GDPR 4 Years: Through The Eyes of a Privacy Tech Startup

25. May 2022

On May 25, 2018, the GDPR came into effect. It is a ground-breaking regulation in the field of data protection. It enhanced the standards of data protection regulations, raised awareness of privacy protection in the EU, and triggered the birth of data protection regulations in many other countries. 

In 2017, brighter AI was founded. Since the founding of our young company, we have been developing and optimizing our anonymization solutions, so that personal data can be used for machine learning and AI innovation while respecting the data subjects’ privacy. 

Our company history closely coincides with the implementation and execution of the GDPR. As an anonymization solution provider, in our business operations, we noticed a few trends and challenges many businesses and organizations encounter while trying to comply with the GDPR.

Being GDPR-compliant Is a Priority for Many Organizations

Four years after the GDPR took effect, we are glad to see that being GDPR-compliant has become many organizations’ priority. 

In 2021, 60% of businesses surveyed expected an increase in their privacy budget in the next 12 months, based on an average privacy budget of 873,000 USD. In a self-assessment, 20% of the businesses investigated rated themselves as fully GDPR compliant, and 43% rated themselves as very compliant [1]. At the same time, companies that failed to comply with the GDPR received enormous fines. For example, in 2021 Amazon received the biggest GDPR fine to date, 746 million euros. By May 2022, over a billion euros in fines had been issued. The increasing number reminds businesses of the importance of being GDPR compliant, as well as of the financial and reputational damage they will face [2].

 

The Challenges on the Way to Being GDPR-compliant

Cross-border Data Transfer & Changing International Data Protection Legislation

Recently, there has been an increased demand for data protection regulation-compliant data transfer. Under the GDPR, data transfer refers to the “transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization”. A GDPR-compliant data transfer should satisfy one of the following conditions:

  • The EU Commission has issued an adequacy decision
  • The transfer is subject to appropriate safeguards
  • The transfer meets the requirements of an approved code of conduct pursuant to Article 40
  • The transfer meets the requirements of an approved certification mechanism pursuant to Article 42

Data transfer to the USA, the EU’s second-largest trade partner, was relatively hassle-free before 2020 because of the EU-US Data Protection Shield. In 2020, Schrems II came into effect: the Shield was ruled invalid by the Court of Justice of the European Union (CJEU). Under the new law, data transfer across the Atlantic requires transfer impact assessments and potentially additional organizational and technical measures. The EU and the US have recently been looking for ways to facilitate data transfer. Still, analysts, for example the multinational law firm DLA Piper, predicted that “data transfer will continue to be an enforcement priority for regulators and a compliance priority for regulated organizations”.

In November 2021, China’s Personal Information Protection Law (PIPL) took effect, posing data collection and processing challenges for many international organizations operating in China. Under the PIPL, processing entities that plan to transfer personal information outside China need to follow strict regulations. The new Chinese data protection law has consequently made transferring data out of China challenging and complicated.

For companies with offices in the EU, the US, and/or China, data anonymization is a method to ease the process and mitigate the risks, as anonymized data is generally not subject to the GDPR, the CCPA (where it is referred to as “de-identified data”), or the PIPL.

Visual Data Collection & Processing for AI Innovation

In recent years, public data collection has been a heated topic. However, it might be surprising to find out how many surveillance cameras are around us. For many, cameras may be an upsetting presence that peeks into individuals’ privacy. On the other hand, for businesses and research organizations, cameras are the most powerful sensor for use cases such as autonomous driving, intelligent retail, and smart cities. The visual data they record empowers advanced analytics and machine learning.

Anonymization is one of the methods to solve the dilemma. Therefore, businesses and organizations put time and effort into making sure their anonymized data is GDPR-compliant. Some companies and organizations try to anonymize data manually, but find it tedious and extremely time-consuming. Some try to build anonymization solutions from scratch, but soon notice that the algorithm is too complex and takes a lot of human effort without a guarantee of success.

For businesses and organizations that need accurate, high-quality data for advanced analysis and machine learning model development, traditional anonymization solutions such as pixelation and black barring are no longer satisfactory, as they destroy the accuracy and integrity of the original data. Therefore, brighter AI has developed Deep Natural Anonymization, which empowers companies to protect people’s identities when using such data for advanced analytics and machine learning.

To sum up, being GDPR-compliant is already a necessity for all businesses and organizations operating in the EU. The GDPR is legislation that has restrictions on many fields, but it is not a blocker of technological innovation. A correct solution can put a full stop to the trade-off between privacy protection, smart video analytics, and machine learning development. If you think our anonymization solution can help you break that barrier, feel free to read how our product helped our clients or contact us for more information.

[1] IAPP & EY; “IAPP-EY Annual Privacy Governance Report 2021”; 2021-10

[2] Enforcementtracker; “Statistics: Fines imposed over time”; 2022-05

Xinzhuo Xiao
Marketing & Communication
xinzhuo.xiao@brighter.ai