data protection

GDPR Fines Hit $1.4B as Customer Support Becomes Compliance Risk

In 2025, GDPR fines reached $1.4 billion in Europe and $2.8 billion globally, highlighting significant risks in customer support operations due to data handling by outsourced teams. Experts emphasize that compliance depends on strict data access controls, comprehensive audit trails, thorough agent training, and ongoing monitoring to prevent breaches and ensure accountability throughout support workflows.

https://news.designrush.com/gdpr-compliance-customer-support-risks-explained

The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust

Steve Durbin highlights that the next major cybersecurity crisis will not be breaches but the growing distrust in data integrity, especially as AI-driven decisions rely heavily on trustworthy data. He stresses that data governance, clear ownership, and auditability of data are critical to maintaining accuracy and preventing harmful distortions that can compromise operations and decision-making.

https://www.securityweek.com/the-next-cybersecurity-crisis-isnt-breaches-its-data-you-cant-trust/

Focus Areas When Implementing Data Protection by Design and by Default in 2026

Data protection by design and by default, a key principle of the EU GDPR, remains inconsistently implemented nearly a decade after its adoption, requiring organizations to consider four main factors—state of the art, cost of implementation, processing context, and risks to individuals—for effective compliance. In 2026, evolving technologies and regulations, especially concerning AI, demand a dynamic, risk-based approach that integrates ongoing assessment and adaptation of technical and organizational measures from the system design stage through deployment to safeguard personal data and uphold individuals' rights.

https://iapp.org/news/a/focus-areas-when-implementing-data-protection-by-design-and-by-default-in-2026

CISOs Rethink Their Data Protection Strategies

Chief Information Security Officers (CISOs) are rethinking their data protection strategies in response to the rapid expansion of artificial intelligence (AI) use, which magnifies the risks to sensitive data through increased data sharing and exposure. Organizations are enhancing data classification, access management, and monitoring tools, adopting zero-trust frameworks, and frequently updating policies to keep pace with evolving technologies, regulatory requirements, and emerging AI-enabled cyber threats, underscoring the critical need for continuous adaptation in data security programs.

https://www.csoonline.com/article/4143384/cisos-rethink-their-data-protection-strategies.html

Spain’s Data Watchdog Maps the Hidden GDPR Risks of Agentic AI

Spain's AEPD published a 71-page guide addressing GDPR compliance for agentic AI, highlighting privacy risks like prompt injection and memory issues. It distinguishes AI agents from chatbots and outlines vulnerabilities in multi-agent systems. The guide includes recommendations for memory compartmentalization, data minimization, and governance frameworks aimed at responsible AI deployment.

https://ppc.land/spains-data-watchdog-maps-the-hidden-gdpr-risks-of-agentic-ai/

Day 80: Data Protection – Building Enterprise-Grade Privacy and Security

A comprehensive data protection system is being implemented, focusing on encryption, data classification, privacy controls, and GDPR compliance. The system utilizes AES-256-GCM encryption, a data classification system with four sensitivity levels, and a privacy control framework with granular consent management. Additionally, it incorporates data masking strategies and automated GDPR compliance workflows to ensure data security and privacy at scale.

https://fullstackinfra.substack.com/p/day-80-data-protection-building-enterprise?source=queue

Security Obligations Under GDPR Still Apply, Even if Data Is Anonymous in the Hands of an Attacker

The UK Court of Appeal ruled in DSG Retail v. Information Commissioner that GDPR security obligations remain for controllers even if data is anonymous to attackers. The decision emphasizes the broad nature of “personal data” and the need for controllers to protect against unauthorized access, regardless of how data may appear to a third party. This ruling challenges prior interpretations that could diminish data protection responsibilities. It suggests that GDPR accountability may extend beyond the direct data handling by the controller.

https://iapp.org/news/a/security-obligations-under-gdpr-still-apply-even-if-data-is-anonymous-in-the-hands-of-an-attacker

Data Protection by Design and by Default

Data protection by design and by default ensures privacy is integrated from the start of any process involving personal information. Organizations must implement technical and organizational measures to protect rights, especially for children. Compliance involves assessing risks, ensuring minimal data use, and creating user-friendly options for exercising rights. Organizations are accountable for these practices throughout the information’s lifecycle and should document their decisions.

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-by-design-and-by-default/

EU Court of Justice Narrows Scope of When Pseudonymized Data Is Considered “Personal Data”

An EU Court of Justice ruling narrows the definition of “personal data,” stating that pseudonymized data is only personal if re-identification is “reasonably likely” for the recipient. This shifts how organizations handle such data, impacting sectors like AdTech and AI training. Compliance obligations for GDPR remain based on the original controller's capabilities. Organizations can share pseudonymized data more freely, but must assess re-identification risks carefully.

https://www.armstrongteasdale.com/thought-leadership/eu-court-of-justice-narrows-scope-of-when-pseudonymized-data-is-considered-personal-data/

EDPB Releases Guidelines on Blockchain Personal Data Processing

The EDPB released guidelines on blockchain personal data processing, addressing GDPR compliance challenges due to blockchain's immutability and decentralization. The guidelines emphasize clarified roles for nodes and advocate minimized personal data use, encryption or hashing to protect data, and off-chain storage for erasability. The public consultation is open until June 9, 2025, with consistency expected in the final guidelines.

https://natlawreview.com/article/blocks-rights-privacy-and-blockchain-eyes-eu-data-protection-authorities
