Five years of GDPR - what does the dawn of AI mean for data privacy regulations?

The business landscape may have changed a great deal in that time, but GDPR continues to be effective, reflects Jakub Lewandowski, Global Data Governance Officer at Commvault.

“Whilst only five years old, GDPR is already the grandad of data regulation in the modern age: established and dependable, although not yet outdated. Despite all the technological developments within the last half decade – facial recognition, virtual reality, and AI, to name just a few – GDPR has stood the test of time.

Both large and small businesses have been hit with fines for non-compliance, including some of the best known British brands – “A total of 1,446 fines have been issued since 2018 all varying in amount and addressing different sized companies and violations,” notes Gary Lynam, Director of ERM Advisory at Protecht.

“Statistically, the violations with the most fines are related to data processing non-compliance and let’s face it, with the likes of TikTok, British Airways and Ticketmaster being among the prominent names to have received fines, GDPR is clearly by no means a simple tick box process,” Lynam adds.

Richard Starnes, Cyber Security Strategy Director at Six Degrees, says: “ICO fines have risen in frequency and cost over the past five years, brand damage for breaches is now understood, and class action style lawsuits are becoming possible in the UK.

“This can have the consequence of causing companies to raise their data protection capabilities, but there is also an incentive to report breaches less frequently or at all. Let us not forget the recent case of the former Chief Security Officer (CSO) of Uber who was convicted of US Federal charges for covering up a data breach involving millions of user records,” Starnes adds.

Next up for the UK

Since leaving the EU in 2020, the UK has had the opportunity to establish its own data protection legislation.

Node4’s Head of Compliance, Vicky Withey, explains: “Since Brexit, the UK continues to follow GDPR; however, this is all up for change. As the UK government now has the opportunity to tailor legislation that is focused within specific market sectors, potential reforms can help organisations to achieve their goals where GDPR has been too restrictive, preventing growth and prosperity.”

“The UK must ensure that any changes in legislation are approved by the EU to meet ‘adequacy’ requirements, whilst the safe transfer of data between countries will help with technology advancement and medical research,” she continues.

“The UK Government understands the importance of protecting privacy rights to maintain the free flow of personal data across the EU. Still, it will also consider that data protection standards vary globally, and as a result, plans to introduce a Data Protection Reform Bill will be eagerly anticipated by organisations, legal and compliance bodies alike,” Withey continues.

Alev Viggio, Director of Compliance at Drata, takes a similar view, stating: “the UK government’s decision to replace GDPR with its own British Data Protection Bill will lead to a new wave of regulations and policies for businesses to adhere to. The challenge here is that many businesses will still have to adhere to EU GDPR and this new system pending their customer base - this can create confusion and complexities in any compliance programme, especially when considering the consequences of fines and violations if they fall out of compliance.”

Getting a handle on AI

The recent explosion of AI, and the phenomenon of ChatGPT over the past six months, has increased debate around what we need from data privacy regulations in 2023.

Asha Palmer, SVP Compliance Solutions at Skillsoft, says: “Despite common misconceptions, AI is regulated through GDPR – organisations are obligated to provide affected individuals with information about the associated logic of any automated decisions.

“As generative AI tools such as ChatGPT take the world by storm, organisations need to develop and update governance around its usage in the workplace, considering the security, privacy, confidentiality and ethical implications,” Palmer adds.

“With LLMs (Large Language Models) set to revolutionise the world, we can expect to see additional legislation to regulate their use and ensure data continues to be protected,” agrees Commvault’s Jakub Lewandowski.

He adds that the UK Data Protection and Digital Information Bill “is already more extensive in its regulations around automated decision-making, while an AI Act has already been proposed in the EU too. Luckily, the experience that privacy professionals gained through building and implementing GDPR frameworks will be a great starting place when the time comes to undertake a similar process with AI.”

Emphasising the importance of regulating the use of AI, Vicky Withey warns: “With so much personal data being collected, processed, and stored, the potential risk for data breaches is significantly increased. By granting AI access to this data, it also increases the risk of personal data being manipulated to create fake identities for cybercriminals. 

Protect, comply and mitigate risk

With new legislation incoming and new technologies increasing risk, often without us realising, how should organisations take action to ensure that they are fully compliant and protecting their data. 

Gary Lynam recommends: “The best way for organisations to protect their data is ensuring an integrated governance, risk and compliance (GRC) approach. A centralised and cohesive system that simplifies evolving requirements of GDPR rules and its new UK Data Protection and Digital Information Bill, and effortlessly keeps pace with future regulatory changes and data protection challenges.”

Alev Viggio from Drata also recommends an automated system, recognising that managing compliance “manually facilitates the chances of human error, so adopting a continuous compliance approach via automation can vastly simplify the process for following data protection rules and understanding the overlap between various regulations to avoid redundancies.”

Embracing the rise of AI, Skillsoft’s Asha Palmer advocates “creating a holistic generative AI governance structure that is sustainable, trustworthy, and transparent [that] will require shared accountability between those developing the tool and those using it.

“All stakeholders must come together to understand the risks and consider what protocols are, or should be, put in place to ensure GDPR compliance. An effective governance structure must include risk assessment, policies and procedures, and testing and monitoring.”

“Policies should be clear and prescriptive to all employees, supplemented with AI education and training that includes common uses and benefits, potential for bias, and the global AI regulatory landscape. This will support organisational exploration of the fundamental principles of AI governance,” Palmer continues.

More than an event

Our flagship event series #RISK is where the whole ‘risk’ community comes together to meet, debate, and learn, to break down silos and improve decision-making.

Technology is at the center of every core business process within modern organizations and #RISK London 2023 is a content rich Expo centred around seven key themes:

DATA PROTECTION & PRIVACY    SECURITY    ESG    PEOPLE    GRC    WELLBEING    FINANCIAL CRIME

At the inaugural #RISK in November 2022 we discovered that our attendees were visiting as groups and even using the event as a meeting point to catch up with colleagues from different departments

Our mission is to continue to build on the success of #RISK 2022 and provide a platform that allows organizations to address the cumulative nature of risk, unite disparate GRC specialties and create a compelling ‘deep dive’ agenda led by subject matter experts and thought leaders.

Find out more