Last week, on Data Protection Day, I was honored to speak at the EU Parliament at an awesome event organized by the Federation of European Direct and Interactive Marketing (FEDMA), aimed at promoting self-regulation as a compliment to the EU’s upcoming data protection regulation. The audience included a number of MEPs, new European Data Protection Supervisor Giovanni Buttarelli, MEP staff members, representatives from the European Commission and self-regulatory organizations.

FEDMA, an important umbrella organization for the EU Data-Driven Marketing industry, did an amazing job at organizing this event. The cast of speakers, all all-stars in their own right, including such luminaries as MEP Anna Maria Corazza Bildt, Oliver Proust of Fieldfisher, Nicolas Dubois of the European Commission, Marty Abrams of the Information Accountability Foundation, Assistant European Data Protection Supervisor Wojciech Wiewiórowski and Chris Sherwood of Allegro, all came at self-regulation from different angles and raised thought-provoking issues for the EU legislators to think about.

For my part, I spoke from the business perspective and discussed not only the limitless potential of data, from the ways big data and the Internet of Things can change society, but also some of the more mundane ways data can be used by business to drive revenue. As importantly, though, I discussed many of the inherent risks that the new uses of data carry, including the loss of transparency and control over the electronic bits that comprise our digital selves.

With disclosure that I am the chief privacy officer at Ghostery, a company that supports and thrives from the digital advertising industry’s self-regulatory programs in the U.S., EU and Canada, I riffed about life in what I call the Post-Internet Age, an age that has the Internet as its foundation but also includes the billions of connected devices talking and sharing data between them. In this Post-Internet Age, the collection and movement of data is not only accelerated, but uses of data to drive new channels of revenue are often not even conceived when the data is collected.

And there is where we, as privacy advocates, are challenged. How do we structure new data protection laws, which are by definition rigid, to allow for not-yet-conceived technologies and uses of information?

It’s a challenge, no doubt.

This challenge can be addressed however. My message—one of optimism—was that self-regulation, when done right, can be a compliment to legislation but not a substitute. When done right, self-regulation can help to establish best industry practices for companies to benchmark against, is a dynamic tool to build trust between organizations and their consumers and is flexible enough to quickly adapt to and incorporate new technologies and uses of data that couldn’t be dreamed of when the legislation was enacted.

Self-regulation is predicated, however, upon the notion that there must be industry-wide adoption, robust monitoring and enforcement by an independent accountability agent and backstopped by the data protection regulators who have meaningful enforcement authority.

In conversations with many of the MEPs, it feels like we are on the homestretch, and that one way or another, we will have a vote on the data protection regulation this year. From the level of interest I saw and from conversations I had with various MEPs, there is keen interest in structuring the data protection regulation in a way that is close to right as possible—and I hope that this includes giving certain digital industries, such as the marketing industry, the space to grow their already-successful self-regulatory programs to compliment what surely will be the global gold standard of data protection laws.