency, providing the Government of Canada with IT Security and foreign signals intelligence (SIGINT) services.

CyberGRX

CyberGRX

The CyberGRX Exchange and our risk assessments-as-a-service help Enterprises and Third Parties cost-effectively identify, prioritize and mitigate risk.

Kleiner Perkins

Kleiner Perkins

For five decades, Kleiner Perkins has made history by partnering with some of the most ingenious and forward-thinking founders in technology and life sciences.

Greenberg Traurig (GT)

Greenberg Traurig (GT)

Greenberg Traurig, LLP (GT) is a global law firm with offices in 40 locations in the United States, Latin America, Europe, Asia, and the Middle East.

Privafy

Privafy

Privafy helps mobile service providers, IoT manufactures , and enterprises redefine the way they protect Data-in-Motion.

Illuma Labs

Illuma Labs

Illuma Labs delivers real-time voice authentication and fraud prevention solutions.

Kalima Systems

Kalima Systems

Kalima’s mission is to securely collect, transport, store and share Industrial IoT (IIoT) trusted data in real time with devices, services and mobile workers.

Tide Foundation

Tide Foundation

Tide's breakthrough multi-party-cryptography enables TRUE-zero-trust technology that unlocks cyber-herd immunity.

Alias

Alias

Alias (formerly Alias Forensics) provide penetration testing, vulnerability assessments, incident response and security consulting services.

Mr Backup (MRB)

Mr Backup (MRB)

MRB offers Data Protection as a Service for businesses looking to reduce the time, cost and complexity of securing your company data.

CrossCountry Consulting

CrossCountry Consulting

CrossCountry Consulting is a trusted business advisory firm that provides customized finance, accounting, human capital management, risk, operations and technology consulting services.

Europol - European Cybercrime Centre (EC3)

Europol - European Cybercrime Centre (EC3)

The European Cybercrime Centre (EC3) was set up by Europol to strengthen the law enforcement response to cybercrime in the EU.

Pulsant

Pulsant

Pulsant is the UK’s premier digital edge infrastructure company providing next-generation cloud, colocation and connectivity services.

Zenzero

Zenzero

Zenzero simplifies technology adoption and supports our customers through managed and outsourced IT support.

ThreatDown

ThreatDown

ThreatDown, powered by Malwarebytes, is on a mission to overpower threats and empower IT by removing the complexity of detecting and stopping today’s most advanced threats.

Complete Cyber

Complete Cyber

Complete Cyber provide professional cybersecurity services and products to help secure your infrastructure, systems and data.