McKinsey & Co.’s latest research on data privacy has found that the regulations the European Union has proposed to follow the sweeping General Data Protection Regulation (GDPR), effective in 2018, could have positive impacts on businesses worldwide and mitigate data breach risk, but could also bring burdensome administrative and compliance tasks.
A website dedicated to the GDPR states it is “the toughest privacy and security law in the world” and is applicable to any organization worldwide, regardless of location, that targets or collects data related to people in the EU.
“With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence,” the site states. “The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).”
However, laws in the U.S. limit how the GDPR is applied in that country.
“While these developments have led to major changes in data privacy, one of the other goals of the regulation — to establish a market for data and facilitate data exchange between companies — has not been reached to date,” McKinsey wrote in its article. “The EU digital strategy offers organizations both challenges and opportunities but these regulations will likely continue to evolve, so organizations should remain aligned with the regulatory process.”
According to McKinsey, the EU’s proposed digital strategy will, as of now, take effect this spring and includes:
- “The Data Governance Act creates a new way of managing data to increase trust in and facilitate data sharing.
- “The Digital Markets Act creates fair and contestable markets for innovation, growth, and competitiveness in the digital sector.
- “The Digital Services Act creates a safer digital space where the rights of all users of digital services are protected.
- “The Data Act regulates access to data in B2B, B2C, and B2G (business-to-government) relationships and while switching between cloud providers.
- “The AI Act enacts stringent regulations of (high-risk) AI systems and prohibition of certain practices.”
Interestingly, McKinsey says the proposed legislation provides protection of end-user rights associated with artificial intelligence (AI) to create a new market “where identifying possible algorithms that are not forbidden or high-risk becomes a paramount goal and, therefore, creates new market possibilities, even in areas where traditionally the companies had already created the relevant legacy algorithms.”
“Several benefits arise from the new regulatory regime, specifically for data sharing and portability and the possibility of reducing gatekeeper platforms. This is specifically so with social-media platforms and also when it comes to insurance contracts and other services.
“Companies will also experience increased user rights when it comes to AI. This could affect businesses such as credit bureaus, insurers, or banks that are using AI to assist with decision making or customer rating. Traditionally, organizations and their digital platforms have seen little concern in using AI on customer data when it comes to their core business processes as with target marketing, for example. This perception is significantly questioned in the new guidance, and organizations should consider new methods to inform customers and to ensure a sustainable operating model.”
McKinsey recommends that businesses review the proposed legislation now to assess what impact it could have on them and their business models, consider necessary changes, and be compliant if the proposed acts become law. Data collection (whether it is necessary to gather personal information on customers) and AI use should also be reviewed, according to the article.