
Le-verdict

News with a Local Lens

GDPR fines are almost never paid, will AI law be different?

Anyone who has worked in a customer-facing role in the last five years or so should be, in one way or another, familiar with the General Data Protection Regulation (GDPR) and how it shapes the way organizations handle customer information. Well, from 2026, a new European regulation – the AI Act – will come into force, and it is worrying some companies.

But it shouldn’t. Or at least, that’s what one data privacy expert says. Speaking at the recent ISACA conference in Dublin, Dr Valerie Lyons – author of The Privacy Leader – shared her thoughts on the new regulations and the changes they could bring.

“I don’t really see much more in the AI law than what the GDPR already provides. The principles are exactly the same, principles of transparency, security and consent,” she said.

It’s the thought that counts

There is significant overlap between the two pieces of legislation, primarily due to the large amount of data stored and processed by AI systems, and because the AI Act uses a very broad definition of artificial intelligence.

GDPR compliance is not an exact science, Lyons explains, and the AI Act is likely to use similar “principles of necessity and proportionality.”

It is important to understand the context and intentions behind the regulation, she noted: “If I think back to the GDPR, Giovanni Buttarelli, who is sort of the father of the GDPR, said that you can adhere to the spirit of the GDPR law, or to the letter of the law. If we follow the letter of the GDPR law, this will never work. You must respect the spirit of the law.”


Who pays?

We hear a lot about companies being handed giant fines for non-compliance with the GDPR, but we’re not getting the whole story, Lyons suggests.

“You know, fines don’t work because in reality no one pays them, so the Treasury doesn’t even get the money,” she says. “I mean, everyone in Europe thinks Ireland should have owed a lot of money, but 1% of the fines (were collected).”

Although the Irish Data Protection Commission has issued fines worth billions of euros, less than 1% of that has actually been collected because of appeal procedures.

Even then, these fines don’t hurt businesses as much as the statistics suggest, and it’s usually the taxpayer who ends up paying the price.

“Who pays for the DPC to go to these courts? The Treasury,” says Lyons.

“So essentially the taxman continues to pay. Tusla, for example, the Irish child protection agency, was fined $75,000 four years ago – they paid the fine and the Treasury ultimately paid that fine too – because it’s a taxpayer-funded government agency,” she told TechRadar Pro.

It seems likely that the AI Act will be regulated by the same organization, the Data Protection Commission, which Lyons describes as having “no power”, suggesting that the lack of oversight could continue with the new regulations.

So what will the AI Act mean for businesses in the coming months as new regulations come in?

Most small businesses are AI deployers (i.e., they deliver AI systems to users), as opposed to distributors or developers.

“Their next step is simple. Do a gap analysis. Using standards such as ISO or NIST will be very helpful in this regard and can provide a structured and solid roadmap for the next steps. Often small businesses complain about the cost, but NIST standards are available for free,” Lyons explained to us.

Complying with the GDPR is already a good first step, so develop an AI policy and implement it – and make sure you organize AI introductory training before February 2025. Make sure to update all ROPA notices, policies and DPIA with the AI system.

“After that, it’s about ensuring that a robust process is in place to monitor the introduction of AI systems into the organization,” Lyons reassured.
