The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them.

Today’s AI solutions

On April 21, 2021, nearly three years after the EU General Data Protection Regulation (GDPR) took effect, the European Commission published its draft proposed regulation. It offered a set of rules to regulate the use of AI systems and the data they collect. Like the GDPR, the proposal would apply to companies located in or affiliated with the European Economic Area (EEA). The regulators set out to close many of the usual loopholes that arise in compliance. For example, the rules apply to AI output used in the EEA even if that output is collected and produced outside the EU.

The proposal seeks to ensure that AI used in the European market respects the rights of people related to privacy and personal information. To be specific, it aims to protect against ethical and data privacy risks tied closely to AI, including bias in underlying data sets and discriminatory outcomes.

The proposal applies to AI providers, users, distributors and importers. It addresses rules for data risk management, transparency, conformity assessments and more. This proposal addresses a new type of technology whose operation and output have not been subject to regulation thus far. However, it is very much in line with the general trend of data privacy laws. Overall, the systems that handle our personal data have grown in scope and reach. The information we feed them becomes more detailed and specific. So, both legislators and regulators expanded the umbrella of their oversight to ensure that people still have privacy rights.

A history of protections

The EU has always been at the vanguard of data privacy protection, going back as far as the 1995 EU Data Protection Directive. The U.S. followed closely behind with the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 1998 Children’s Online Privacy Protection Act (COPPA). Since the early 2000s, data privacy regulations have grown in number and variety across the globe. The 2003 California State Data Breach Notification Law, the 2012 EU Right to be Forgotten, the 2018 GDPR and the 2020 California Consumer Privacy Act (CCPA) and its amendments followed. These laws comprise a partial list of the regulations written to protect the privacy and personal data of citizens, customers and users of various tools and platforms, on- and offline.

Personal data privacy needs

Different rules apply in different places and carry different compliance needs. But most of them address the same issues with regard to personal data.

  • Notification: requires organizations to notify customers about what data is being collected, why it is being collected and processed, and with whom it is being shared.
  • Request for Personal Data: grants customers the right to request access to their collected personal data at any time.
  • Consumer Consent and Opt-Out: prohibits processing of personal data without prior consent.
  • Deletion: gives customers the right to request that their personal data be deleted.
  • Correction: provides customers with the right to correct errors in personal data.
  • Data Security Solutions: requires companies to ensure personal data security.

The increasing reach of data privacy regulations did not happen in a vacuum. Lawmakers have been attempting to keep up with the way both old and new industries utilize technology to gather and monetize personal data, setting rules designed to curtail the risks of personal data exposure and uphold the right to privacy. To ensure this data protection, regulators give data privacy rules teeth. For example, defying GDPR could incur fines of up to €20m or 4% of total worldwide annual turnover. Privacy regulators in Europe have imposed more than $331 million in fines for breaking GDPR rules.

Under this growing oversight, every industry that manages personal data has seen some of its members violate data privacy rules in some way. As soon as an industry sets itself up as a collector of personal data, it becomes the target of threat actors who wish to acquire that data for illegal — and profitable — uses.

The impact of a data breach

Adding to the problems as companies adjust to new privacy laws is the fact that regulators look beyond the ongoing management of personal data. Data leaks and breaches have become more common. In response, regulatory bodies examine not only how a company managed personal data prior to a breach, but also how it responds following the incident. Follow-up audits check whether the company has improved the procedures that led to the breach. Regulators impose further fines if they consider the company's efforts to prevent the initial breach and future incidents insufficient.

All industries feel the impact of these expensive lessons. Landing pages now ask visitors to provide consent before visiting the website. Retailers implement privacy/spam policies that comply with the most stringent rules across the regions in which they do business. Cyber insurance providers analyze risk based on volume and scope of personal data. Last but not least, school policy managers scramble to find ways to secure sensitive data.

The complex landscape of data privacy

Companies of all types and from all industries face an ever-growing, ever more complex landscape of privacy regulations. Competing and sometimes conflicting requirements in different locations challenge global corporations. More stringent rules following breach events compound how companies must protect data during regular business. New tech brings with it new regulations that impact existing work — and limit new ventures. And the threat of fines — or a public relations nightmare — hangs like the Sword of Damocles over businesses.

Solutions and tools

Businesses often respond to tech challenges with tech solutions. As privacy regulations come into effect, the tools required to enable companies to comply develop with them. Today, an entire industry is committed to providing businesses with platforms that offer insights into where and how personal data is saved, processed and copied.

However, these solutions come with their own set of challenges. How can they spot personal data in the mass of information processed by a company? How can a business maintain real-time awareness of personal data as people enter, copy, delete and transfer it? What happens when third-party solutions integrate with the network and access personal data? How do you handle it when someone adds a new database or cloud repository? Or when they encrypt information? How can you apply personal data protections when data moves across regions and different rules apply to it? What happens when multiple laws affect the same data at the same time?

A viable solution for data privacy and compliance must be able to adapt to multiple rules for existing tools, as well as handle new tech and new sources of personal data.
