Data Privacy as a Driver of Governance, Risk and Compliance

Governments around the world are more inclined than ever to move fast on data regulations in the face of emerging technologies. In the past five years, countries accounting for over half the global population have passed comprehensive data protection laws. 

While these new privacy mandates should act as guides to approach governance, risk and compliance (GRC), organizations cannot view them as a minimum threshold to meet compliance requirements. Organizations must be able to anticipate how data regulations will evolve in the near future and adapt their GRC initiatives to factor in major shifts in the privacy landscape, so they can position themselves ahead of the curve as the public becomes more and more aware of data privacy laws and initiatives.

Here are the present and upcoming drivers of privacy.

New Regulations: The Domino Effect

California’s new proposal for regulation on automated decision-making technology (ADMT) and the European Union AI Act are just the first dominos to fall around artificial intelligence regulation. Considering the copy-and-adjust pattern states have taken in passing data privacy legislation, once the first state passes AI regulation, a model will be there for others to quickly follow. Given that data privacy is a core tenet of AI governance, part of the foundation for a run of state-level laws is already in place. 

Mine CEO Gal Ringel: Seize opportunities beyond literal compliance.

This is not just posturing. The Federal Trade Commission’s December action against Rite Aid over its use of facial scanning technology shows the risks of AI are being taken seriously, mirroring the risk-based approach the EU is taking. How enforcement works out remains to be seen, but getting regulation on the books is the first step, and it’s happening with overwhelming public support, as up to 85% of Americans in surveys favor regulation to ensure AI is safe and secure.

How do people feel about Meta after years of criticism over data misuse and data sales to third parties? How is 23andMe to be trusted after its late 2023 data breach? With the value of data and the vast public support for data privacy, opening organizations to unnecessary risk is unacceptable.

For companies that prioritize the management of privacy risk and compliance, trust and brand loyalty will follow. It’s no accident that Apple ran a 2019 marketing campaign on the theme “privacy matters.”

Proactive vs. Reactive

Whereas IT has traditionally been the GRC taskmasters, called upon to remediate problems and locate data in needle-and-haystack situations, they have not traditionally been looped into ongoing risk and compliance operations. That disconnect led to an untold amount of doomed-to-fail privacy programs. For companies that fail to prioritize compliance or, worse, view it as adversarial to business interests, GRC operations will always be reactive, and thus doomed to fail. 

The EU’s General Data Protection Regulation (GDPR) was the first legislation to include requirements like data minimization – collecting as little data as is needed to complete specified business processes – and privacy by design. More and more privacy laws mandate that companies only use data for the intended purpose of the collection.

With most major global economies now having some data protection and privacy laws in effect, the days of willfully collecting loads of data are over, and companies must adjust their operations to treat privacy proactively rather than a tick on a checklist if regulators come calling.

AI risk impacts compliance and innovation. Compliance may not seem advantageous on initial inquiry, but given the near universal support for data rights and people owning their data, a world of opportunity exists for companies that embrace data privacy. With the AI boom, that faith in privacy will pay off even more, as new public concerns and new compliance challenges enter the GRC sphere. 

Safety and Transparency

Work on AI regulations is already underway, so we should see progress across the spectrum in 2024.

From the regulatory starting point, it will be important to monitor technological innovation and ask customers how they want to see your product evolve to keep pace with the GRC challenges AI innovation brings. The first few generative AI uses unveiled to the public, such as ChatGPT, needed enormous amounts of data to be trained, violating every aspect of data privacy that has arisen since the passing of the GDPR in 2016. Future AI innovation will need to reckon with that so innovation is driven by safe data usage, rather than merely robust data usage.

This will often require companies to use AI safely, transparently and, most notably, like a scalpel to tackle specific tasks – like vendor risk assessments and data discovery in the world of GRC – to succeed with fewer resources and more buy-in from other departments. 

We’ve already seen this happening in the compliance sphere, as the companies with the most momentum are those that are innovating GRC solutions with machine learning and AI to enable GRC success and organizational buy-in. That equates to tools that are complex under the hood but simple enough that anyone can understand what is going on even without regulatory knowledge. 

Leadership Sets the Tone

The innovation means the very technologies that will pose new challenges to GRC teams will also be the keys to success. 

For GRC strategy to inform overall enterprise goals, organizations first need leadership to align and assign it prioritization. Leadership championing privacy and related causes sets the tone for the rest of the organization and puts in place ROI drivers like brand reputation, R&D, IT, etc., so GRC will advance across the enterprise with more bottom-line visibility.

Compliance might still seem perfunctory, particularly when an organization is facing various and differing laws across jurisdictions, but if those values are not communicated through every department – product design, development, customer support, marketing, and sales – the end product will reflect that disconnect. 

Any organization reprioritizing compliance in 2024 will find that not every employee needs to know specific regulations, but everyone needs to be aware of the intangibles of proper data privacy and governance, which will help inform teams as they interact more often and meaningfully with compliance objectives.

Gal Ringel is co-founder and CEO of Mine, a pioneer and global leader in data privacy and governance management. He has worked for years to empower individuals and enterprises with robust data privacy solutions that address the complexities of data governance in a rapidly changing regulatory environment.