Surfing the wave of big tech regulations
The global regulatory landscape is changing—fast. Landmark regulations have sharper teeth than those that have come before.
The next wave of technology regulations
The global regulatory landscape is changing—fast. Landmark regulations—such as the European Union’s Digital Services Act and Digital Markets Acts—herald a new wave of regulations impacting technology firms. These laws cover a broader range of Risk and Compliance topics, invite significantly more public scrutiny on internal controls and operations, and have sharper teeth than those that have come before.
Key themes in BigTech regulation
- Platform responsibility for third party content
- Algorithmic transparency
- Consumer privacy&data protection
- User safety
- Content moderation
- Anti-competitive behaviour
- Consumer fairness
- Transparency and reporting requirements
- Consumer choice and empowerment
The increasingly public and politicized role of technology, particularly with respect to artificial intelligence, disinformation, and digital safety, has led to increasing social pressure on regulators to do more to curb online harms and protect user privacy as well as promote competition. The next wave of Big Tech regulations is coming.
* Mentioned legislation is meant as an indication of global developments and does not provide a complete overview of all relevant legislation
Learning to surf
The impacts of non-compliance with these new regulations are potentially significant, from both a financial and reputational standpoint. However, the approach to this new regulatory landscape should not be to limit consequences, but to seize the advantage for your business. Technology firms can capitalize on this opportunity to demonstrate leadership and build public trust in a new era of responsible technology development to maintain or achieve a competitive edge. Increasing regulations offer the opportunity to showcase the energy and investments you have already made in offering services that provide value to the public, foster growth and innovation, and make the Internet a safer place. And so, to apply the famous Jon Kabat-Zinn principle that you can’t stop the waves, but you can learn to surf:i how can you achieve a strategic advantage in this regulatory and business environment?
01 Be proactive
Anticipating regulatory movements and engaging directly with regulators reduces the overall cost of regulatory response by giving your policy teams a chance to shape the regulations, as well as their practical implementation and timeline. This helps to avoid a reactive or crisis response, which can be disruptive and costly to the business.
It is equally important for compliance teams to adopt a proactive stance. The Digital Services Act requires a suite of compliance and reporting activities under a very tight timeline, but making the choice to invest in a holistic and integrated compliance structure will pay significant dividends as additional similar regulations—like the UK Online Safety Act—roll through. Failure to harmonize compliance and risk management across the various regulatory requirements will result
in a regulatory response environment that is unsustainable for your team. But a holistic and streamlined compliance function will provide you with a competitive advantage in the market, reducing the burden of regulatory compliance and enabling your teams to confidently release new products and services in full compliance with applicable laws.
Additionally, there is limited precedent for the type of regulation we are seeing today, in particular for components related to online safety and systemic risk. Early respondents to this new wave of regulations will set the standard by which
other technology firms are judged. A reactive posture means retrofitting your story to the mold built by companies with different metrics, successes, and challenges. With a robust and proactive posture, you can set the standard and tell your story the way it is told best.
02 Be transparent
The nature of this new wave of regulations is public—both in the attention the regulatory activities are garnering as well as the external and public nature of the significant reporting requirements. This too can be leveraged to strategic advantage.
Limited awareness of Big Tech’s efforts to curb online harms, protect user rights, and be a good neighbor overall can leave an information gap that breeds misinformation. But proactive, clear, consistent communication will build trust with both regulators and the public that will enable your company to weather any incidents that may arise.
Practice radical transparency. Showcase the resources, energy, and capability you have already invested in making your platforms safer and more secure. Describe the processes you have put in place to weigh risks and trade-offs on the tough decisions. Big Tech has a good story to tell. You have the resources and know-how to lead the way in responsible design and in the development of controls and other mechanisms to keep making the Internet a safer place. And the more clearly and consistently you share that message, the more trust you will build.
03 Be pragmatic
There is no perfect technology platform or service. It is impossible to completely eliminate bad actors and harms from digital platforms. And there is an inherent tension between various regulatory movements, which requires trade-off and risk balancing. Big Tech should take a pragmatic approach in the integrated application of risk management and compliance functions for this new wave of regulations.
While best practices tout developing services with villains rather than heroes in mind, no platform or service can entirely avoid the potential for misuse. Demonstrating progress year over year, showing improvements such as faster detection and more effective mitigation or expansion of capabilities across surfaces and languages, is a more pragmatic target, for both regulatory bodies and the tech sector.
Understanding the various drivers behind regulatory action can help in balancing risks, prioritizing mitigation, and adjusting activities to help address root issues.
For example, Technology firms can demonstrate good faith and highlight the value of Big Tech resources and experience in countering online harms by continuing to share information, join coalitions, and support smaller technology firms as they develop responsible platforms. Technology firms can also invest in local communities, use local vendors, and contribute otherwise to the local economy to supplement efforts to address the root issues driving competition regulations.
Entering the line up
So what does a holistic and integrated compliance program look like? How do you streamline regulatory compliance functions to build trust and achieve a competitive advantage? How do you build a regulatory risk and compliance structure that will enable a proactive posture through each wave of new regulations?
This Regulatory Compliance Framework can serve as a starting point for evaluating your existing compliance structure against key requirements of this wave of technology regulations.
KPMG is invested in supporting our technology clients to help achieve a strategic advantage in this evolving regulatory environment. Here are some services we can offer to help you prepare, transform, and execute on your regulatory risk and compliance requirements:
1
Full Spectrum Regulatory Compliance
Our global team has developed a holistic framework for comprehensive risk and regulatory compliance management. We support our clients across the three lines of defense from light touch advisory to full-service implementation, from gap assessment to compliance program transformation and everything in between.
2
Risk Management Design and Implementation
Our team designs and implements streamlined risk assessments, quantitative risk monitoring, and integrated risk management programs to meet requirements across key regulations, including the EU DSA, and the UK OSA, as well as relevant Responsible AI frameworks.
3
Audit Readiness and Internal Audit
We support our clients to prepare for and manage external audit engagements end-to-end, developing Risk and Control Matrices, supporting audit evidence documentation, and preparing your stakeholders for audit expectations to help ensure streamlined engagements and reduce the overall burden on your stakeholders.
4
Safety by Design
Our team blends expertise from civil society organizations, regulatory bodies, peer tech firms, and risk and compliance professionals to develop and recommend responsible, pragmatic, and audit-ready product features.
5
Responsible AI
Our team applies industry-leading practices for conducting responsible AI gap assessments, documenting algorithmic systems, and designing, implementing, and testing AI controls to meet regulatory requirements and Responsible AI frameworks.
6
Control Design and Governance
Our team evaluates controls, recommends enhancements to your control environment, trains control owners, develops control testing strategies and tests your controls, covering the spectrum of controls from compliance process controls to Algorithmic System testing.
Meet our team
