The deadline for GDPR compliance has finally arrived and, if you’re like my editor, you’re probably wondering what’s left to say on the subject. We’ve certainly run some excellent overviews of the new legislation here at CIO. But, hold your horses. The data privacy issue isn’t over just because GDPR is now a reality – far from it.

Similar regulations are being debated in Canada, Japan, Australia, and China. And in the US, last month’s news of the US Securities and Exchange Commission’s decision to slap Yahoo (Altaba) with a $35 million fine for failing to disclose a data breach has a lot of American businesses also asking what’s next in data privacy rulings? Will global businesses be able to meet new incoming standards and, more importantly, satisfy customers that their personal data is safe? There’s a lot we can learn from the GDPR experience over the last two years.

Do you understand the data you’re responsible for?

While a lot of attention was given to privacy and consent issues, like the right of citizens to access their personal data and information, for many these concerns turned out to be just the tip of the iceberg. Some major issues were realized along the way. As many companies discovered, recognizing and mapping data was far more complex than initially believed. It wasn’t just a matter of finding “John Smith” in a database. There needed to be a way to understand the identities behind the data, who are these people, what are these people, and what rights and obligations apply to the data.

“The amount of work necessary to prepare themselves for GDPR really surprised a lot of our clients,” says Christopher Glover, Chief Technology Officer of Prifender, which has turned to Artificial Intelligence to identify and map personal information across the organization.
“Enterprises with any sort of history have been accumulating data for years, and it’s often spread across multiple databases, email systems, and other document file systems in various repositories on and off the cloud. Manually having to inventory and label all that data was an arduous and labor-intensive task. Now that GDPR has been implemented, many are recognizing the need to automate the process, so that the system is continually monitored and updated and, of course, at a much lower cost.”

Defending that data may not be as easy as you think

Security of that data also presented unforeseen challenges. As they began the process of data mapping, many companies realized there were third-party issues they hadn’t previously considered, and those obscure relationships presented hidden security risks.

“Regulated companies are more at risk than ever from their third-party relationships,” says Richard Saville, Solutions Consultant at Opus, a New York-based global risk and compliance SaaS. “In a recent Opus and Ponemon Institute survey, 56% of respondents confirmed that their organizations experienced a data breach caused by a vendor. And only 35% of respondents have a complete inventory of third parties with whom they have shared sensitive information.”

Leonid Belkind, Co-Founder and CTO of Luminate Security, agrees, and suggests that managing secure access to sensitive data, and providing full audit and governance, may be almost impossible with traditional IT networks. “In modern enterprises, data is stored across a number of IT systems and relying on network level access controls and application internal controls and audits to manage the data leaves companies in a precarious situation if they lack a single point of control over their sensitive data repositories.
This exposes the organizations to heavy penalties under the new privacy laws.”

Belkind proposes an alternative approach, based on the Zero Trust Network philosophy, similar to Google’s internal project called BeyondCorp. With their Secure Access Cloud, all access to corporate services dealing with sensitive information is obtained first, based on a verified identity of the accessing party and security posture of the device they are using.

The silver lining? GDPR has companies thinking ahead

Cybersecurity expert and Founder and CEO of Illusive Networks, Ofer Israeli, says the lead time to GDPR has been crucial. “GDPR has actually forced enterprises to think about future threats, and that’s a good thing, because they must ensure that data collected now always remains secure,” says Israeli. “Attackers get smarter all the time and their techniques are increasingly sophisticated, so you have to remain one step ahead of them.”

Illusive Networks, which has won several industry awards this year for this proactive strategy, is a pioneer of the concept of deception-based cybersecurity. Its intelligence-driven approach to cybersecurity leverages a range of advanced tools to manage the entire threat life cycle – from preemption, to detection and response – to mitigate advanced attacks and prevent an attack from having both business and data privacy legislation consequences.

Only machine learning and AI can solve data privacy headaches

If we’ve learned anything these past two years preparing for GDPR, it’s that new thinking like this will be required to stay one step ahead of threats to data integrity in the future, and provide the data management that regulators demand and customers and employees deserve. Artificial intelligence and machine learning offer exciting opportunities to meet these demands, which will only grow as more data privacy legislation is enacted around the world.