For data protection this is the start, not the end, of the journey

May 25, 2018, has been etched in the minds of most privacy officers as the deadline for coming into compliance with the European Union’s General Data Protection Regulation (GDPR). It’s like anticipating the end of a marathon: get all your systems compliant by the deadline, or face potentially severe consequences. Yet today is more like the end of mile one of the race. It marks the beginning of a new phase of determining how to enable both innovative uses of data and strong protection for individuals.

GDPR is not just a set of regulations and requirements. It’s a recognition of how critical the fundamental right to privacy is for individuals to trust their engagement with new technologies, and existing technologies, for that matter. Individuals are beginning to realize the huge impact technology has on their lives — a source of pride for American technological innovation but also a big responsibility.

{mosads}For individuals to benefit from innovations such as life-enhancing and potentially life-saving uses of artificial intelligence, for example, they must believe their personal information will be treated securely and responsibly. GDPR gives American and other businesses a roadmap for making those kind of assurances — which they would probably have to make even without GDPR.

For industry, GDPR offers attributes that businesses asked for and received: robust, harmonized and predictable enforcement of flexible rules that can apply to future technology, society and business changes. Robust enforcement will decrease the instances of free riders who choose to ignore the rules. Harmonized enforcement will allow innovators to design to a common set of standards, rather than having to guess what might or might not be acceptable in different jurisdictions. Finally, predictability is critical to allowing for increased investment in data innovation that ultimately will benefit society.

Industry wants predictability but also flexibility so that as technology and business models change, the law still applies. The drafters of the regulation did a remarkably good job on this front. Now, the onus is on the EU Data Protection Board to demonstrate that GDPR enforcement is harmonized and predictable.

This is just the start of the journey, however. While GDPR offers great improvement over existing EU processes, there are areas that need further development. As we move forward on this path, the following will be critical:

• Better understanding of how GDPR provisions on automated decision-making will impact the use of data to train artificial intelligence tools that have potential for great social progress. Some algorithms, for example, allow a human to intervene and explain how a certain decision was made about an individual; many, however, do not. The regulation’s so-called “right to explanation” is a bit murky and needs clarifying.

• The creation of a model that provides for predictable rules on international data transfer that are applied evenly to all countries.

• More understanding of when a fine of 4 percent of global turnover could be applied, so we avoid the unintended consequence of companies not being willing to launch new data services in Europe.

GDPR is a tremendous achievement. We have not crossed a finish line, and instead we should mark today as having a much clearer course of the race to continue running. We can celebrate  new privacy protection for individuals, and urge all stakeholders to work together to create guidance on how to implement the rules.

For my fellow privacy officers, we have been given new mechanisms to design privacy into products and services. Whether it is GDPR expectations of data portability, the need for privacy impact assessments, or the appointment of European data protection officers, these requirements also can be tools we use to deliver trust. It is time to stop at the hydration station, enjoy an energy bar and then resume the race.

David A. Hoffman is associate general counsel and global privacy officer at Intel Corporation. In 1999, he founded Intel’s privacy team. He is a senior lecturing fellow at his alma mater, the Duke University School of Law.