The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them.

Today’s AI Solutions

On April 21, 2021, nearly three years after the EU General Data Protection Regulation (GDPR) took effect, the European Commission published its draft proposed regulation. It offered a set of rules to regulate the use of AI systems and the data they collect. Like the GDPR, this regulation would apply to companies located in or affiliated with the European Economic Area (EEA). The regulators set out to close many of the usual loopholes that arise in compliance. For example, the rules apply to AI information used in the EEA even if that information is collected and produced outside the EU.

The proposal seeks to ensure that AI used in the European market respects the rights of people related to privacy and personal information. To be specific, it aims to protect against ethical and data privacy risks tied closely to AI, including bias in underlying data sets and discriminatory outcomes.

The proposal applies to AI providers, users, distributors and importers. It addresses rules for data risk management, transparency, conformity assessments and more. This proposal addresses a new type of technology whose operation and output have not been subject to regulation thus far. However, it is very much in line with the general trend of data privacy laws. Overall, the systems that handle our personal data have grown in scope and reach. The information we feed them becomes more detailed and specific. So, both legislators and regulators expanded the umbrella of their oversight to ensure that people still have privacy rights.


A History of Protections

The EU has always been at the vanguard of data privacy protection, going back as far as the 1995 EU Data Protection Directive. The U.S. followed closely behind with the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 1998 Children’s Online Privacy Protection Act (COPPA). Since the early 2000s, data privacy regulations have grown in number and variety across the globe. The 2003 California State Data Breach Notification Law, the 2012 EU Right to be Forgotten, the 2018 GDPR and the 2020 California Consumer Privacy Act (CCPA) and its amendments followed. These laws comprise a partial list of the regulations written to protect the privacy and personal data of citizens, customers and users of various tools and platforms, on- and offline.

Personal Data Privacy Needs

Different rules apply in different places and have different compliance needs. But most of them address the same issues with regard to personal data.

  • Notification: requires organizations to notify customers about what data is being collected, why it is being collected and processed and with whom it is being shared.
  • Request for Personal Data: grants customers the right to request access to their collected personal data at any time.
  • Consumer Consent and Opt-Out: prohibits processing of personal data without prior consent.
  • Deletion: gives customers the right to request that their personal data be deleted.
  • Correction: provides customers with the right to correct errors in personal data.
  • Data Security Solutions: requires companies to ensure personal data security.

The increasing reach of data privacy regulations did not happen in a vacuum. Lawmakers have been attempting to keep up with the way both old and new industries use technology to gather and monetize personal data, setting rules designed to curtail the risks of personal data exposure and uphold the right to privacy. To ensure this data protection, regulators give data privacy rules teeth. For example, violating the GDPR could incur fines of up to €20m or 4% of total worldwide annual turnover, whichever is higher. Privacy regulators in Europe have imposed more than $331 million in fines for breaking GDPR rules.

As a result of this growing oversight, every industry that manages personal data has seen some of its members violate data privacy rules in some way. As soon as an industry sets itself up as a collector of personal data, it becomes the target of threat actors who wish to acquire that data for illegal — and profitable — uses.

The Impact of a Data Breach

Adding to the problems as companies adjust to new privacy laws is the fact that regulators look beyond the ongoing management of personal data. Data leaks and breaches have become more common. In response, regulatory bodies examine not only how a company managed personal data prior to the breach, but also how it responds following an incident. Follow-up audits check whether a company has improved the procedures that led to the data breach. Regulators impose further fines if they consider that the company's efforts to prevent the initial breach and future events were not enough.

All industries feel the impact of these expensive lessons. Landing pages now ask visitors to provide consent before they continue to the website. Retailers implement privacy and anti-spam policies that comply with the most stringent rules across the regions in which they do business. Cyber insurance providers analyze risk based on the volume and scope of personal data held. Last but not least, school policy managers scramble to find ways to secure sensitive data.

The Complex Landscape of Data Privacy

Companies of all types and from all industries face an ever-growing, ever more complex landscape of privacy regulations. Competing and sometimes conflicting needs in different locations challenge global corporations. More stringent rules following breach events compound how companies must protect data during regular business. New tech brings with it new regulations that impact existing work — and limit new ventures. And the threat of fines — or a public relations nightmare — hangs like the Sword of Damocles over businesses.

Solutions and Tools

Businesses often respond to tech challenges with tech solutions. As privacy regulations come into effect, the tools that companies need in order to comply develop alongside them. Today, an entire industry is committed to providing businesses with platforms that offer insights into where and how personal data is saved, processed and copied.

However, these solutions come with their own set of challenges. How can they spot personal data in the mass of information processed by a company? How can a business maintain real-time awareness of personal data as people enter, copy, delete and transfer it? What happens when third-party solutions integrate with the network and access personal data? How do you handle it when someone adds a new database or cloud repository? Or when they encrypt information? How can you apply personal data protections when data moves across regions and different rules apply to it? What happens when multiple laws affect the same data at the same time?

A viable solution for data privacy and compliance must be able to adapt to multiple rules for existing tools, as well as handle new tech and new sources of personal data.
