Data protection undergoing landmark changes this year
Businesses will have to navigate increasingly complex requirements when handling people's data and contend with technologies that make privacy violations easier and more widespread. According to Krete Paal, CEO of the Estonian data protection startup GDPR Register, regulatory oversight of data protection is becoming stricter, with higher penalties for non-compliance.
Speaking about this year's changes, Paal highlighted that biometric data and neurodata, including facial recognition, are classified as special categories of personal data and therefore subject to stricter protection under the GDPR. "For businesses, this means additional requirements, especially in sectors like healthcare and financial technology. I strongly recommend conducting a proactive audit of sensitive data to determine what personal data is being collected or processed," Paal advised.
According to the data protection expert, businesses and public institutions must also increasingly account for the risks associated with deepfakes, including identity theft. "To prevent breaches, it is advisable to implement multi-factor authentication, including encryption and access restrictions. There are also specialised tools available for detecting and mitigating deepfake technology," said Paal.
Discussing this year’s trends, the expert predicted that the European Data Protection Board and national supervisory authorities will increase both the number and severity of fines, with a particular focus on repeat violations.
Companies and institutions must therefore recognise that a system designed to meet compliance requirements today may not remain compliant in the future. "Data protection risks must be regularly assessed, and compliance monitoring and reporting should be automated to minimise human error," Paal recommended. She emphasised the importance of proactive security, user-friendly solutions, and responsible adoption of new technologies.
The GDPR Register CEO also reminded businesses of a key data protection principle: collect only the minimum necessary information. "It is crucial to critically assess what data is collected and for what purpose, eliminating unnecessary or redundant data. Data collection should be clear to users and tied to specific objectives," Paal stressed.
This year, cross-border data transfers will be significantly affected by the Schrems II ruling. As a result, organisations must carefully evaluate whether transferring data to third countries ensures a level of protection equivalent to that of the European Union. "This may require implementing additional technical and organisational measures to compensate for shortcomings in third-country legal frameworks," Paal explained, adding that greater attention must be paid to contractual clauses and international standards. "Investing in pseudonymisation and encryption technologies for data flows is highly advisable," the expert noted.
Data breaches caused by partners or service providers can also lead to hefty fines and reputational damage. As a precaution, businesses and institutions should critically assess whether their third-party providers and cloud services comply with GDPR standards.
Given that regulatory compliance is becoming increasingly complex and tracking all requirements and changes manually is time-consuming and inefficient, artificial intelligence can provide valuable assistance.
"AI can be used for conducting data audits, adjusting processes to regulatory changes, and drafting data protection documents," Paal pointed out, adding that the startup has already launched its first AI-powered product to help businesses and public institutions meet GDPR obligations.
However, the use of AI in data processing is under heightened scrutiny from regulators. "When using AI, it is essential to ensure that processes remain understandable and transparent. Users must also have the option to delete their data or opt out of AI-driven processes," Paal emphasised.
Developed in collaboration with IT experts, the GDPR Register simplifies and streamlines compliance with GDPR requirements, helping companies and institutions efficiently manage processes, actions, and documents associated with GDPR regulations.