GDPR from a Data Privacy Officer’s Perspective: 4 Keys to Know

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise technology. In this feature, Egress Data Protection Officer Kevin Tunison offers commentary on GDPR from a data privacy officer’s perspective through four essential keys.

The world and the technology industry are very different places since GDPR was implemented five years ago. Data loss is a near-constant threat to companies; our 2023 research revealed that 91 percent of organizations surveyed had an outbound email data breach, and 86 percent suffered negative impacts from outbound data loss. This is a pressing issue for organizations as legislation around data tightens. Without a doubt, GDPR is a force for good, but I’d like to address four areas of concern from the DPO’s (Data Privacy Officer’s) perspective.

Email Security Requirements

Email is a leading cause of data breaches, but it is also a necessary tool for businesses to function and for people to access banking, public services, and healthcare. So, training staff both on how to use it and on how to report a breach is paramount to avoiding GDPR fines. It is important to enable businesses to protect their customer data.

Under GDPR, only the Controller is responsible for determining if a breach is reportable, not the Processor. But a good starting question for GDPR is, “Will this information, action, or chain of events directly impact a person’s daily life?” This sort of thinking should be ingrained within the company culture. For example, remote working has created a corresponding rise in accessing work emails from personal devices, which may not have the same security installed as a professional device. On a smaller screen, more data breach risks creep in, like sending an email to the wrong recipient.

The basic principles of GDPR say you must protect personal data “against accidental loss, destruction or damage, using appropriate technical or organizational measures.” Intelligent technologies provide reasonable and cost-effective steps toward compliance. They help to detect and alert you to phishing attacks, accidental data loss, non-compliant behavior, and malicious data exfiltration. Combined with a healthy security culture, it is the responsibility of every organization to facilitate compliance.

AI, Profiling & Large Language Models (LLMs)

GDPR will persist for many years to come, but questions will arise about how it is applied as technology evolves, for example following the explosion of large language models like ChatGPT. With the novelty and ease of profiling these models bring comes uncertainty. A huge conversation has occurred around this from a data compliance perspective, leaving professionals wondering whether GDPR is encompassing enough or whether we need separate legislation.

With both the godfathers of AI and the EU calling for increased legislation, we must come to an agreement on a new set of compliance measures that set out some basic principles. The potential of AI is borderless and so is how that data gets used ethically and responsibly, so we may see overarching principles across countries, much like the tenets of GDPR.

While much discussion arises around the impact of Brexit on GDPR implications, it is safe to say the legislation largely remains the same. As cyber threats and resulting data breach risks evolve, organizations must prove how they are mitigating these. What is particularly interesting to see is how legislators react to developments in the AI space. As we have seen in the past, however underused or obscure legislation may be today, it always has the potential to be applied to the maximum extent possible tomorrow. So, watch this space for developments.

GDPR is Not the End-All and Be-All Legislation

Privacy law is constantly evolving, and we must consider the many pieces of legislation that came before GDPR. Quite often it is not well understood outside of privacy circles that other laws take priority over GDPR. For example, ePrivacy (PECR) is an entirely separate set of regulations governing the legality of electronic communication such as cookies and call recordings. There are also law enforcement aspects of data protection with their own set of rules, usually more stringent than commercial GDPR. National security laws also pre-empt GDPR. Vodafone does a great job of providing transparency where they are legally allowed to.

Why is this a challenge? Privacy is often nuanced. It requires understanding not just the task at hand, but the wider strategy of a business wanting to use data, and how that data could be misused. Often when a business wants to make use of information, it is not just a privacy issue. It can involve many different laws and regulations, ranging from Health and Safety, HIPAA and SEC rules to BIPA, or Australia’s APRA, to name just a few examples.

New legislation on the horizon is also adding to the complexity. I very much doubt anyone can answer with any certainty what the EU AI Act will bring, or the UK Online Safety Bill (one of several pieces of legislation that present the ever more pressing challenge of bypassing encryption).

Bypassing Encryption Legislation

The challenge of balancing privacy with the rule of law is never going away. They are fundamentally at odds with one another. Since the days of Skype and Blackberry, we have seen some countries mandate a way to bypass encryption. This is contrary to living in free and transparent societies where speech and expression have express protections, even when you do not agree with what is being said.

The pivot here is renewed focus on children and their safety online. This is paramount and starts at home and at school, with teachers, parents, and guardians monitoring and guiding what children are exposed to. There has yet to be a case where active safeguarding involvement by adults in a child’s online activity resulted in them being exploited.

Putting technological backdoors into privacy solutions has the potential to do much more harm than good and gives a false sense of security that children are not at risk. Without effective parenting, however, risk prevails. There is also the concern about the impact these kinds of laws have in breaking the basic principles set out in the internationally ratified Convention 108 on personal data protection, which spans countries from Argentina to Azerbaijan.

Privacy laws have an interesting road to navigate, whether regulating personal data, child online safety, or the rapidly evolving world of generative AI. As technology continues to evolve, we’ll see legislation adapting to stay in step. Legislators must work hard to keep pace to ensure ground is not lost and, ultimately, regulations like GDPR remain a force for good.