How companies should prepare for the EU AI Act and DORA

Two new EU regulations are currently keeping UK companies busy: the Digital Operational Resilience Act (DORA), which entered into force in January 2023 and applies from 17 January 2025, and the Artificial Intelligence Act (AI Act), which the Council of the EU formally adopted in May 2024.

DORA regulates ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk and information sharing in the financial sector and applies from 17 January 2025. The AI Act applies in stages: its prohibitions on certain AI practices apply first, from February 2025, with most remaining obligations following over the subsequent two years. Neither act stops at the EU border: DORA reaches UK firms that act as ICT service providers to EU financial entities, and the AI Act reaches any provider or deployer that places an AI system on the EU market or whose system's output is used in the EU. UK companies in scope are actually well prepared to implement the regulations, provided they learn from the past.

Do you remember the year 2018? That was when the EU General Data Protection Regulation (GDPR) became applicable. Many UK companies had to fundamentally revise their data protection and compliance strategies in order to fulfil its strict requirements. Now, with the EU AI Act and DORA, two further regulations of similar scope are about to kick in. The goal of the European Union's digital strategy remains the same: to address the most urgent challenges in the digital market while preserving the fundamental rights of the individual in the digital age.

The legal foundations established by the AI Act offer the opportunity for the responsible, transparent and ethical development and use of AI. DORA seeks to protect financial entities, and through them the stability of the entire financial sector and its users, from ICT-related risks such as cyber threats. Nevertheless, for many managers, implementation may feel more like a chore. They can, however, use their experience from the introduction of the GDPR to prepare proactively. Lessons learnt from that implementation can help them meet the new compliance requirements while protecting the interests of consumers as well as possible. Data protection compliance does not cover all the substantive expectations of the new legislation (GDPR is concerned only with personal data, whereas DORA covers every ICT asset that supports a business function and the AI Act covers training, validation and test data whether or not it is personal), but these four key learnings from the GDPR implementation still help today:

1: Develop a deep understanding of company data

A key aspect of the GDPR was that companies had to thoroughly analyse their internal data pools. They had to establish what personal data they collect in the first place. Where does it come from? How is it processed and stored? Only those who were able to answer these questions comprehensively, and then act on the answers, were able to comply with the regulation. The AI Act and DORA have similar requirements. For a high-risk AI system to be transparent, secure and ethical, the provider must document the origin, collection and preparation of the training, validation and test data in its technical documentation. In the financial sector, DORA turns the inventory into an explicit obligation: financial entities must identify and classify their ICT-supported business functions, the information and ICT assets that support them, and their dependencies on ICT third-party providers, and keep those inventories up to date. The practical check is whether your GDPR record of processing can be extended into an asset register that also lists systems holding no personal data, since those are exactly the assets GDPR mapping tends to miss. Companies that established comprehensive data and risk management frameworks during GDPR implementation can transfer these structures and processes to the requirements of the AI Act and DORA, and manage the new compliance requirements far more efficiently and cost-effectively as a result.

2: Review your contractual relationships

In order to comply with data protection requirements, companies had to adapt their processor and joint-controller agreements to the rules of the GDPR. Similar obligations now arise from the AI Act and DORA. Organisations are required to carefully review and update their contractual relationships: DORA prescribes minimum content for contracts with ICT third-party providers, including a clear description of the services, the locations where data is processed, assistance during ICT incidents, audit and access rights for the entity and its supervisors, termination rights and exit strategies, and requires every such contract to be recorded in a register of information that the supervisor can request. The AI Act allocates obligations along the value chain, so contracts between providers, importers, distributors and deployers must state who supplies the technical documentation, who monitors the system after deployment and who reports serious incidents. Those who have already gone through this process as part of the GDPR can benefit from the experience gained: they are familiar with the necessary contractual clauses and review steps and can apply them to the requirements of the AI Act and DORA, saving valuable time and resources. One caveat: a GDPR data processing agreement covers personal data only, so the DORA provisions must be added to contracts for services that process no personal data at all, such as market data feeds or hosting for trading engines.

3: Rely on robust security measures

The GDPR also obliged organisations to thoroughly review the security level of their data processing and upgrade it where necessary. For cloud-based solutions in particular, many organisations had to significantly tighten their security measures. The AI Act and DORA also place great emphasis on IT security. Financial entities must protect their systems and critical ICT assets against cyberattacks and other threats in a way that is proportionate to their size and risk profile. Under DORA this means maintaining a documented ICT risk management framework, running a digital operational resilience testing programme (with threat-led penetration testing at least every three years for entities designated by their supervisor), and classifying and reporting major ICT-related incidents to the competent authority within tight deadlines. The AI Act adds requirements that are specific to machine learning: high-risk AI systems must be resilient against attempts to manipulate the training data set (data poisoning), the pre-trained components (model poisoning) and the model's inputs (adversarial examples or model evasion), and against attacks on the confidentiality of the model. Organisations that developed robust security concepts as part of the GDPR implementation can adapt them to the new requirements, exploit the overlap and significantly reduce the cost of implementation, while concentrating effort on the residual gaps, which will typically be the resilience testing programme, the incident classification and reporting process, and the model-specific threats that conventional application security testing does not cover.

4: Consistently train your staff

A decisive factor for the success of the GDPR was the data protection awareness and expertise of employees. Companies could only fulfil the strict requirements if all employees understood the compliance requirements and applied them in their day-to-day work. The same applies to the AI Act and DORA today. DORA requires financial entities to run ICT security awareness programmes and digital operational resilience training for all staff, including the management body, and the AI Act requires providers and deployers to ensure a sufficient level of AI literacy among the people who operate and use AI systems on their behalf. Targeted training of this kind is how organisations ensure that AI systems are used ethically and that staff remain resilient to the new cyber risks. Those who set up extensive training programmes as part of the GDPR introduction can now align them with the new compliance requirements.

Using your GDPR experience for the AI Act and DORA

Companies that learnt from the implementation of the GDPR can now draw on that knowledge to overcome the new compliance challenges. Under the AI Act and DORA it is just as essential to fully understand the data and systems being processed, review contractual relationships, maintain a strong and tested infrastructure and continuously train employees. This is not a silver bullet, but it allows managers to save time, effort and resources while remaining accountable. At the same time, they protect the interests of their customers. This strategic foresight turns compliance from a mandatory exercise into a clear competitive advantage.


About The Author

Mario Tavares Moyron is Senior Corporate Counsel & EU Data Protection Officer at Genesys. Genesys empowers more than 8,000 organizations in over 100 countries to improve loyalty and business outcomes by creating the best experiences for customers and employees. Through Genesys Cloud, the #1 AI-powered experience orchestration platform, Genesys delivers the future of CX to organizations of all sizes so they can provide empathetic, personalized experiences at scale. Visit www.genesys.com.