Human-Centred AI: Enabling & Facilitating a Climate for Change

Great Capabilities to Improve

Integrated ecosystems sustain life and provide us with an amazing habitat. People and the ecosystems we live in, in this Digital Age, have great capabilities to improve and sustain the quality of life for all.

As we face and urgently need to deal with many societal challenges, we need a climate for change. Various such societal challenges (Figure 1) can be identified in the domains of manufacturing, supply chains, logistics, maintenance and related industry domains.

As these domains will remain essential parts of our society and economy, a climate for change in these essential parts of our ecosystems is needed as well. Safe, trusted and trustworthy Artificial Intelligence (AI) and other or related knowledge, processes, technologies, human intelligence and experience may be an excellent enabler and facilitator to help cater for and sustain such future-proof ecosystems.

The whole supply ecosystem, including sourcing, engineering, manufacturing, assembling, logistics and the like, as well as the related organisations, professionals, partners and customers involved, and the respective societies, ecology and economy, can benefit from access to, use of and exchange of data, information, knowledge and experience. Digital platforms, AI, intelligent systems, cognitive (edge and IoT) computing, robotic process automation (RPA), cobots, distributed intelligence and autonomous systems are further expediting this process by connecting, interconnecting and hyperconnecting organisations, individuals, communities, societies and data with tens of billions of objects and entities.

Where To Start?

What can an entrepreneur, company, sector, community or other group in manufacturing, industry and related sectors and domains do to create overall positive impact while also having a viable and economically sustainable value model, with related business models and (financial and other) feasibility models, to get things started, going, trusted, growing, scaling, resilient and future-proof? Having a big vision and focusing on the horizon is important, but having a clear starting point is one of the main prerequisite success factors.

With that in mind, it is recommended to start with identifying and establishing the particular challenge(s) one would like to focus on, for instance by using the 12 Societal Challenges for Future of Living, as visualised below (Figure 1). These are in line with both the vision of the European Commission as well as the United Nations’ Sustainable Development Goals (SDGs). These Societal Challenges are obviously intertwined and interconnected.

Figure 1: Intertwined Societal Challenges for Future of Living

Let’s take a closer look at two of these Societal Challenges: Demography and Skills & Jobs. Where and why may AI in an Industry 5.0 context be valuable, appreciated and even necessary? First some background:

1. Societal Challenge Nr. 4: Demography

Within the European Union, there is a decline in the working-age population. It is expected to shrink by 13.5 million (or 4%) by 2030 compared to 2018. In addition, as the EU population is expected to shrink by 5% between 2019 and 2070, to 424 million inhabitants, the trend towards shorter working weeks could cause a 2% reduction in labour supply.

The EU’s demographic ratio between people above 65 years old and those aged 20-64 is expected to increase from one-to-four in 2010 to one-to-(less than)-two in 2070.

2. Societal Challenge Nr. 11: Skills & Jobs

According to the OECD, 65% of the kids in school today will have jobs that haven’t been invented yet. This indicates that we apparently are not yet sure what the future will look like, but that we do acknowledge society will look very different in a decade. The World Economic Forum points out that among the top 10 most essential skills of the near future are: analytical thinking, empathy, creativity, reasoning, complex problem-solving, self-management, and technology development and use.

Clearly, this list reflects a more intertwined combination of right-brain and left-brain skills than currently seems to be the case.

These two Societal Challenges and their backgrounds already demonstrate that AI in an Industry 5.0 context may be valuable, appreciated and even necessary to address these societal challenges in industry and the related society and economy:

  • When focusing on the Societal Challenge of Demography, combining and deploying innovative processes, data and technologies to augment the capabilities of people, industry, supply side and demand side can be a helpful mechanism to compensate for the expected decrease in productivity, welfare and quality of life.
  • When focusing on the Societal Challenge of Skills & Jobs, three questions that come to mind are (i) how will the future of work change the industrial sector, and the looks of our urban and rural societies, (ii) how to keep the veins of trade and human values running through our communities, and (iii) whether technology will displace more jobs in 10 years than it creates, or vice versa. With all these questions raised, what role will and can AI play in combination with human interaction?

Human-centric AI capabilities for Industry 5.0

The above not only demonstrates that there is huge potential and there are huge markets for AI and related intelligent systems. It also demonstrates that there is a need for AI- and other technology-supported H2M, M2H, H2M2M and other interaction, communication and cooperation to help address the current and upcoming challenges, avoid social disruption, and improve social prosperity.

Safe, trusted and trustworthy human-centred AI, with human and other European and universal values embedded by design, can in our view certainly be a great component for enabling and facilitating a future-proof Climate for Change in Industry 5.0 and related domains. This is exactly why STAR can accelerate the transition towards human-centric AI in manufacturing, and beyond.

With this, the European stakeholders, society and economy can build, deploy, use, enjoy and even export the most trustworthy human-centric AI for Industry 5.0 and related digital (eco)systems and services all over the world. As Commissioner Breton formulates: ‘Europe has everything it takes to lead the technology race’. In our own words: Europe has great capabilities.

But how to make that work? We will discuss this in our subsequent blogs, so please stay tuned.

Blog by Arthur van der Wees, Arthur’s Legal, Strategies & Systems

Sense & Sensibility

In Health, Care & Cure, in this Digital Age

Sensible Healthy Living

Humans are quite resilient. Sometimes, however, one may need some help.

One of the essentials for resiliency is healthy living, also when one feels ill, has fallen sick, has recovered or otherwise needs care and other support to retain or move towards a decent quality of life, in every phase of life. Health, wellness, prevention, care, cure and post-cure care go hand in hand.

Can these be improved with the capabilities of this Digital Age? If so, what makes sense, what does not, and how can we stay fully aligned with human values? After all, it is all about improving the quality of life of people and society in general, and of individuals in particular.


Over the last decades, quite a few have focused on putting the letters e- or m- in front of healthcare: e-health, m-health and other attempts to introduce technology as the silver bullet in the health, care and cure domains.

This technology-centred approach has proven not to be very successful. We believe the reason is quite clear: the focal point is totally off-topic. Trying to improve quality of life is something other than trying to push as many devices, systems and digital services as possible. Focusing on technology alone makes no sense whatsoever.

The various domains of healthy living do not only concern an abstract human being or a treatment protocol. They concern real individuals, each with their own background, dreams, particularities and ethics. Each individual will have many personas during their life; regarding healthy living, one can be young, middle-aged or older, a professional or amateur sportsperson, an injured person, a short-term or longer-term patient, or somebody else who needs special care or other attention for a period of time that differs per individual and per relevant (complex of) personas. Healthy living is personal.

Trust Anchors

However, healthy living is not merely about such personas. It is also about the many professional caregivers (social, home and other), physicians, doctors, hospitals, health service providers, home care and insurance companies, policy makers, agencies and authorities, as well as the friends and family of the individual, and society at large. These diverse groups of stakeholders are, or should be, trust anchors for any individual who needs care, cure or post-cure care.

This multi-stakeholder-centric approach should also be taken when considering and implementing any capabilities of this Digital Age, such as the processing of digital data, in the essential yet complex healthy living domain.

This is also because these individuals are vulnerable when they need care, support and attention: first because of their particular health situation, but also because of a lack of sufficient knowledge and a lower ability (and willingness) to process information in a normal, rational way. They need continuous support by professionals, including professionals in the interdisciplinary convergence of health, data & digital.

This is one of the reasons why the European project ASCAPE has received funding to work on the above-mentioned interdisciplinary human-centric approach, in particular to explore where and how certain digital capabilities can support cancer patients and improve their quality of life.

Ethical Dilemma

As an example, let’s consider any wearable connected to the internet in some way.

The connected device and related software algorithms (including certain artificial intelligence) could help monitor certain health properties of an individual, for instance by sensing and processing those and digitally sharing them with the individual’s health professional. Do you believe that such a vulnerable individual can freely give consent for the measuring and data sharing? Does such a person have a genuine choice to withhold it? How can they independently weigh short- and long-term health impact against short- and long-term privacy impact?

Under the GDPR, ‘consent’ by an individual means any ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. Consent should cover each of the processing activities carried out, per purpose. For consent to be informed, the data subject should at least be aware of the identity of the data controller and of the purposes of the processing for which the personal data are intended. So, what would be your human-centric ethical call in this example? Whom would you need to help give well-informed advice to such an individual within your professional ethical conduct?

Updated Multi-stakeholder Spectrum

It is clear that adding an updated multi-stakeholder spectrum as additional trust anchors to the interdisciplinary human-centric approach is a prerequisite. Doing so in a technology-neutral and technology-agnostic way is preferred. We believe that this is the only way to make any digitalisation in the healthy living domains a success.

But where, practically, to start from this perspective of interdisciplinary human-centricity? We believe it starts with transparency in general and, as part of that, with awareness in particular.

Trust starts with Awareness

Trust is not a five-letter word. It is remarkable how little ‘trust’ has been researched, written about and clarified, while there are quite a lot of dimensions and nuances to trust. Although not the only approach, for this article we would like to highlight the following five phases towards trust, acknowledging that trust equals consistency over time and so can be quite dynamic:

  • Awareness: That one needs to become aware in order to build and achieve the appropriate level of trust is obvious, but not that easy. Having insufficient knowledge is generally seen as a blocking factor that is even more essential than concerns about security, privacy or compliance. Insufficient knowledge means, for instance, a lack of access to relevant information, or a lack of clarity and readability of the supplied information. The phase of becoming (more and more) aware is a continuous one.
  • Understanding: Understanding may follow during or after one has become aware. Having things explained does not mean one understands. So, there is a clear distinction between explanation and understanding.
  • Appreciation: If one understands, it could mean that one has a certain level of appreciation, which would be of course the result of multiple considerations, including benefits, risks, impact and risk appetite.
  • Adoption: As mentioned, trust means consistency over time, so the fact that one starts to adopt certain capabilities in the Digital Age does not yet mean the appropriate level of trust has already been met, and will continue to be met.
  • Acceptance: The same goes for the acceptance phase, but in this phase the individual has chosen to trust it.

I Am Data, Therefore I Am

Trust can be catered for in many ways, including by demonstrating trustworthiness and accountability before, during and after deployment and use of any device, system or digital service. In this Digital Age, however, one should not forget that human-centricity also means that one needs to have the data-centric perspective at the core of each consideration, especially in the Healthy Living domain.

After all, if one treats individuals as mere data points, trust will not even start to build, let alone the take-up and scale-up of any digitally enhanced capability.

When thinking about personal data, it is quite simple. It’s personal. It is provided only to be processed and protected by accountable custodians, for a single, clear purpose. If we are able to create, build, nurture and cater for such interdisciplinary human-centric, transparent and trustworthy digital means, as an aid for individuals in Healthy Living that respects and protects the human values of each person (including but not limited to privacy, security, safety and accountability), we have a global market of almost 8 billion individuals whose quality of life we can help to improve.

Projects such as ASCAPE explore these success factors in real-life pilots in multiple countries: what makes sense and what is sensible, in which situation and context, et cetera. It is crucial that all stakeholders involved will be able to trust the relevant digital capabilities, including devices, data, algorithms, software, digital ecosystems and services. Awareness, understanding, appreciation, adoption and acceptance are essential for such stakeholders to work on as well.

Healthy Living that Makes Sense is a Team Sport

If we as interdisciplinary team players achieve the appropriate level of trust and trustworthiness (the level where things really start to make sense), it will not only help the particular individual, but also, during and afterwards, the health professionals in providing better care, cure and post-cure care to other individuals. It’s truly a team sport.

October 2021. Blog by Arthur van der Wees, Arthur’s Legal, Strategies & Systems

Data as an Enabler

Data as Main Priority

Recently, Commissioner Breton stated the following:

‘As a European Commissioner, the question I’ve been probably asked the most in the last few weeks is: what is your priority?

Is it 5G? Is it artificial intelligence? Is it industry? Services? Audiovisual? Tourism? Space? Defence? Obviously, all these topics are priorities.

But for me, their foundation, their common denominator, what runs through all their activities from end to end, is data.’


The Commissioner for the Internal Market (DG GROW), the Digital Single Market (DG CNECT) and DG Defence & Aerospace could not be clearer. Data is the main priority, as it is the dynamic and all-present dimension that is relevant everywhere in this Digital Age. It can bring huge opportunities, benefits and gains. It is therefore high time that people, society and organisations in any sector start to organise themselves to grab this potential, in a European and collaborative way.

No surprise that the Commission published an ambitious Data Strategy [1] last month.

Common European Data Spaces

In the Data Strategy, the Commission mentions it will support the establishment of common European data spaces in nine (9) strategic sectors & domains of public interest:

  1. Industrial (manufacturing) data space;
  2. Green Deal data space;
  3. Mobility data space;
  4. Health data space;
  5. Financial data space;
  6. Energy data space;
  7. Agriculture data space;
  8. Data spaces for public administration; and
  9. Skills data space.

The fact that the Commission already indicates these are strategic sectors and domains of public interest implies that cybersecurity is fully in scope and on the radar:

‘The data spaces will be developed in full compliance with data protection rules and according to the highest available cyber-security standards.’

However, the Commission also has the vision of openness:

‘The vision of a common European data space implies an open, but assertive approach to international data flows, based on European values.’

Let’s zoom in on the relationship between data and cybersecurity, while aiming for the open society envisioned.

Cybersecurity in Data Context

Data protection, whether personal data or non-personal data, is one of the main principles in this Digital Age. Data control, access, use, sharing, management and other functionalities all need the non-functionals that are data protection and cybersecurity.

When done right, and therefore in a transparent and accountable way, cybersecurity can greatly contribute to the appropriate levels of data processing and protection. Therefore, cybersecurity is a prerequisite part of the solution to demonstrate trustworthiness and to build and sustain trust.

Data in Cybersecurity Context

Data is a great asset to enable, facilitate and optimise cybersecurity, in all technical layers and dimensions as well as cross-layer and cross-dimension. It can give everything and everybody a ‘contextual digital pulse’. With data and related attributes one can also identify anomalies, fraud and other risks.

Furthermore, one can add attributes to a chain of trust in order to obtain the appropriate impact-based level of trust necessary in the relevant context, for instance for digital identity, authorisation, relational or transactional purposes.

Data-centric security is not yet that much on the radar, but it is a prerequisite to support human-centric, secure, safe, trustworthy and beneficial digital ecosystems, whether cyber or cyber-physical. Increasingly, data-centricity is recognised and deployed as such. Data is part of cybersecurity, and vice versa.

Principle-based Frameworks

The digital and data domains are highly regulated nowadays. In recent years numerous new and updated regulations have come into force. Does this mean one cannot act and manoeuvre in this Digital Age without continuous legal assistance? We believe the answer is no, and even better: it is up to you to help out! Here is why.

Generally, all these regulations that concern data, cybersecurity or both are principle-based frameworks. Each leaves room for you to design, build and deploy your own dynamic architectures and systems within such regulatory frameworks, as long as one explains and documents them well and keeps that documentation up to date. The main ingredients that one needs to take into account? These four (4) main principles, all By Design and By Default:

  1. Data Processing
  2. Data Protection
  3. Cybersecurity
  4. Data Management

The regulations mentioned in the landscape visual below provide meta-frameworks in domains such as finance (PSD2), critical infrastructure, vital systems and essential services (NIS), personal data processing, protection and management (GDPR), identity (eIDAS), non-personal data processing and management (FFDR), open data (Open Data Directive), cybersecurity (CSA) and so on.

Each of these regulations has three to four of the main principles incorporated. Based on these, one can further detail and balance out various layers of subprinciples until some rule-based parts and related governance emerge to organize and balance the appropriate organisational and technical measures you look for, provide, procure, implement or monitor. It’s all about using your own and others’ inter-disciplinary common sense.

Get Involved

Cybersecurity is mentioned almost 20 times in the Data Strategy. The Commission also describes a new data paradigm in which less data will be stored in data centres and more data will be spread pervasively, closer to the user, ‘at the edge’. This brings new challenges for cybersecurity. However, it also brings massive opportunities, for all.

So, do not wait for a regulator, authority or court to come with ‘further rules’, as they generally will not. It is up to you to help fill in these regulatory frameworks, and to make the most of the capabilities, data and other assets available in this Digital Age, while observing continuous, appropriate and dynamic accountability on the main and related (sub)principles and rule-sets. With this, we can build, deploy, use, enjoy and even export the most trustworthy products, (eco)systems and services in the world. As Commissioner Breton formulates:

‘Europe has everything it takes to lead the technology race.’

In our own words: Europe has great capabilities.

Arthur van der Wees, Arthur’s Legal, Strategies & Systems

Reference: [1]

Solving Current & Emerging 21st Century Challenging Problem Sets Requires Team Work. Nothing Less

Everything is connected

Alexander von Humboldt, the 18th-century scientist and explorer, world famous in his time, was the first to explain the fundamental functions of the mountains and the rain forest for the ecosystem and climate, claiming that the world is a single interconnected organism.

Everything is connected. This is the concept of nature as we know it today. According to von Humboldt, everything, down to the smallest creature, has its role and together makes up the whole, in which humankind is just one small part.

Introducing Arthur Strategies & Systems

Arthur Strategies & Systems believes that the 21st Century, with its human, societal, ecological and economic challenges, clearly reconfirms and re-establishes von Humboldt's view and statement. We are all connected in this dynamic world, and to an increasing extent interconnected and hyperconnected. We help design, build, deploy and sustain these ecosystems, and ecosystems of ecosystems.

Meanwhile, in this Digital Age, technology has outstripped our societal, economic and legal frameworks. How to catch up, and keep up? That's one of the other key missions of Arthur Strategies & Systems.

We have been working on these challenges for two decades already, have ramped up on them, and have even chosen to dedicate a separate website to them:


Digital technology changes the world at a fast pace. Yet humans are underrated. Build, enhance and retain trust with the combination of human brain power, purpose and passion, machines, algorithms, data and accountability.

We call that the Multiplicity Approach: a dynamic symbiotic combination of diverse groups of people that work together with diverse groups of human-centric machines, algorithms and capabilities to identify, address & solve problems, make & execute decisions, and double-loop to never-stop-learning.

This is Team Sport

This is a Challenging Problem Set. There is No One Solution. There is No One Group with the Answer. There is No One Technical Fixture. This is about Working Together, as Teams. To Achieve Outcomes. This is a Team Sport.

Therefore, Arthur Strategies & Systems operates as a distributed, interdisciplinary organisation, where we build, organise, deploy and manage special teams; per program, per project and per event.

In order to work on solving the current and emerging 21st Century challenging problem sets, we need (A) to team up with all the human brainpower available: young and old, junior to senior, left side of the brain AND right side of the brain, from anybody; and (B) to responsibly augment and otherwise amplify all that knowledge, experience, lessons learned, competences and capabilities, for good.



Privacy & Other Human Values are an Opportunity, Not a Hindrance

Data is Addictive

Many have claimed that data is the new oil. While organisations are leveraging the seemingly infinite possibilities of data analytics, users happily consent to giving away their private information (including sensitive and other personal data) in exchange for basic internet tools and services (such as email and chat) as well as targeted-ads-selling platforms (such as numerous search engines and social networks).

However, with the new EU General Data Protection Regulation (GDPR) shortly entering into application, as well as the recent revelations of excessive personal data sharing and the related behavioural analytics and influencing, privacy and related human values and rights are coming into the bright spotlight. Do the GDPR and other human rights frameworks present a hindrance for businesses, though?

Turning Backs on Data Absorbers

Recently, Facebook’s data scandal has been making headlines after it emerged that the social network allegedly shared information about 87 million of its users with Cambridge Analytica, a political consultancy firm, which used the data to influence presidential elections in the U.S., amongst others. A few days later, Facebook’s chief said that all of its 2.2 billion users should assume that their data has been compromised by third-party apps.

The revelations have raised a wave of criticism of Facebook’s and other Data Titans’ personal data protection practices and prompted users and organisations to close their social media accounts, while governments have intensified their calls for tougher regulation and harder taxation of these data absorbers.

Solving the Riddle

While the current increased attention to online privacy is noteworthy, the solution to the challenge posed does not lie so much in turning our backs on social media. Nor does it lie only in tougher regulation.

Undoubtedly, in the context of future technological developments, users, organisations and governments will face similar challenges related to the protection of users’ privacy. Therefore, in order to remain relevant and successful in this digital age, we need to get privacy, data protection and the other human values and rights relevant in the Digital Age well organised and enforced the first time around.

Understanding Privacy

Next to calls for proper enforcement of the Rule of Law, both users and customers as well as vendors and other organisations processing personal data of others (either as data controller or data processor) need a better understanding of issues pertaining to privacy and its security. It is essential that users become aware of the importance of their privacy and recognise its value in the online environment, just as they do in the physical world.

In becoming more vigilant, they should be supported in looking for and giving preference to fully transparent and privacy-enhancing products, systems and services. In response, vendors need to embrace their new role as the Custodians of Users’ Personal Data.

This also means that they should build products, systems and services with privacy and security by design and by default, as opposed to bolting those features onto existing products, systems and services. The era of ‘build fast, fix later’ is over.

Privacy as a Unique Selling Point

Platforms, services providers and other vendors should communicate transparent user-centric practices and related business models to their customers. If customers accept the approach, such privacy and security features will inevitably become important enablers for building mutual trust.

Ultimately, vendors’ focus on customers’ privacy can and should serve as a unique trust point. It will provide appropriate accountable organisations with a competitive advantage opportunity, rather than posing a hindrance. The same goes for being transparent and accountable regarding other human values.

Hence, in order to remain relevant, organisations should embrace privacy, data protection and other human values, and think of them as an integral part of the business model.

Side note: Arthur’s Legal is currently running free webinar sessions on Privacy in IoT. These webinars are open to the public and provide an ideal starting point for understanding and addressing privacy- and security-related issues in the context of this Digital Age. Further details and the sign-up form are available at

It Could Happen to You

State-of-the-Art Security & Privacy: Merely Needed, Continuously

For organizations around the world, implementing state-of-the-art security and personal data protection (using both technical and organizational measures) is now a must. In the wake of the recent Equifax incident, this article outlines why data security and privacy accountability is important and how organizations can responsibly manage their sensitive data.

You Got Equifax-ed!

On September 7, 2017, Equifax disclosed arguably the most severe personal data breach ever, affecting up to 145.5 million U.S. consumers, 694,000 British consumers and approximately 100,000 Canadian residents. The global consumer credit reporting agency announced that between March 2017 and July 2017 attackers were able to access consumers’ personal data, including names, social security numbers and birthdates as well as driver’s license numbers. Also, the details of up to 209,000 credit cards were reportedly compromised.

While previous breaches have exposed the details of more people overall, the Equifax incident is significant due to the highly sensitive nature of the leaked information. Although some of the data is of temporary nature and can easily be refreshed (such as credit card numbers), other types are more difficult to change (including addresses or social security numbers).

It’s not difficult to imagine why the leak of unchangeable “lifetime” data, including customers’ names and birthdates, is extremely alarming to consumers. As a result, the incident has been followed by significant media outcry, inspired the introduction of legislation, and sparked investigations by the FTC and FBI. Not to mention that the value of Equifax’s stock fell by a third in the days following the disclosure.

Another Case for Encryption

Due to the extent of the Equifax data breach, it is not surprising that it took less than two weeks for the first privacy regulator to take legal action. The attorney general of the state of Massachusetts filed a lawsuit against Equifax under the state’s consumer protection laws.

The complaint alleges that the credit reporting agency failed to adequately secure its portal after the public disclosure of a major vulnerability in the open-source software used to build its consumer redress portal and failed to maintain multiple layers of security around consumer data. It also argues that the credit rating agency violated the law by keeping Massachusetts’ residents’ information accessible in an unencrypted form on a part of its network accessible from the internet.

Given that the company collects and aggregates the information of more than 800 million individual consumers worldwide, it is disturbing to learn that encryption was not being used effectively by its IT security team in this case. The lack of encryption is even more surprising when viewed through the lens of Equifax’s main business activities: acquiring, compiling, analyzing, and selling sensitive personal data.

The Massachusetts claim alleges that Equifax’s market position and the nature of its business oblige the company to go beyond the regulations’ minimum requirements and “implement administrative, technical, and physical safeguards […] which are at least consistent with industry best practices.” As one of the most commonly used best-practice security measures, the encryption of sensitive consumer data at rest should have been ensured.
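The complaint’s two points, that sensitive data sat unencrypted on an internet-reachable segment and that there was no further layer of defence around it, map onto one concrete control: field-level encryption of the identifiers that cannot be refreshed, with the key held away from the record store. The following Go program is an added illustration of that control and is not code from Equifax, the complaint or this article; the record layout, field names, sample values and the way the key is obtained are all assumptions made for the example. A dump of the stored rows yields no plaintext, and a ciphertext moved to another row or column fails authentication instead of decrypting silently.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed stand-in for one consumer-database row: "id" stays
// in the clear for indexing, every field in sensitiveFields is stored encrypted.
type Record map[string]string

var sensitiveFields = []string{"name", "ssn", "birth_date", "license_num"}

// FieldCipher holds the data-encryption key, which belongs with the
// application (a KMS or HSM in practice), never in the record store.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher builds an AES-256-GCM cipher from a 32-byte key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to its row and column, so a value copied into
// another record or field fails authentication instead of decrypting.
func aad(id, field string) []byte { return []byte(id + "|" + field) }

// EncryptRecord returns the at-rest form of r: each sensitive field becomes
// hex(nonce || ciphertext || GCM tag) under a fresh random nonce.
func (c *FieldCipher) EncryptRecord(r Record) (Record, error) {
	out := Record{"id": r["id"]}
	for _, f := range sensitiveFields {
		nonce := make([]byte, c.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out[f] = hex.EncodeToString(c.aead.Seal(nonce, nonce, []byte(r[f]), aad(r["id"], f)))
	}
	return out, nil
}

// DecryptRecord reverses EncryptRecord; tampering or a ciphertext moved to
// another row surfaces as an error rather than as wrong data.
func (c *FieldCipher) DecryptRecord(enc Record) (Record, error) {
	out := Record{"id": enc["id"]}
	n := c.aead.NonceSize()
	for _, f := range sensitiveFields {
		raw, err := hex.DecodeString(enc[f])
		if err != nil || len(raw) < n {
			return nil, fmt.Errorf("%s: malformed ciphertext", f)
		}
		pt, err := c.aead.Open(nil, raw[:n], raw[n:], aad(enc["id"], f))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f, err)
		}
		out[f] = string(pt)
	}
	return out, nil
}

// LeaksPlaintext simulates a raw dump of the stored table: it reports whether
// any of the given values appears verbatim in the at-rest record.
func LeaksPlaintext(enc Record, values ...string) bool {
	for _, stored := range enc {
		for _, v := range values {
			if strings.Contains(stored, v) {
				return true
			}
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // assumption: in production this comes from a key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	// Constructed sample data, not a real person.
	plain := Record{"id": "c-0001", "name": "Jane Example", "ssn": "123-45-6789",
		"birth_date": "1970-01-01", "license_num": "D1234567"}
	enc, _ := fc.EncryptRecord(plain)
	fmt.Println("plaintext visible in stored row:", LeaksPlaintext(enc, plain["ssn"], plain["name"]))
	dec, _ := fc.DecryptRecord(enc)
	fmt.Println("round trip intact:", dec["ssn"] == plain["ssn"])
}
```

The record identifier is deliberately left in the clear and bound into the associated data: that keeps the table searchable by key while ensuring that an intruder who can read rows cannot splice an encrypted SSN from one consumer into another’s record. Rotating the key is a matter of decrypting and re-encrypting under a new FieldCipher, which is why the key never sits beside the data it protects.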

From What If …

What if the Equifax incident had occurred a year later?

In the first months of 2018, several important pieces of new EU legislation will go into effect, including the General Data Protection Regulation (GDPR) and the directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). Both laws bring about significant changes in the domain of data protection and cybersecurity and introduce a new set of requirements with which companies must comply. Had the Equifax breach occurred in July 2018, the agency would likely have faced legal claims under the GDPR and the NIS Directive.

The NIS Directive aims to achieve a high common level of security of network and information systems within the EU. To that end, its provisions apply to providers of digital services active in the EU as well as to operators of essential services active in the Union. The GDPR, on the other hand, places stringent data protection and security obligations on anyone handling the personal data of EU citizens.

Similar to the NIS Directive, the GDPR requires companies processing personal data to implement appropriate technical and organizational measures that ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the purposes of the processing, and its impact. In this respect, the regulation names encryption as one of the appropriate technical measures to be implemented. Having failed to encrypt customers’ data properly, Equifax would likely be non-compliant with these provisions.

The GDPR also requires an organization to notify the supervisory authority within 72 hours of becoming aware of a breach, so Equifax’s disclosure of the data breach more than six weeks after it occurred would certainly not satisfy the obligation to notify without undue delay. Once again, had the incident occurred a year later, failing to act in accordance with the law could have exposed Equifax to fines of up to 4 percent of its total worldwide annual turnover, which would amount to about EUR 130 million, per breach.

Data Protection Impact Assessment

Both of these failings could have been prevented had Equifax diligently carried out the Data Protection Impact Assessment (DPIA) required by the EU GDPR. The DPIA is a legal requirement under the GDPR for organizations processing personal data in a way that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is not only important from a legal compliance perspective; it also provides organizations with a systematic description of their personal data processing, including special categories of data, an assessment of its necessity and proportionality, and an identification of the risks and of the measures in place to address them.

In other words, the DPIA serves as a valuable tool for testing and validating an organization’s data and security strategy. It brings many benefits, including the potential for structural savings, data minimization, and scalability of the business model. Given the extent of the incident, it is clear that a diligently carried out DPIA would have raised plenty of red flags for Equifax to address.

It Could Happen to You

Given the thousands of UK and Canadian citizens who were also affected by the Equifax incident, some have claimed that the lawsuit filed by the Massachusetts attorney general may be just the tip of the iceberg. Indeed, that may well be the case. At the same time, there remain thousands of organizations for which processing sensitive personal data constitutes an essential part of their business.

Irrespective of the new legislation entering into application in 2018, if organizations have not started addressing the security and protection of their customers’ personal data, the Equifax saga may in the end serve only as the overture to a swiftly developing and extensive narrative featuring a growing cast of unprepared characters.