When the European Commission took office in 2019, it announced a digital strategy to support technological development in Europe, in order to stimulate European innovation and preserve our digital sovereignty. At the same time, the new regulations are meant to help ensure that digital technologies are used in line with European standards and the fundamental values we recognize as our own. The Commission clearly believes that trust in technological innovations, and trust in how data is processed, is essential for greater digital innovation.
When designing the new regulatory initiatives, the EU has taken inspiration from one of its most successful regulatory initiatives of recent years, namely the GDPR, and has built the new initiatives according to the same recipe. This column points to a few of the ingredients that give companies which have worked well with the GDPR an advantage when the new regulations have to be met.
Obligation to have an overview of the company’s activities
With the GDPR, it has become mandatory to keep a record of processing activities. This is an overview showing the contexts in which a company uses personal data. In it, the company must describe when, how, why, for how long and on what legal basis the personal data is used. The record of processing activities is at the heart of any company’s compliance work. It is therefore not surprising that in several of the new legal acts the Commission has established comparable requirements for an overview of the circumstances that trigger compliance obligations under the regulations.
Through the Digital Operational Resilience Act (DORA), for example, financial institutions will be required to document all material cyber threats. The Artificial Intelligence Regulation (AI Act) requires you to have an overview of where artificial intelligence is used in the business, its purpose, the risks it entails, and how and with whose data training, validation and testing are carried out: all the knowledge a company needs in order to comply with current regulations.
Cooperation with third parties
The new legal acts also strengthen the requirements on how organizations cooperate with third parties and on the extent to which the organization remains responsible when third parties are used. This includes the responsibility to monitor vendors, business partners and other third parties, such as software and cloud service providers. One example is DORA, which obliges financial companies to enter into contracts with third parties and also sets requirements for the content of those contracts.
It is natural to draw parallels to the GDPR’s regulation of the relationship between controller and processor and its requirements for the content of a data processing agreement. It is therefore time to see the work on data processing agreements and the third-party oversight requirements in the new legal acts in context.
Transparency and information
The requirements of openness and transparency are basic principles of the GDPR and important values in the European social structure. Without transparency, it is difficult for consumers and businesses to exercise the rights and opportunities the regulations offer. Through the Digital Services Act (DSA), “gatekeepers” will be obliged to report annually on content moderation, while the AI Act introduces an obligation to inform people when they are interacting with an algorithm and what that algorithm does.
Internal control
Norwegian companies are familiar with the requirements for internal control and management systems. The GDPR itself has clear obligations regarding the introduction of technical and organizational measures to comply with the regulation.
The Digital Markets Act (DMA) and the DSA both contain detailed rules for the compliance function, while financial institutions covered by DORA are required to have management systems that ensure effective management of ICT-related risks. The AI Act also proposes requirements for sound management systems to ensure high-quality training, validation and test data.
Preparations for the digital decade
Under the slogan “Europe’s digital decade”, we envision a safer, greener and more robust future shaped by Europe’s ambition for digital sovereignty. The EU must invest in opportunities and establish rules to reduce the risks for European citizens. As with the GDPR, it will be difficult to navigate between new rules, technology and organizational challenges.
But if there is one thing we have learned from the introduction of the GDPR, it is that you might as well start sooner rather than later!