We survived GDPR implementation… but it doesn't stop there
It may seem impossible, but GDPR has been with us since 2016 – i.e. 8 years. After the initial problems and disagreement, everything settled down over time and now companies are acting in accordance with the regulation and we have all simply adjusted our view of how we can handle personal data. But…
Adapting how we work with data does not end with GDPR. The European Union keeps acting in this area, and a number of regulations and directives are now in force, or soon will be, that relate to other areas of data handling, for example non-personal data.
In this and the following article, we will look at them and try to present their main ideas to you in a nutshell. It is better to start preparing sooner rather than later. Let’s look at these documents together:
- Act on data management
- Data Act
- The AI Regulation
- Cyber Security Regulation
- Regulation on cyber security requirements for products with digital elements
- Digital Markets Regulation
And as a bonus, we’ll throw in information from the European Data Strategy and the European Code of Conduct for Cloud Providers.
Act on data management
The European Data Management Act entered into force in the autumn of 2023 – there is no need for an adaptation law, only the provision of an enforcement body at the level of individual states. The aim of this regulation is to fulfill Union-wide data strategies to support the proper functioning of the internal data market.
The European Union wants to ensure that as much data as possible is available for research and innovation. That’s why it established rules and incentives for public and private sector organizations to securely share as much data as possible – including personal data, for example using anonymization methods.
Using this approach, it should be easier to create datasets for various analyses and machine learning. But this should not be an obstacle to maintaining competitiveness and intellectual property. And of course one of the main priorities is to keep all data secure, although there may be exceptions where data is shared outside the EU.
Within this regulation, we encounter two special kinds of organizations – those that mediate data and those that engage in data altruism. Operating rules are also set for these organizations.
Data Act
The data regulation will not come into effect until next year, but given the large increase in devices connected to the Internet, it makes sense to familiarize yourself with it as soon as possible. Although this regulation follows on from the Data Management Act, it is not one and the same.
The Data Act focuses on handling data from IoT devices that is not personal but can help improve services and customer care. GDPR remains the overriding regulation, but the Data Act is more focused on non-personal data generated by smart devices or connected products – with exceptions such as prototypes or data generated by complex proprietary algorithms.
It still adheres to the original intent of building an efficient data market, but this regulation goes further and helps customers take control of the data generated by the devices in their hands. It is one of the steps that help remove technical obstacles: a device could be serviced by a third party even after the manufacturer's warranty and support have expired, and companies can move more easily between individual technologies, including cloud and edge services.
The long-standing debate about the unfair terms of most SaaS services – you don’t give consent to use data, you can’t use the service – should also be significantly calmed by this regulation, as the regulation should protect users more in this regard.
But if you want to find out whether this regulation applies to you, it’s a good idea to ask for help, because there are a lot of exemptions based on the size of the organization, its involvement in different ecosystems, or how key a role the system plays in the operation of the device.
The AI Act
The AI Regulation will apply from 2026. Artificial intelligence is all around us and concerns are emerging more and more often. So the European Union sat down and prepared this regulation, which aims to:
- Support the introduction of AI systems into the market, into operation and into common use
- Develop and support the adoption of safe, trusted and ethical AI
- Protect users at different levels
- Support AI innovation
But there will be plenty of areas where it won’t even begin to apply: automated tasks, research and development, testing, and the military, defense, national security, and international justice fields.
But the advantage is that if the company uses AI for internal use, then there is no need to apply this regulation. It only applies to AI when it is involved in products and services. These will be able to be tested for compliance with this regulation thanks to national AI sandboxes.
Such products and services will need to have detailed documentation, and special conditions will apply to high-risk AI systems and general AI models. In addition, keep in mind that this regulation applies to the territory of the EU; it does not apply only to companies that have their headquarters here.
For supervision within the framework of the AI Regulation, an office for AI will be established, as well as a European Council for Artificial Intelligence, and a supervisory authority will be established for each state. In case of non-compliance with the conditions, organizations face high fines, and the authority also has the right to inspect all materials, including source code.
To be continued...
We have now taken a brief look at three regulations that already have or will have an impact on the functioning of companies in the near future. Hopefully this simplified overview has helped you find out if your business will fall under any of these regulations, so that it doesn’t come as a surprise to you later. And next time we will continue.