How GDPR principles are serving as the blueprint for non-personal data laws

On this fifth GDPR anniversary, remember that data protection principles are increasingly serving as inspiration for legal obligations regarding the use of “non-personal” / “corporate” data. What was good business practice is becoming a statutory obligation.
So double-check that you have everything you *should* have, because soon you will be *required* to have it.

Not that privacy processes and documentation can or should simply be reused as-is on IT systems containing non-personal data – but you do need (i) a good, broader data governance approach and (ii) a strategy for handling data classification and onboarding new systems, irrespective of what they will contain.
And no, it’s not too late – far from it. IT consultants can help, as can technically-minded lawyers – because you need to take into account other risks than purely data protection risks (notably, intellectual property rules play a key role, as do sector-specific laws). For instance, we regularly help clients on data governance projects and draw upon our technical background and previous work to help with benchmarking.

This evolution also further strengthens the need to think about cybersecurity as a company-wide challenge, not something purely for the IT / infosec teams. We have seen a tremendous rise in the number of sector-specific or service/product-specific regulations with cybersecurity requirements (IoT, cars, the raft of sectors covered by NIS2), and internationally more and more countries have cybersecurity laws. If you do not yet have a global cybersecurity strategy, it’s high time – and the reflexes you have built (or tried to embed in processes) regarding the protection of personal data (data breach handling, DPIAs, etc.) can come in handy when devising that strategy. That is, assuming you have baked data protection into the company-wide approach (and not left it purely to the Data Protection Officer / Privacy Officer / Compliance / Legal teams) – if you haven’t, maybe you need to reconsider your approach. Information security consultants can help, as again can lawyers with a decent grasp of technical concepts – what matters is ensuring that you take into account technical, operational, financial and legal risks, as well as opportunities.

Similarly, data protection reflexes form part of the equation when it comes to AI governance. You obviously want to avoid feeding your own personal data, or that of your customers/contacts/…, to a third-party machine learning tool; if you are building your own tool, you need to ensure that any personal data fed into it is processed lawfully. Reflexes regarding fairness, though, go beyond personal data, and you can draw inspiration from them to determine how you handle other information in the context of AI systems. Just make sure you do not focus only on personal data, or you might lose sight of some of the key risks in your use case.

Learn from your data protection approach – what works, what doesn’t – and do better.

🫖

Did this analysis get you thinking? Reach out!

DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
