The following is an article by Lead Associate Alexia Valenzia and Junior Associate Veronica Campbell published in the 8th Edition of the ELSA Malta Law Review. The ELSA Malta Law Review seeks to give a legal analysis on the dynamic world of law and the updates and amendments that occur continuously. Copies may be purchased through: https://mt.elsa.org/shop/products/elsa-malta-review--edition-viii
1. The ever-changing data landscape
As research and statistical data continue to demonstrate, the volume of data being generated worldwide each day is increasing at a rapid speed. For example, while there was a global data volume of 33 zettabytes in 2018, it is predicted that this number will rise to 175 zettabytes by 2025.[1] A zettabyte is equal to a trillion gigabytes, meaning that if these amounts of data were to be stored on tablets that can hold 520 GB each, a tower reaching to the moon and back five times could be built.[2] However, it is not only the amount of data being generated that is on the increase, but also its value and importance. The European Commission estimates that the EU’s data economy will be worth €829 billion in 2025.[3] Data is no longer produced as a simple by-product of transactions and interactions, but rather has become an asset for businesses which, if harnessed appropriately, can be compared to an actual currency, at least in terms of its value.
For companies, there are many possibilities to use data as an asset, including using data for customer profiling purposes with a view to giving their customers tailored ads and recommendations. By way of example, Amazon keeps track of what customers search for, which products they buy and what reviews they write through the collection of online cookies[4]. On the basis of this information, Amazon then builds profiles of its customers and compares them to each other. This allows Amazon to give customers recommendations based on products that other customers with similar interests have bought.[5]
On a larger scale, data can be used not only to profile a single person but, more significantly, to predict the market and demand. For example, it is generally recognised that Netflix has leveraged data extensively in order to produce original content which addresses content gaps and genres with high demand.[6] Netflix has also conducted testing for different promotional material in order to identify which combinations of material resonate best with viewers, following which marketing campaigns are modelled accordingly to ensure maximum impact.[7]
Data can also be shared across different companies to further unlock the potential of its use. For instance, Airbus has launched an open aviation platform called Skywise which tracks and gathers data from Airbus clients on aircraft in operation.[8] Airbus and equipment manufacturers can then use this data to make improvements and increase efficiency.[9]
However, even though data can be regarded as a business asset in many ways, approximately 80% of industrial data currently remains unused.[10] Reasons may be of a technological or economical nature, as well as possibly relating to the labyrinth of legislation and regulations which need to be navigated.
This article gives an overview of the existing and upcoming legislation pertaining to data (including personal data) and offers guidance on the manner in which the legislation can be navigated by businesses. The author ultimately argues that, if approached correctly, compliance with data legislation could help increase the value of data for a company and produce positive results for its businesses, such as increased efficiency and customer engagement.
2. Data as an Asset
As stated earlier, data is no longer viewed as a by-product but has rather developed into a currency in and of itself. Much like traditional money, it holds value and can be exchanged. On a daily basis, data is used for barter trades, whereby data is offered in exchange for digital services.[11] Moreover, in some instances where products are being bought with money, customers may have the option to receive a discount when giving specific data to the seller company.[12]
However, data is not only an asset for the purpose of barter trades; it also presents an opportunity for monetization. The most direct way to generate monetary value from data would be to sell it to a third party, unless this is prohibited by law. Alternatively, data can be used to cut costs and increase profit through data profiling. If done properly, the collection of data allows companies to learn and evaluate their customers’ interests and tailor their marketing practices accordingly to engage the customer. The process of developing marketing strategies has therefore been facilitated by means of data analysis, allowing companies to simultaneously save on marketing costs and increase customer engagement. Indeed, profits are then increased by achieving higher sales rates, as studies find that 91% of customers are more likely to shop at brands that offer more personalized recommendations.[13]
Customer satisfaction can also be improved by introducing faster delivery, increasing efficiency and decreasing product shortages, all of which can be achieved by using data for demand sensing[14]. This entails businesses sorting through their historical data on customers’ interests. In a similar fashion to the aforementioned strategy adopted by Netflix, the historical data can then be used to foresee what customers will buy in the future, giving companies an estimate as to the amount of product they need in stock. This enables faster delivery due to fewer shortages, while also giving companies the ability to avoid overstocking, which in turn leads to a decrease in costs.[15]
In the author’s experience, the legal frameworks which typically cause most concern from a compliance and implementation point of view are those relating to the collection and use of personal data and the security and sharing of data more generally. It is therefore important to understand the basic principles surrounding these frameworks so that companies can adhere to them correctly and as seamlessly as possible.
3. Data Regulation: Setting the Scene
From a legal perspective, the European Strategy for Data (the “Data Strategy”) is a focal point in terms of identifying the EU’s vision of data management in the future[16]. The Data Strategy’s main aim is that of creating the possibility of a free flow of data within the EU while also maintaining European values and respecting fundamental rights, including the right to privacy and data protection[17]. The first regulation is the European Data Governance Act (the “DGA”)[18], which became applicable in September 2023. The DGA establishes conditions for the re-use of data (not necessarily personal data) being held by public-sector bodies. It does not create an obligation to allow the re-use of data but instead lays down a framework that applies if the re-use is allowed. Member states will now need to ensure that they are technically equipped to respect the privacy and confidentiality of data in the context of its re-use. This entails the implementation of technical measures, such as anonymisation and pseudonymisation of data, as well as contractual measures, such as confidentiality agreements governing the sharing and re-use of data. In order to further facilitate the re-use of data, the DGA requires public-sector bodies to assist potential re-users in seeking the consent of individuals for the re-use of their personal data or permission from data holders whose rights and interests may be affected by such re-use.
The DGA also aims to promote data altruism, meaning the voluntary sharing of generated data, by creating more trustworthy data sharing systems. The DGA recognises the key role of providers of data sharing services in the data economy, and includes measures to ensure that data intermediaries function as trustworthy organisers of data sharing. The DGA also introduces measures facilitating the reuse of certain public-sector data that cannot be made available as open data, such as health data being reused for medical research.
The second regulation introduced through the Data Strategy is the Data Act, which very recently entered into force and is set to become applicable in September 2025.[19] The Data Act is meant to complement the DGA by regulating the manner and conditions under which value can be generated from data, so as to ensure a fair distribution of the value of data. The ultimate aim is to make more data available for the benefit of companies, individuals and public administrations. New rules regulate the transfer of valuable data between data holders and data users while safeguarding its confidentiality, thereby incentivising participation in the data economy. With particular reference to data sharing, the European Commission will develop and recommend non-binding model contractual terms for data sharing agreements, with a view to ensuring that weaker market players (particularly SMEs) are not subjected to unfair terms by stronger market players. The Data Act is also intended to particularly unlock the EU cloud market by facilitating the process for customers to switch between different providers of data-processing services, and increasing data interoperability.
Finally, the Digital Markets Act (the “DMA”), which became applicable as of May 2023, also concerns data protection in the context of data being used by gatekeepers.[20] Gatekeepers are defined as providers of core platform services, and it is the European Commission which determines which companies are being categorized as gatekeepers, depending on whether they fulfil certain requirements. As of February 2024, the Commission has designated Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft as gatekeepers. These entities now face new obligations, including allowing their business users to access the data they generate through their use of these entities’ platforms. The DMA also imposes limitations on gatekeepers, prohibiting them from cross-using users’ data. This means that gatekeepers cannot process data generated on one platform on another platform, nor can they combine data collected from different platforms.
Within the EU, personal data protection is mainly regulated by the General Data Protection Regulation (the “GDPR”)[21], which has impacted data management by reinforcing obligations and principles which companies must abide by when handling personal data. In this context, personal data means any kind of data that could be used to identify a natural person. Under the GDPR, companies are obliged to process data lawfully, fairly and transparently, by providing a clear explanation to data subjects as to the processing of their personal data. Moreover, the scope of data processing must be limited, meaning that the data must be collected and processed to serve a specific purpose, and therefore cannot be collected and retained indefinitely just in case the company might need the information later. Similarly, the principle of data minimisation requires that only the data necessary for the specific purpose be collected. The data being kept must be accurate; if it is not, it must either be erased or rectified. Another GDPR principle is storage limitation, whereby data cannot be kept longer than necessary for the purpose of the data processing. Lastly, maintaining the integrity and confidentiality of personal data is crucial, and companies must take steps to ensure that the data is kept secure and protected from accidental loss, corruption or unauthorised use.
While the legislation on personal data has many different objectives, it is primarily intended to balance two different interests that inherently conflict with each other. On one hand, natural persons have a right to privacy and to the protection and security of their data - they should be in control of the use of their data and should be able to decide whether it is shared, with whom, and in which context. On the other hand, entities need to collect personal data to satisfy their commercial objectives.
Individuals’ interests typically conflict with economic interests because unlocking the full potential and value of data naturally requires companies to exploit it in some shape or form. As mentioned earlier, the collection of data can generally help businesses forecast the market and the consumer’s demand, tailor their advertising practices, identify space for improvement, fuel innovation, and facilitate and organise internal processes. To do so, they need to collect, analyse and store the data they generate. The role of data legislation is to solve the conflict by creating a fair balance between individual and economic interests.
4. Personal Data Collection and Privacy
The first step to unlocking the potential of data is, of course, its collection, and this processing activity is subject to the GDPR whenever personal data is involved. The GDPR applies to any organisation, regardless of its location, that processes the personal data of EU residents or that offers goods and services within the EU. Under the GDPR, personal data encompasses a wide range of information, including names, addresses and even online identifiers such as IP addresses. While compliance with the GDPR may at times prove costly and time-consuming, it fosters trust in companies and can therefore indirectly produce positive results for business. Indeed, a study conducted by Check Point indicates that 74% of business owners claimed that the GDPR had a positive impact on customers’ trust.[22] The GDPR sets out and follows seven main principles, which were touched upon in section III of this publication. The sections below shall now expand on these principles and discuss the manner in which compliance therewith can prove beneficial to companies.
a. Lawfulness, transparency and fairness of data processing
The first principle relates to the lawfulness, fairness, and transparency of data processing. Lawfulness means that there must be a legal basis for processing data, without which the processing would be prohibited. The GDPR sets out six lawful bases for the processing of personal data. Perhaps the most discussed lawful basis is reliance on the data subject’s consent. In order for consent to be a valid legal basis under the GDPR, several requirements must be met.
Firstly, the consent must be given freely, meaning that it would not be valid if the data subject did not have an actual choice to consent or was faced with consequences in case of refusal to consent. Moreover, if pressure or influence prevents the data subject from exercising their free will, or if an imbalance of power exists between the data subject and the entity requesting the consent, consent will likewise be impaired.[23] Secondly, consent must be unambiguous, that is, it must be clearly expressed by the data subject. This means that consent must be obtained by means of an opt-in system, whereby the data subject performs a clear affirmative action indicating their consent. Opt-out systems where the data subject is automatically presumed to have given their consent are insufficient and fall short of meeting GDPR requirements.[24]
In order to prevent the exploitation of consent by blurring the purposes of the data processing involved, consent must also be specific, so that the data subject is fully aware of the manner in which their personal data will be used. In the event of multiple purposes, consent must be acquired for each purpose separately, allowing the data subject to consent to the processing for some purposes but deny it for others.[25] Tied to specificity is the requirement of informed consent. The entity requesting consent is obliged to share, for example, the purpose of processing and the type of data that are collected and used, typically by means of a privacy notice. This information must be provided in a way that allows an average person to understand the content, meaning that long privacy notices written in difficult language do not lend themselves to valid consent.[26]
The requirement of informed consent is only one of the effects of the transparency principle. Aside from the information obligations, the data subjects have a number of rights in relation to their personal data, including the right to access and rectify such data, as well as the right to data portability.
Lastly, the principle of fairness dictates that personal data should not be processed in a way that would be unexpected for the data subject. Additionally, data subjects have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them.
The principle of lawfulness, transparency and fairness is intended to give people control over their personal data, allowing them to make informed choices about who they give their data to and how the data is used. A business that complies with the GDPR’s obligations can demonstrate to customers that it respects their privacy. At a time when people are more aware than ever of data protection, privacy, and the related risks, GDPR compliance can prove to be a significant advantage for companies vis-à-vis customer engagement.[27] The transparency principle has the potential to increase customer trust and consequently improve sales, as 85% of respondents to a survey carried out by McKinsey & Company in 2022 felt that it is important to know about a company’s privacy policy before making a purchase.[28]
The trust that is created from transparency leads to increased loyalty and therefore to long-term retention of customers and an increase in profits. A good reputation will also secure a wider engagement of new customers, thereby further contributing to revenue. On the other hand, if a company is not transparent about its data processing practices or is found lacking in its compliance with data protection obligations, consumers may quickly grow distrustful, with at least 53% of customers in the aforementioned survey stating that this would cause them to stop procuring products or services from a company.[29]
b. Purpose limitation, data minimisation and storage limitation
By implementing the principle of purpose limitation, the GDPR aims to ensure that data is only collected for purposes that have been specified beforehand and cannot be used for an incompatible or even unrelated purpose. Similarly, data minimization means that only the personal data that is needed to serve the purpose should be collected. Any data that is irrelevant to the purpose and does not further it must not be collected or retained. Lastly, the principle of storage limitation dictates that personal data is kept for the shortest time possible.
Ensuring compliance with the above-mentioned principles forces companies to actively sort through the data they have and the data they are generating, thereby forming an inventory. This gives companies the possibility to gain a better overview of the data being processed, which, in turn, leads to better data management and data intelligence.[30] Sorting through data will also result in finding data that can no longer be used, has become obsolete or is redundant. By disposing of this data, companies can decrease the costs of processing and storing it unnecessarily.[31]
Moreover, if unnecessary data has been deleted and only lawfully collected data remains, a database emerges that relates only to customers with a genuine interest in the company’s products and services, giving companies the ability to cut marketing costs by using tailored advertisements and marketing practices.[32] In addition, having a database of genuinely interested customers is also valuable in a wider context, as it allows companies to detect and follow trends and upcoming interests and needs, letting them predict the future market and demand.[33]
c. Confidentiality and integrity of personal data
The GDPR imposes stringent obligations on companies that process or control personal data to implement appropriate technical and organisational measures to safeguard against unauthorised access, disclosure, alteration and destruction of data. The GDPR also emphasises the principle of “privacy by design and by default”, requiring entities to integrate data protection measures into their systems and processes from the outset.
While compliance with this principle may appear somewhat daunting and burdensome, this proactive approach helps identify and address potential privacy risks before they materialise into significant issues. The principle also requires companies to limit data collection, thereby allowing companies to remain more organised and reduce the risk of data breaches. By prioritising privacy from the start, companies will also demonstrate their commitment to respecting the privacy of individuals, which leads to enhanced customer trust and reinforces a positive brand image. Finally, integrating privacy measures early in the development process is often more cost-effective than attempting to implement such measures retroactively. Companies can save resources by limiting the need for extensive replanning or redesigns, as well as avoiding legal repercussions resulting from non-compliance with data privacy regulations.
5. Data Security and protection
a. The importance of data security
Once data has been generated and processed, another obligation arises for companies: the safekeeping of their customers’ data. To protect the processed data, businesses need to make sure that they have sufficient cybersecurity protocols and data protection measures in place to prevent data breaches. These measures might be expensive and require time and effort to implement, but data security should be a top priority for companies for several reasons.
The first of these reasons is customer trust. Due to extensive media coverage, people are becoming more aware of the risks connected to a data breach. A customer’s concern is to ensure that its personal data is in good hands. This means that when customers entrust a company with their data, they have an expectation that the company will take appropriate measures to ensure the security of that data.[34] If a business manages to achieve this goal, it will earn customers’ trust, with a survey conducted by Salesforce indicating that 84% of people are more loyal to a company that has a reputation for protecting customers’ data.[35] Conversely, in the event of a data breach, customers may abandon the affected company and purchase services and goods from a competitor.[36]
Data security is not only relevant for the existing customer base but also for possible future customers, as 53% of customers first make sure that the company has a reputation for keeping data safe before making a purchase, as demonstrated in a survey carried out by McKinsey & Company.[37] This means that a data breach will not only adversely affect the existing customer base, but the damage to the company’s reputation will also adversely impact new customer engagement.
Another reason to ensure data security is that it is a necessity for compliance with certain legislation. With various EU laws on the topic of data security, a data breach has the potential to not only affect a company’s reputation but also prove expensive as a result of penalties. For example, British Airways was fined a sum of £20 million under the GDPR after it suffered a data breach in 2018 in which the information of more than 400,000 customers had been stolen.[38]
b. Legislation on Data Security
The main legislation concerning the security of personal data is the GDPR. However, the topic of broader data security is tackled in several other EU laws.
While the Cybersecurity Act mainly strengthens the European Union Agency for Cybersecurity (ENISA), it also introduced a framework for cybersecurity certification, with a view to increasing the cybersecurity standard.[39] The certification scheme should especially achieve objectives such as the protection of data against unlawful storage, processing, or disclosure. The framework offers the benefit of a singular certification which is valid across the EU, which will facilitate the process of having companies be recognised for their cybersecurity measures, and therefore have a positive impact on their EU-wide reputation.
The Cyber Resilience Act is a proposed EU regulation with a particular focus on the security of products with digital components.[40] To ensure cybersecurity in these products and to therefore safeguard businesses as well as consumers, it creates requirements which the products must comply with. Failing this, the products in question will not be granted access to the EU market. While these requirements may appear cumbersome, they are likely to have a positive impact on customer trust by allaying common concerns with respect to digital products and components.
As for financial institutions, the Digital Operational Resilience Act (“DORA”), which will apply as of January 2025, will introduce new criteria, templates and instructions regulating the manner in which such institutions manage IT and cybersecurity risks.[41] DORA aims to achieve a higher cybersecurity standard and ensure that financial institutions are able to withstand and recover from cybersecurity breaches with minimal disruption for customers and the financial system as a whole.
Finally, although the proposed Artificial Intelligence Act (the “AI Act”), which is in its final negotiation stages, mainly regulates the conditions under which artificial intelligence (AI) systems will be allowed to be produced and used, it nonetheless includes provisions concerning data and cybersecurity.[42] Specifically, if a high-risk AI system uses techniques which involve the training of models with data, the AI Act requires that the system meet certain data governance, data management and security requirements. In cases in which personal data is used to monitor AI bias, state-of-the-art security must be implemented, and privacy must be ensured.
6. Data Sharing
In order to unlock the full potential of data, data should not only be generated and stored, but also shared between entities, which can create monetary value for businesses. TomTom, for example, licenses its maps and online services to other companies, thereby generating income.[43] Simultaneously, data sharing can also facilitate internal and external processes and help solve issues or find room for improvement with respect to products and services. An example of this is Airbus’ platform Skywise, mentioned earlier in this article, which allows Airbus to resolve issues relating to its business. The scope of data sharing is not limited to B2B interactions, but can extend to collaborations between businesses and the government or voluntary organisations. Mastercard, for example, provides organisations that work to reduce human suffering with data to facilitate their research processes and give them the tools to achieve their goals.[44] Data sharing can be accomplished by means of agreements between companies, or the setting up of sharing platforms or programmes.
7. Challenges and risks
In today’s interconnected and data-driven world, challenges and risks associated with data have become increasingly prominent. One significant challenge is the escalating volume of data generated and stored, leading to concerns about its effective management, storage and analysis. The sheer magnitude of information creates difficulties in ensuring data accuracy, reliability and security. Cybersecurity threats pose a substantial risk, as malicious actors continually evolve their techniques to exploit vulnerabilities, leading to unauthorised access or corruption of data. Privacy concerns have also intensified, with the growing collection of personal data by organisations and governments raising questions about the ethical use of data and the potential for surveillance.
The rapid pace of technological advancements often outpaces regulatory frameworks, leaving gaps that can be exploited for misuse. Balancing the benefits of data-driven innovations with the need for robust safeguards remains an ongoing challenge in the modern digital landscape. The privacy paradox demonstrates that this struggle between making use of technology and maintaining privacy persists even on an individual level. This phenomenon refers to the contradiction between individuals expressing concerns about their online privacy, while simultaneously disclosing large amounts of data on the Internet, particularly through social media. The privacy paradox highlights the complex interplay between privacy awareness, convenience, and the perceived benefits of digital engagement.
8. Looking towards the future
The future of data is likely to be characterised by several key trends and developments. Firstly, we are already witnessing an increasing volume of generated data, as more aspects of our lives become digitised, from smart homes and wearable devices to the Internet of Things. This surge in data will continue to widen the horizon for data analysis and further development of technology, while certainly posing data management challenges.
Another key trend which is at the forefront of the evolution of data is the ongoing advancement in the areas of AI and machine learning. AI will play a crucial role in extracting meaningful insights from massive datasets. Predictive analytics and personalised services will become more refined as algorithms analyse diverse data sources.
Finally, privacy concerns and data protection regulations will undoubtedly continue to shape the data landscape. The existing and incoming frameworks will continue to be refined and expanded in order to keep pace with technological advancements and adapt to new threats and opportunities. As technology evolves, so too will the strategies for managing, analysing and safeguarding the vast amounts of data that continue to be generated daily.
Should you wish to discuss further, contact Ron Galea Cavallazzi on ron.galeacavallazzi@camilleripreziosi.com or Alexia Valenzia on alexia.valenzia@camilleripreziosi.com or Veronica Campbell on veronica.campbell@camilleripreziosi.com
____________________________________________________________________________________________________________
[1] The Digitization of the World From Edge to Core, Data Age 2025, IDC: https://www.seagate.com/files/www-content/our-story/trends/files/idc-seagate-dataage-whitepaper.pdf
[2] Factsheet published by the European Commission: https://digital-strategy.ec.europa.eu/en/library/data-act-factsheet.
[3] Publication: https://impact.economist.com/perspectives/sites/default/files/ei233_msft_futuredata_report_-_v7.pdf
[4] Article: Amazon: Using Big Data to understand customers | Bernard Marr: https://bernardmarr.com/amazon-using-big-data-to-understand-customers/
[5] Ibid at 4.
[6] Article: https://vivekjadhavr.medium.com/how-did-netflix-use-big-data-to-transform-their-company-and-dominate-the-streaming-industry-a93f90ae8dad
[7] Article: https://www.linkedin.com/pulse/netflixs-secret-sauce-how-data-analytics-propelled-them-michael-turon
[8] Article: Airbus, Delta Air Lines partner on Skywise open-data platform and predictive maintenance services | Airbus
[9] Ibid at 8.
[10] Press release by the European Commission: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_1113.
[11] Publication: ValueDataArticle_aug2022_edited.pdf (columbia.edu)
[12] Ibid at 11.
[13] Report: https://www.accenture.com/content/dam/accenture/final/a-com-migration/pdf/pdf-83/accenture-making-personal.pdf.
[14] Article: The Magic of Predicting Demand from Data (strategy-business.com)
[15] Ibid.
[16] The European Data Strategy: https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-data-strategy_en
[17] Overview by the European Commission: A European Strategy for data | Shaping Europe’s digital future (europa.eu)
[18] Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act).
[19] Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act).
[20] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act).
[21] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[22] Article: GDPR is changing consumer trust and data security across Europe (betanews.com)
[23] European Data Protection Board Guidelines 05/2020 on consent under Regulation 2016/679: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
[24] Ibid.
[25] Ibid.
[26] Ibid.
[27] Article: Five Benefits GDPR Compliance Will Bring To Your Business (forbes.com).
[28] Report: Digital trust: Why it matters for businesses | McKinsey.
[29] Report: State of the Connected Customer Report Outlines Changing Standards for Customer Engagement - Salesforce News
[30] Article: GDPR: raising the bar for data governance | by Iven Mokalu | Medium.
[31] Article: Five Benefits GDPR Compliance Will Bring To Your Business (forbes.com).
[32] Ibid.
[33] Article: GDPR: raising the bar for data governance | by Iven Mokalu | Medium.
[34] Report: 81% of Consumers Would Stop Engaging with a Brand Online After a Data Breach, Reports Ping Identity | Business Wire
[35] Article: 50 Stats Showing Why Companies Need To Prioritize Consumer Privacy (forbes.com)
[36] Article: Mind The Trust Gap: How Companies Can Retain Customers After A Security Breach (forbes.com)
[37] Report: Digital trust: Why it matters for businesses | McKinsey
[38] Article: British Airways fined £20m over data breach - BBC News
[39] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
[40] Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
[41] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
[42] Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts.
[43] European Commission Staff Working Document – Guidance on sharing private sector data in the European data economy: https://digital-strategy.ec.europa.eu/en/news/staff-working-document-guidance-sharing-private-sector-data-european-data-economy.
[44] Ibid.