
Thank you so much. Let me just go up. My name is Na Maria, coming all the way from Norway to be with you today. I landed in the US yesterday. I'm leading a company called Bloom Ages, and what we're doing is using AI, we are in the prototyping phase, using AI to reduce school shootings in the US. You may wonder how we came to that. I studied data science and business analytics at Harvard Business School, and last year I approached a couple of my colleagues and said we have not studied just to advance our careers; we want to use it for social good.

That's why we ended up in this project that we are prototyping. It was an amazing journey, because once we started to talk to schools and find out how we really can use the potential data to create a model to reduce school shootings and start recognizing the patterns of criminals coming to the area, we realized that there are a lot of difficulties with regard to compliance. I'm coming from Europe, from Norway, and what we have in Europe is GDPR, the General Data Protection Regulation for data privacy, and that is unique for 27 countries in Europe. However, coming to the US, we started to talk with the state of Delaware and then navigating to California and Kentucky and other states, I realized that what we first need to do is to study compliance with regard to data privacy. When I talked with one of the principals in the schools, I realized that there is audio detection in the school, and I was, wow, is it really allowed to have audio detection in school? I didn't even know that, because that's not the type of thing we use in Europe. Then, going back and studying how companies actually are navigating between the US and Europe, it started to light up in my head that there are a lot of compliance issues between these two continents.

First I can share with you... well, okay, it works now. Good. First I can share some examples with you. Uber: in 2017 Uber faced a lot of problems in the UK because there was a regulation in the UK that the drivers had to go through a safety background check. That was not something that Uber practiced in daily life, and they were risking losing their licenses in the UK. The year after, Germany and France started to revoke the license for Uber because they were not in compliance with the local regulation: the drivers in Germany and France were supposed to be part of the union, which was not part of the general practices in Uber. A year after, California came with another regulation, AB5, which is Assembly Bill 5, that gig workers are not supposed to be contractors but employees. So if you just think about one company going through a massive compliance issue because of navigating between countries and continents, then you can understand how important compliance can be.

The next company I would like to share is Airbnb. What happened to Airbnb is that first in New York there was a state regulation that all the housing that was for renting had to be listed with the compliance checklist that the state had, and Airbnb started to say that it's not possible because it goes against the data privacy of people. Then in Spain there was a problem with the directorate of the consumer department, where people got problems with Airbnb: they couldn't list their houses because it was not compliant in the country. So that was another thing that a big company like that went through, a lot of problems. And last but not least, the company that I want to mention is Meta. In 2023, they had to pay 1.25 billion euros to the country of Ireland for data privacy. The following year, in 2024, they also paid 798 billion euros for breaching the unfair market practices in Europe.

So why I'm sharing this is to tell you that when you're working in a multinational company, it's very important to be aware of how you can navigate between two continents, and maybe three if you're also working with Asia and other countries. What's interesting is that when I was studying at Harvard, I remember my colleagues in the class were always saying "lack of regulation, lack of legacy", whereas in Europe we have too much regulation. I think if I showed a list of what I have done as a practice for my own company in Europe, you would be shocked. But just thinking about GDPR, which is the data privacy regulation in Europe: we have 27 countries with the same regulation, and if somebody wants to sue any company because of a breach of GDPR, then they have to go to the investigation department of that country, they do the investigation, and then there will be charges against that company. However, in the US it was very interesting that individuals actually can go to court and sue any company because of a breach of data privacy, and that is actually in 20 states of the US. So it is very important to have a total overview of all kinds of regulations that you have.

This practice is something that I have done for my company in Norway. This is the list of regulations that have come from 2022 up to 2026 and when they start getting into practice. Why I did this exercise is to realize what kind of regulations exist and how and where they overlap, because that's actually what's important that you have to look into. For example, when talking about the AI Act, which is very new, we're talking about responsible AI in Europe. Of course, implementation will be a mess; it's not as easy as you speak. But we're talking about responsible AI, and that has a lot of overlap with data privacy and GDPR and so on. So what I would recommend to all of you who are working with a multinational company is to make sure that you list all the relevant regulations and ensure that you identify the overlap between these two or three, or whatever regulations they are.

I want us to understand a little bit of GDPR and DORA. DORA is the abbreviation of the Digital Operational Resilience Act. It has come to Europe this year, effective from 17 January 2025, and it insists on the resilience of financial institutions, including banks and insurance and all other financial institutions, to make sure they are prepared for any cyber attack, and on testing. GDPR, as you know, is data privacy; it came to Europe and was established in 2018. It was very interesting when I was reading this statistic: I saw that in 2018 only 10% of people knew about data privacy, whereas now even my grandma is talking about GDPR. She can also articulate what data privacy is and actually tell you what you have to do and what you should not do.

There are three identities about GDPR that are very important. The first one is that you should only collect as much data as you need, not more in case you will use it in the future. So just limit the data collection. The second point is that every person has to give consent. Today I tried to take pictures of some of the presenters, but I went after them and asked, "Am I allowed to post and tag you on LinkedIn?", because that's how data privacy, or GDPR, works, and I hope that that kind of practice can be done everywhere in the world, because that gives a kind of security to people about how their data is used. The third one is about having the right to eliminate that information, and that's something that most companies, even in Europe, fail to do, because you collect the data, you process it, and then you don't know. I'm an auditor by nature for cyber security and GDPR, so whenever I audit companies, 85% of them get a deviation because they have data that is absolutely unnecessary or they haven't deleted the data.

With regard to DORA, it is the kind of regulation where you have to do the risk assessment for your company and then understand what kind of risk you have; you have to prepare by proactive testing, and in addition you have to make sure that your company is ready to respond to cyber attacks whenever they come. That means that when you do the testing, you also get a third party to ensure that your testing, or the person who has done the testing for you, has done a correct job. So these are DORA and GDPR in a nutshell.

Then, okay, I just wanted to give you a little bit of content as well. GDPR, the regulation on data privacy, was 88 pages in total, and DORA is 79. But I promise and I tell you, because I'm working in the financial industry now, all banks and insurance companies in Europe have a storm nowadays, and if you talk to them they say, "We can't do anything else because we're so much involved with the DORA assessment and regulation," and it's because putting yourself into this regulation is a kind of complex issue.

One of the things that is important to know about GDPR: I just wanted to bring a little bit more content, because you're in the US and you probably don't know everything about Europe. It says that the fine is about 4% of the revenue, and let's say Uber or Airbnb, when it's 4% of their revenue, it's not only the revenue of the country that they operate in but the total global revenue that you'll get fined on. So if you want to do any kind of business with Europe, make sure that you're very good at GDPR, because otherwise any breach of that goes on your global revenue. Then it increased the territorial scope, which means that even if you're not a European national company, you just do some business with Europe, but you breach the security and data privacy, then you're still liable to pay the same fine. So make sure that you take care of that part. Consent really matters, as I said. One of the other things is the right to access and what is called portability, meaning that, for example, if I'm a musician and all my streaming is available on Spotify but suddenly I want to break my contract with Spotify and move to another platform, all my information has to be able to be transferred to another streaming company.

Here is the breakdown of DORA that I was talking about. It essentially breaks down into five different pillars. The first is risk assessment. You also have to do incident management, and the main important thing is supplier, supply chain, management, and it says up to the nth supplier, meaning that it's not your immediate contractor, but if the contractor has 10 layers of contractors you should be able to have the same thing for all the supply chain that you have. So it goes a lot into your supply chain management.

So what is the key takeaway of this? DORA is a unified framework for all the European banks, insurance and finance companies, whereas the US has different, or I can say multiple overlapping, regulations: different for banks, different for insurance and also other finance. The incident reporting is interesting because that also can have implications on the crisis management plan for every company. Imagine Bank of America also has business to do in Europe; the incident management in Europe is defined for 24 hours, whereas in the US you have like 4 days or 72 hours. So that's a difference, and you need to make sure that you can navigate it properly. The third-party risk regulation is also important, because I know that in the US it's a different regulation even in different states, whereas in Europe DORA has defined that very clearly. It even articulates what you have to write in your contract toward your immediate contractors.

What is the advantage and what's not? Because we know that, yes, it's good to have a unique regulation; it's good to have something that is the same for everybody, but there can also be disadvantages. One of the challenges we face in Europe is the implementation. It's a lot, as I showed you in the previous slides. It's a lot of regulation. How do you really implement it? A lot of you know ServiceNow or other kinds of GRC systems. It's very good to have them. But I'm interested to know how many of you have fully implemented these kinds of GRC systems. Right? I see the smiles. So it's not enough to have a good tool, because the way that you put the information inside is what actually describes how you work with this. So implementation is extremely important: that you put in the right information and get the right output, and most importantly you anchor this in your management team so that the tool can be used properly in the entire organization. Otherwise, when I go as an auditor to audit at least European companies (I've also been in audits in the US), you have one compliance officer, probably one management system officer, a risk officer, and that's it; that's the area of people who know how to use GRC. When you ask a CEO, COO or CTO, they don't even have any idea whether they have access to this system or not. And that's not the way it's supposed to be.

So, the US compliance landscape: it's not all bad that you have this segmentation and fragmentation. It's sector-specific, and the laws actually offer a lot of detail, including HIPAA, GLBA and other kinds of assessments, and it's also market-driven, which is good. But it also can have some lack of comprehensiveness, and to my assessment as an auditor I would say that the US regulation can be a little bit more proactive compared to the US. For example, DORA has come requesting all the companies to do a proper assessment, risk assessment, do the incident analysis and do the testing in advance before something happens, because once something happens, then you internationally get bad hits to your reputation. It costs you a lot and it's not good. So being proactive in that is really good. There is also some inconsistency across the industries that creates problems. So if you have one unique regulation, for example GDPR, that is unique for the whole of Europe, that reduces a lot of inconsistencies.

The key lessons from GDPR and DORA, I would say: harmonization is good; proactiveness is good; and responsible data governance that prepares you for the AI Act that is coming. I was happy to talk to a lawyer in the US a couple of weeks ago and see that the US is also doing something, not exactly like the AI Act, but about responsible AI, and creating resilience, which is important. The actions that I would recommend are to adopt the best practices. I'm not saying copy whatever is in the EU, but there is some good stuff there that you can be inspired by and use. Then you can enhance the cross-border compliance program, because especially when you're working together you need to understand how the company requests you, so you can arrange yourself. Then you can leverage technology for compliance automation and advocate for regulatory clarity, because there is a lot of regulation coming, and overlap has to be considered. A lot of people think, at least in Europe, I hear from most of the CEOs when we have the CEO forum in Europe, that when a new regulation comes, "Ah, it's another one." It's not supposed to be like that, because at the end of the day, if you are thinking about regulation as having an umbrella in a storm, it will collapse sooner or later. So that's not how it's supposed to be, but building resilience for yourself and setting up your company in a way that when everything comes, then you can prepare yourself through a proper GRC system. That's the way it's supposed to be, and that's where you can actually go global and do business with other countries, and that's how we are building this model, and hope to reduce school shootings in the US.

So what I have done, being very concrete, is to take all the GDPR regulation and all these 20 states' data privacy regulations and list them in one long Excel for myself and my team, to understand what the minimum requirements in each state are. What we are doing now is taking the most strict requirement at the end, to make sure that we are in compliance with all of those regulations in all the lines of our Excel.

So that was my message today. I have started a YouTube channel this year, and I recommend you follow it. This is to raise awareness of how important school security is. Everybody has a kid, or you have a family that has a kid, and I think and I hope that one day we can really forget this school shooting problem. The only thing I couldn't touch was the policy. If you look at the interviews there on YouTube, you see that I have interviewed David Walker, the controller of states, who was one of the first ones I interviewed, and he was asking me, "Why don't you change the policy?" I'm not a policy maker; I will not change it. I just turned the question back to him and said, "I circle back: why don't you do anything with it?", because his wife is in the business of teaching. The thing that I can do: I have learned AI, so what I can do is use AI to try to do something for this society, and I hope everybody can support it. I'm at your service if you have any questions. [Applause] Thank you.

Yes. Question.

How did you find your way from school shootings to these finance regulations? I didn't make that connection.

Okay. DORA, for example, regulates financial... well, DORA is actually part of compliance. So if you want to talk about compliance, it's DORA, it's GDPR, it's the AI Act, and it's a list of breathtaking regulations. So school shooting is part of it, because you use the AI Act, you use GDPR, you use resilience testing, so there are at least 11 regulations that I have listed for this school shooting. So school shooting is one business that you can use as an example to meet a lot of the regulation that is in front of you. You're welcome. Yes.
I'm not sure, in this fragile world that we have. Honestly, nowadays I'm so unsure. Every night I sleep, I'm not sure what's going to happen the next day. But what I definitely know is that the governments and the politics are all about money around the world, and they do all their best to get money from the people and companies. That's for sure, I know. So I make sure that I'm in compliance to not pay unnecessary penalties.

So a big part of GDPR, US GDPR, do you know where... I'm a citizen, Washington backis

Well, about the future, I'm not a politician to make the law, honestly, so I don't know the answer to that. But what I definitely know, for example for my business, which is school shootings in the US, is that I'm taking the most strict regulation that exists, because I'm very excited about the 30 other states that still don't have data privacy; they will come sooner or later, and my business is to make sure that I'm in compliance with all the future regulation that is coming. So the way that I have made myself agile is to break down this regulation in the Excel file to make sure that I have listed them. So when any new regulation comes, I will match the lines and find out only the gap. So the gap will be my business in the future. I don't know if I answered. Yeah. Yes.

Well, nice to CRA and all of this, they have different elements of security, and I think again we're coming back to the gap. That's what I usually do. You list what is, for example, in these two, in DORA and in other regulations, that is connected to you, because not everything is applicable to you. That's important to notice. So you just list the regulation that is applicable to you, then break it down to an understandable list, and every time a new regulation comes you just match and find the gap. Yes.

This is more common for everybody else, since you're not local, but I have a special interest in DORA. I'm in the midst of drafting the company's terms into the European market, and if anybody else is kind of in a similar place... Great job.

Yeah, that's okay. No worries. I would be happy to continue the conversation as well. Yeah, great. I think the time is up. Thank you so much. Have a good rest of the day.