4 Recent GDPR changes your business needs to know about


Enacted in 2018, GDPR set out to protect the privacy of European citizens online. It requires that consent be obtained from the user before any cookies are activated, that it be granular, and that it be easy to withdraw on request. Data subjects also have the right to restrict processing and even to request that companies delete their data.

With the rise of artificial intelligence and new legislators, GDPR’s way of working is being threatened.

With a few recent changes affecting the General Data Protection Regulation (GDPR), businesses must navigate revised rules to handle customer data responsibly. That starts with understanding the new regulations and how they will impact your business.

Generative AI is threatening the integrity of GDPR

Artificial Intelligence (AI) is gaining popularity, and its use is only expected to grow.

But the lack of governance around AI leaves room for doubt. AI applications that process personal information are subject to GDPR’s principles. Users have to consider if the information output by these machines can be linked to one specific person.

So companies must ensure that AI analyzes personal data in a compliant way. The EU’s recently proposed “Artificial Intelligence Act” (AI Act) aims to encourage proactive addressing of privacy and ethical concerns in AI development.

Some of the topics proposed in the AI Act are around:

  • Scope and Definitions - how to define what constitutes artificial intelligence and its different categories of risk.
  • High-Risk AI Systems - how to identify certain high-risk AI systems, like medical devices or critical infrastructure, and enforce strict requirements for their development, deployment, and use.
  • Data Quality and Transparency - requiring developers to use representative and unbiased data for training AI systems. Transparency about AI's decision-making processes is also expected.

This feels similar to the GDPR’s impact on data protection.

Like GDPR, the EU AI Act aims to protect individuals' rights and privacy. While GDPR focuses on personal data, the AI Act addresses risks posed by artificial intelligence systems.

Both regulations set rules for transparency, accountability, and safeguards to ensure that people's rights are respected in the digital age.

The EU AI Act could become a global standard, determining to what extent AI has a positive rather than negative effect on your life wherever you may be.

What does this mean for your business?

While the EU AI Act is still proposed, it could change the way marketers act. Marketers:

  • Will need to be cautious about how they employ AI in their strategies moving forward.
  • Might need to ensure that AI algorithms for ad targeting are free from biases and adopt stricter compliance measures for high-risk AI applications in marketing.
  • Must understand and adapt to the Act’s requirements, as non-compliance could lead to fines.

Changes to cookie banners

GDPR outlines a set of rules for dealing with cookies, which has made consumers all that much more aware of what data is being collected on them from third parties. Cookie consent is a cornerstone of compliance for websites with EU-located users.

This is because one of the most common ways for personal data to be collected and shared online is through website cookies. GDPR sets out specific rules for the use of cookies.

A “Cookie Banner Task Force” was created in 2021 to field responses to various concerns filed by privacy group None of Your Business (NYOB). Earlier this year the task force shared a report with the European Data Protection Board.

The report states that there must be a clear option to reject the use of cookies (not merely a “reject” choice that closes the website).

What does this mean for your business?

Companies will need to ensure they follow the rules below:

  • Pre-ticked boxes for which cookies will be accepted are not valid consent and contravene the GDPR.
  • You must not use button colors that can deceive users. Users are often in such a rush that they select a button by its color rather than reading the words.
  • Websites cannot rely on “legitimate interest” to process some personal data without user consent.
  • A “withdraw consent” option must be available via a “floating icon”; this will also be reviewed on a case-by-case basis.

New laws for cross-border regulation

The European Commission plans to introduce a new law aimed at improving the enforcement of GDPR by EU countries' privacy regulators. This law will address concerns about inefficient handling of major cases, particularly involving Big Tech companies.

It aims to set procedural rules for cross-border investigations and infringements, harmonize administrative procedures, and support GDPR cooperation and dispute resolution mechanisms.

What does this mean for your business?

To adhere to GDPR, marketers must:

  • Pay close attention to data transferred between countries
  • Adopt more transparent, secure, and accountable data handling practices when working with international data.
  • Be aware of the Data Privacy Framework

Data Privacy Framework notes how data is transferred from the USA to the EU

Introduced in July 2023, the EU-U.S. Data Privacy Framework was enacted to ensure that data can flow freely (safely and legitimately) between the USA and the EU.

US-based companies like Google, Amazon, and Meta collect a ton of customer data and use it to send personalized messaging to their customers. There have been massive lawsuits between companies spanning the Atlantic Ocean around the misuse of customer data.

This updated framework will make it much easier and more seamless for American companies to operate in Europe.

What does this mean for your business?

To remain compliant with the DPF, businesses must:

  • Consider how they transfer personal data between the EU and the US.
  • Review their data flows, revise contracts with third parties, and implement stricter privacy measures so that cross-border data transfers uphold EU privacy standards.
  • Determine the best solution for themselves. Interpretations of data residency are multi-faceted. Some customers may still prefer the ability to pursue a data resident solution rather than the DPF.

End Note

Regulatory frameworks like the GDPR are constantly improving the way user data is protected. Many other countries have started to follow suit, implementing their own privacy regulations. The United States introduced CCPA, Canada has PIPEDA, Singapore introduced PDPA, and Brazil has LGPD.

And with technological advancements like AI, the sky’s the limit on how data can be used to enhance customer journeys (and how regulations will enforce privacy.)

Pankaj N.

Assistant Vice President- Legal Managed Services

8 months

Exactly Prabhjot Singh. Artificial intelligence (AI) and the General Data Protection Regulation (GDPR) intersect through personal data processing. GDPR mandates lawful bases for AI data processing, emphasizing transparency and purpose limitation. Data Protection Impact Assessments (DPIAs) are required for high-risk AI projects. Accountability is paramount, necessitating compliance measures like data protection by design and appointing Data Protection Officers (DPOs). International data transfers must adhere to GDPR standards. In essence, AI developers must ensure GDPR compliance, prioritizing transparent, accountable, and ethical handling of personal data throughout the AI lifecycle.

Choy Chan Mun

Data Analyst (Insight Navigator), Freelance Recruiter (Bringing together skilled individuals with exceptional companies.)

8 months

Yassine Fatihi

Crafting Audits, Process, Automations that Generate | FULL REMOTE Only | Founder & Tech Creative | 30+ Companies Guided

8 months

Exciting to see how businesses are adapting to the evolving legal landscape! Prabhjot Singh
