GDPR Is Six Years Old: What Is Its Impact On AI?

25 May marks the 6th anniversary of GDPR, the EU’s data protection regulation. Its introduction was met with mixed reviews: some praised it for overhauling data protection in the region, while others saw it as an insurmountable challenge because of the changes it forced on data management practices. But has the sentiment changed 6 years on?

We have collected commentary from leading tech and security businesses to understand their views on GDPR and what the future may hold for the regulation. Let’s find out what they have to say.  

Matt Cooper, Director of Governance, Risk and Compliance, Vanta: "Another year older doesn’t necessarily mean another year wiser - a lesson we’re learning on GDPR’s 6th anniversary.

"Many businesses across Europe are still struggling to adapt their data management practices to meet the regulations' strict requirements 6 years on. And despite significant efforts, staying in compliance with GDPR remains a resource-heavy task that often demands continuous monitoring and regular audits.

"To complicate matters further, AI has become a must-have for many businesses to stay competitive, which is introducing new data privacy risks. This is spreading resources even thinner than before, as businesses are having to adopt robust AI governance frameworks to ensure said novel risks are mitigated, while still grappling with the relatively new GDPR rules. The impact of this is already being felt, with 57% of UK businesses reporting that secure data management has become more difficult with AI adoption, according to Vanta’s 2023 State of Trust report.

"However, with risk also comes opportunity. AI has proven particularly effective at automating manual tasks, and streamlining compliance processes is no exception. Businesses can use the technology to automate evidence collection and continuously monitor compliance, reducing the burden on their security teams.
 
"GDPR has proven a challenge since its introduction. While its 6th anniversary shows that there may be a light at the end of the tunnel for those struggling, rapid corporate adoption of AI will make it darker before it gets lighter."
 
Agur Jõgi, CTO, Pipedrive: “The review of GDPR by the European Commission serves business leaders a reminder to keep data policy constantly up to date. In any organisation, data flows in an interconnected network. However, this is just one piece of the data puzzle – added layers of complexity with external data sharing mean attention needs to be paid to watertight compliance. This is why it’s vital for companies to work with trusted partners when considering data protection.

"If you’re contracting a data processor to carry out certain processing activities on your behalf, such as using a CRM platform for your sales team, you need to know that they are laser-focused on any legislative changes. According to Article 28 of the GDPR, the relationship between a data controller and a processor needs to be made in writing, through a data processing contract. And, as the importance of AI skyrockets up the corporate agenda, robust data agreements need to account for machine learning applications crunching large volumes of sales data, enabling continuous compliance and safety. As data transfers happen, inside and outside the EEA, data processors should keep up to speed with the implications that EU GDPR has for businesses.

"The fact of the matter is that regulators can exact a heavy toll on companies that don’t meet data protection standards..."

"For especially severe violations, the fine framework can be up to 20 million euros or up to 4% of total global turnover of the preceding fiscal year. This is why scrutinising all data checkpoints is business-critical, so that organisations can continue to operate in a secure and safe environment with data, and in turn maintain the loyalty and trust of their customer base.”
 
Eduardo Crespo, VP EMEA, PagerDuty: “The European Commission will undertake a major review of the GDPR framework this month. This review offers leaders a chance to interrogate data security policies, especially in the context of next generation technology. It is important that data protection isn’t viewed as just another frustrating piece of bureaucratic red tape – it is designed to protect data privacy, reinforce consumer trust in companies and keep transparency of processes top-of-mind. Data protection, through measures like EU GDPR, relies on two pillars in an organisation: the right technology and the right skills to use it.
 
“Understanding EU GDPR, especially in the context of rising interest in AI, is key. In the market, across digital products and services, there is a mounting keenness to explore emerging technologies..."

"In our State of Digital Operations Report, we found that more than three-quarters of companies are pursuing automation, but there is a lag in adoption. The reason we’re not seeing a full surge in AI for organisations is that data security concerns are acting as a blocker, coming out as a top concern to a third (34%) of business and IT decision-makers, mirroring those concerns of AI.
 
“Organisations who fail to act or deploy enterprise operations solutions and AI do face the risk of falling behind early adopters. With the volume of data and content to store and secure, across retail, media, financial services and a host of other sectors, security and cloud investments need to remain both timeless and timely in the IT world, especially with the backdrop of EU GDPR review. At the ship’s helm, leaders have a responsibility to prioritise risk reduction, revenue protection, and operational resilience, while ensuring that data flows in a safe and secure way. These are precisely the outcomes companies can aim for with concrete data strategy, as well as collaboration with the right data processors, who are eagle-eyed when it comes to regulation-related updates.”
 
Michel Isnard, VP of EMEA, GitLab: "GDPR played a pivotal role in ensuring that organisations recognise that they must integrate privacy, security, and compliance throughout their processes to manage risk effectively and add business value.

“The growing need for data to build and fine-tune AI applications, coupled with an ever-increasing number of data breaches, indicates that adherence to GDPR has never been more important..."

"With software delivery in particular, the need for developers to invoke secure-by-design principles becomes even more critical. Secure-by-design principles ensure the entire development lifecycle has the necessary controls to address vulnerabilities specific to each phase of the software delivery process. It also requires tighter collaboration between developers, with clear functional knowledge of how software should work, and teams with a better understanding of the legislative, regulatory, and security requirements impacting the business. Implementing a framework incorporating the secure-by-design principles streamlines software development and ensures more robust security and compliance and better-governed software."
 
Nikolaz Foucaud, Managing Director, Coursera EMEA: “The European Commission’s GDPR review is arriving at a critical juncture, as any vision for data protection needs to now account for AI’s profound structural impacts. With LLMs requiring vast datasets for their training and refinement, it is imperative to ensure that data privacy and protection checks and balances are in place, especially as leading GenAI players seek competitive edges. For the UK, with its own GDPR framework, eyes will be firmly fixed on the European Commission to assess the result of legislative review.
 
"As AI usage is likely to be increasingly regulated, data protection officers need to be focused on regulatory alignment across borders, and this process will require a fair deal of cross-border collaboration around clear-cut AI strategy. In the UK, to ensure solid management of any regulatory needs, having widespread data compliance literacy will be vital for all organisations. British companies cannot afford to fly blind when it comes to regulation, especially as penalties for non-compliance can be up to £17.5 million or 4% of annual global turnover.
 
"Ensuring that there are appropriate skills within departments to manage ever-increasing datasets in line with new compliance obligations must be a top priority for Britain’s people leaders..."

"EU GDPR review will likely signal a need to change policy and procedure in the UK, and successful implementation will only be possible if businesses possess the necessary skill sets. Keeping data and compliance skilling opportunities available across organisations will help data protection experts adapt to ever-evolving regulation.”

Image: GOCMEN
