How EU regulations are shaping digital standards

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

May 24, 2023

Happy birthday, GDPR!

Not to burst the birthday balloon, but the EU’s landmark data protection and privacy regulation is a mere five years old (seven if you want to be pedantic) and like some youngsters, has made plenty of noise, caused some mess, continues developing its teeth, and may still require training wheels.

Conversations around protecting privacy have evolved significantly over the last five years, not least because of GDPR. But building digital trust goes beyond a single regulation to a focus on the picture around our entire digital society globally.

With the privacy landscape’s constant evolution and critical developments in the form of advanced technologies, increased expectations, and enhanced global regulations, it’s important to remember that regulations like GDPR in Europe and PIPEDA in Canada are there to protect the rights and freedoms of individuals and help regulate the collection and use of our personal data.

So far, it has not been a silver bullet. According to Cisco, 43% of consumers feel that they are not able to effectively protect their personal data, mostly because they can’t figure out how it is being used. While all of us should take our data protection more seriously, it’s up to organizations to be accountable and transparent, putting the requisite protections in place to build, evidence, and maintain digital trust.

Regulation is only one part of the answer. In the five years since GDPR came into force, we’ve seen the increasing emergence of digital standards to provide benchmarks and guidance in data, privacy, and AI.

The rise of digital trust through EU regulations

GDPR brought data protection and an awareness of individual rights to the mainstream media and public attention. This elevated the conversation to be about more than protecting data and shone a light on trust. This remains imperative with data breaches on the rise and continuing to make the headlines.

GDPR centres on six key principles of effective data protection that together enhance organizational resilience and reduce risks, both to individuals and to businesses from the impacts and consequences of data breaches. These principles include the lawful, fair, and transparent use of data; the use of minimal, accurate data with a limited and specific purpose; and doing so securely and for a limited amount of time.

The regulation mandated the need to record processing activities. In fact, it has always been beneficial for an organization to have data maps and data flows for proactive compliance as well as to support reactive activities, including breach and incident response. The latter makes it easier to determine the impact of a breach, enabling a more efficient and thorough response, in turn mitigating the impact and helping to maintain or perhaps rebuild trust.

Its many detractors claim that GDPR has stifled business change and innovation – for example, the criticism that the Italian DPA received relating to its enforcement action against OpenAI for the use of Italian’s personal data as part of ChatGPT. However, one could argue for a lack of maturity within organizations’ privacy frameworks or the lack of a culture that prioritizes privacy and embeds data protection as part of the digital strategy being the true root cause of dissatisfaction with the regulation.

By embedding data and privacy by default across all processes, including product and software development lifecycles, regulations and digital standards can provide the building blocks needed to continuously improve privacy maturity in a way that develops greater digital trust.

The impact of EU regulations on digital standards

The global regulatory landscape is changing significantly. Globally, there are more laws, stronger enforcement powers, more fines, and greater visibility of supervisory authorities. All of these factors change the risk profile in jurisdictions, with Australia being a recent example.

In 2022, shortly after high-profile, high-impact data breaches and very public investigations that remain ongoing, Australia confirmed an overhaul of its Privacy Act. Its privacy law enforcement powers are now among the strictest in the world, exceeding GDPR with fines increased from AUD 2.2m (£125K) to AUD 50m (£28m). Meanwhile, in the US, a federal privacy law continues to be mooted as more state-level privacy laws take effect in 2023.

Alongside this, there are also emerging frameworks and standards that support effective privacy management (ISO 27701) and help embed privacy by design and default into products and services (ISO 31700). All this comes as organizations are increasingly prioritizing privacy as part of their digital strategies to foster transparency and accountability and build greater customer trust in their brands, products, and services. They see the potential value that embedding privacy by design and default can have to building and sustaining digital trust. According to the 2022 Cisco Data Privacy Benchmark Study, 83% of businesses view privacy regulations favourably and 91% consider privacy a business imperative.

Looking ahead: Emerging trends and technologies impacting data protection and trust

Our data is everywhere. Organizations are collecting and using more data, supported by ever-more-complex digital supply chains and system integrations. There is an increasing utilization and normalization of consumer-facing technologies, including generative AI chatbots like ChatGPT and others, and commercial surveillance practices (in digital health, advertising, and social media, for example) that illustrate the sheer scale and breadth of data collected as we go about our lives.

These technologies, including health and wellbeing apps, generate vast amounts of human activity data from individuals sharing emotions, opinions, experiences, and locations. Digital standards and regulations provide the baseline, but there is an increasing challenge for us to think about the possible privacy harms or other unintended consequences.

Organizations focused on protecting privacy and establishing digital trust now have the opportunity to consider how these technologies may impact privacy and whether they are exploring the right solutions. They can ask questions like just because you can, does that mean you should? Do you trust these technologies with your data? Can you explain what they do with an individual’s data and justify a legitimate and lawful use? Do you know how to put appropriate controls in place to protect privacy and prevent unauthorised or inappropriate secondary use of the data collected?

Without GDPR, organizations may not have had the impetus to prioritize these questions, nor consideration of the answers. Five years on, we are talking about them much more, but there is still a long way to go in terms of practical solutions for proactive compliance by design as well as effective, active, and appropriately dissuasive regulatory enforcement before GDPR can remove its training wheels without a wobble. Whilst large fines such as the recently announced €1.2bn sanction (the single largest fine under the GDPR to date) levied against Meta by the Irish Data Protection Commission (DPC) and the European Data Protection Board (EDPB) make global headlines, there is still a clear absence of meaningful regulatory enforcement, including sanctioning organizations with the maximum 4% penalties and issuing cease processing notices instructing the immediate and mandatory suspension of global data transfer and immediate and mandatory deletion of data.

Moreover, there are significant opportunities and benefits of prioritizing privacy beyond mere compliance with regulatory obligations. To conclude with a question that parents of five-year-olds will have heard all too often, “Are we there yet?”. On GDPR – no – but we have made good progress. Let’s keep it up.

Read more from Matthew Goodbun in The social layer of data protection isn’t enough and visit BSI's Experts Corner for further insights on other digital trust, privacy, information security, and environmental, health, and safety topics that should be at the top of your organization's list.

Matthew Goodbun

Matthew Goodbun

Mathew Goodbun, Senior Privacy Consultant, is a well-qualified data protection and privacy professional with extensive knowledge of global privacy compliance and data protection matters. A skilled and credentialled practitioner, his program management, compliance expertise, and knowledge of global privacy laws means that he is well positioned to translate regulatory compliance obligations into meaningful business context.

Matthew supports his clients in highlighting the commercial benefits of prioritizing privacy through proactively building and maintaining digital trust and embedding privacy by design and default across all products, services, functions, and jurisdictions.