CEO of a privacy startup: The year brings significant changes in the field of data protection

28th of January was International Data Protection Day, which reminds us that data protection is a daily responsibility in every company processing personal data. This year, the field of data protection is facing many new challenges that require the attention and adaptation of entrepreneurs, pointed out Krete Paal, the CEO of the Estonian privacy startup GDPR Register.

The requirements of the General Data Protection Regulation (GDPR) are becoming increasingly complex, meaning that companies must have a precise overview at all times of what is being done with data, whether documents are updated, and whether measures to mitigate risks are still appropriate. “Data protection has become a dynamically evolving field, now an integral part of business,” said Krete Paal.

The new direction in data protection is proactive privacy protection, towards which, according to Paal, Estonian companies should also move, as mere compliance is no longer sufficient. “In light of numerous high-profile data breaches and privacy scandals, data protection is no longer just a legal requirement – it has become a business advantage,” emphasized Paal.

Since data protection is not only the responsibility of company leaders or data protection specialists but all employees, increasing awareness in the company and training employees remain crucial. “This is particularly important when the responsibility for ensuring data protection compliance is shared among different people or when contact persons change. Team collaboration, such as between data protection and information security teams, understanding each other’s work and cooperating, is also important. Pooling resources helps to prevent many common problems,” advised the head of the privacy startup.

Depending on the stage of development of its privacy program, a company is advised to focus on optimizing internal organization and work processes, which is especially relevant given budget constraints and limited resources. In data protection terms this is ‘privacy by design,’ which becomes more central in 2024 due to the development of smart solutions, technologies, and consumer expectations.

“Companies should assess whether goals can be achieved without involving third parties or redesign processes so that information is collected in a structured and minimal manner,” said Paal. This is also the focus of GDPR Register, helping companies ensure data protection compliance as simply and cost-effectively as possible, optimizing repetitive activities. “The more complex data protection becomes, the simpler the solutions for managing it must be,” advised Krete Paal.

Adapting to global changes

Estonian entrepreneurs should keep an eye on global changes in the field of data protection. The upcoming European Union NIS2 Directive and Cyber Resilience Regulation establish stricter standards for cybersecurity and set reporting deadlines for breaches. “This year, the enforcement of cybersecurity regulations will compel companies to be more transparent about their breaches and attacks. Companies in affected sectors should follow developments, as these will become mandatory over the course of this year,” said Krete Paal.

Additionally, experts predict that IT security attacks using artificial intelligence will become more complex and automated. Therefore, companies must regularly review their security measures to ensure they match current risk profiles.

Development in case law

Last year, the European Court made significant decisions in the field of data protection. “This year, we expect a series of important court decisions that will impact the future of data protection. Staying informed about case law is becoming increasingly critical,” stressed Paal.

If time is limited and there are many topics, a company can use the service of an external data protection specialist or subscribe to data protection newsletters, such as the International Association of Privacy Professionals’ Daily Dashboard, which covers data protection developments.

The GDPR Register, created by an Estonian startup and developed in cooperation with IT experts, makes complying with GDPR requirements simple and logical, helping companies and institutions efficiently manage processes, operations, and documents associated with GDPR regulation.