Data Protection Trends - GDPR as a forthcoming global privacy benchmark
Jiri Cerny, Legal & Corporate Affairs Director, Microsoft
Jiri Cerny, Legal & Corporate Affairs Director, Microsoft
Data Protection and Cyber Security
The second major policy trend affecting data protection is cybersecurity. Similarly to privacy, governments are becoming more concerned, if they are ready to tackle challenges brought by new dimension of cyber-attacks. Unlike with privacy laws, which are meant to protect individuals’ rights, cybersecurity laws are primarily driven to protect states’ security, and extend regulatory requirements beyond personal data.
Cyber-attacks can affect public safety also through providers of core infrastructure. Therefore, the modern cybersecurity laws focus not only at state bodies, but also at some private businesses. Example of the forthcoming Cybersecurity law is the European directive NIS, which establishes minimum security requirements to tackle cybersecurity risks. It came into effect in 2018 and the affected entities had the challenge to comply both with GDPR as well as with NIS requirements.
Even though Privacy and Cybersecurity are meant to address different concerns, there is a common denominator that needs to be found. When we think about privacy and cybersecurity in today’s digital world, we usually need to address these topics from a perspective of an IT environment of specific entity. Assessing privacy and cyber security requirements, as two distinct and independent domains, can hardly achieve a sustainable outcome. GDPR and NIS both apply the risk-based approach and the technical and operational measures applied to tackle specific risk need to be proportionate to the addressed risk. This allows the affected entities to take a holistic approach to their compliance privacy and cybersecurity compliance.
From a policy perspective, notions of privacy and cybersecurity should be considered as topics with mutual dependencies and should not force the entities to apply two different set of standards.
Opportunities ahead
It is an undisputed trend that compliance with privacy and cybersecurity laws is becoming an absolute necessity for any organization. However, new privacy and cybersecurity obligations should not be viewed as just another regulatory requirement that companies need to follow. Companies should also see it as a great opportunity to reevaluate how they processes the data, what data is really needed, what are the appropriate processing methods and what subcontractors are involved. It is also an opportunity to unify and simplify all processes where not only personal data is involved.
We can expect the data processing based on machine learning and artificial intelligence will significantly raise in the near future. These notions will enable new methods of personal data use and it will only increase pressure for enhanced privacy standards. We can expect that future AI regulation will build on principles already established by privacy and cybersecurity laws. There are certain areas, such as face recognition, where we might need to rethink the current privacy regulations. With the absence of relevant regulation, companies should consider a need to impose certain ethical standards that are yet to be implemented in the AI-related policies.
See Also: Top GDPR Solution Companies
