Our experts from the Consultancy Team within PrivacyEngine have set out to shine a light on the year ahead as privacy legislation has increased across the globe, cybersecurity has become an ever-increasing need as data breaches, hacking and ransomware attacks have become more commonplace, and technology has advanced throughout the year while its impact has become increasingly difficult to calculate. Companies will need to begin planning now for 2024 and your business operations will need to include how you will manage privacy risks.
Depending on the business, building a strong privacy communication strategy will be a part of many business strategies considering the number of data breaches as well as ensuring your suppliers have adopted similar strategies which may require collaborative security approaches. Another problem may be cross-border transferring of data and depending on the safeguards and controls that are required to be in place before the data transfers can begin, the company will need to ensure that they are not breaching any new privacy legislation or digital regulations. When it comes to business continuity, customers want reliability and security for their transactions and personal information. Reputation can be damaged by privacy concerns and doubtful security policies meaning privacy is no longer just an issue for the DPO of a company, it is a problem from top to bottom for a company.
PrivacyEngine’s Experts know that these problems will only become more difficult to navigate as the year continues and that is why we have expanded our platform to encapsulate the controls required for compliance with digital regulation as it comes into effect. We have started to expand our use of international standards to ensure companies can achieve certification while making progress with the requirements set out in legislation. Our platform has expanded to provide users with more control over their policies, logs and documents while Consultants can offer programmes and advice on achieving compliance, transferring data across borders through binding corporate rules or standard contract clauses and on how to mitigate risks identified through your privacy risk assessments. When it comes to 2024, data will become an even more valuable asset but with that data becomes responsibility. Manage your responsibility with PrivacyEngine.
Digital Legislation Impacting 2024
A.I Act – Formally Adopted in January 2024
With a political agreement reached on the EU Artificial Intelligence Act as of the 8th of December, 2023, businesses will see an increase in AI in 2024 with a focus on preparing for the AI Act implementation which may take place in late 2025.
NIS2 – Deadline of the 31st of October 2024
Network Information Security Directive singificantly expands its applicability with entities required to implement cybersecurity measures and specific controls depending on your relevant sector. In 2024 we can expect national authorities to implement the measures outlined within the Directive and businesses will be required to follow suit
MiCA – Formally Adopted in Late 2024
Despite the regulatory framework and its benefits around certainty and establishing clear guidelines, questions remain about how to ensure privacy will be safeguarded. Based on caselaw in the United States we could see cryptocurrency become further centralised in 2024.
DORA – (Digital Operation Resilience Act) Enforced on the 17th of January 2025
Digital Operation Resilience Act will act as lex specialis to the NIS2 Directive as it aims to strengthen the IT security of financial entities such as banks, finance companies and investment firms to prevent the operational disruptions that occurred in 2023.
DPDI – Royal Assent in February 2024
Data Protection and Digital Information Bill is worth keeping an eye on as it proposes to regulate the sharing of personal data between users and businesses. Businesses within the UK will be provided with further guidance from the ICO once Royal Assent is given to the Bill.
Data Act – Deadline of early 2025
The Data Act fell under the radar within the Digitial Regulation that the European Union announced as part of the digitilisation of the EU. This Act will require businesses to increase their data interoperability while improvements will be made for SME’s in terms of contractual imbalances, all to look forward to throughout 2024.
These are some of the new digital regulations that businesses in each sector of the economy will need to consider as we enter 2024. The importance cannot be understated as companies will need to seek guidance to understand what sections of the regulations are relevant to their industry, how to implement proportional controls based on your market share and the penalties for failing to adhere to the incoming legislation.
Reasons for Considering Privacy in 2024
This section of the paper will focus on privacy-related concerns that may be of interest to business entities that are considering business continuity investments for 2024-2030 as part of their business operability strategies.
GDPR as the Foundation for Compliance
Nearly 75% of the world’s countries have implemented Data Protection legislation. This will impact counties expansion into other countries with safeguards required to be implemented if expanding into countries outside the EU or transferring data to a parent company outside the EU. It is also worth considering the distinction between General Data Protection Regulation (GDPR) and the third countries own Data Protection legislation when implementing privacy controls as there will be certain controls that you will need to be aware of as they will be different from the controls set out in the GDPR. Companies should pay particular attention to the distinct difference when it comes to:
Consent
- We have noticed that consent has been decreasingly utilised as a legal basis for processing with companies seeking to expand their purposes for processing through the legal basis of legitimate interests. In most cases this year, consent has been often used in the UK and EU for processing special category data or processing data through a potentially intrusive method of acquiring personal data.
- The GDPR has made it more difficult for organisations to rely on consent, by setting high standards for obtaining a valid and informed consent such as requiring a separate consent for each processing activity and each extended purpose, rather than seeking a single blanket consent to the privacy policy which is no longer accepted.
DPIA
- Many countries outside the EU and certain US States have required or recommended carrying out Data Protection Impact Assessments (DPIA) on high-risk processing activities or activities that may have a significant impact on the rights of individuals.
- As Data Protection legislation continues to become a common trend, we can see that countries are continuing to recognise the importance of business entities creating records and maintaining documented records and assessments of decisions made on processing within the business when it relates to personal data of consumers/employees/users.
- Data Protection Impact Assessments can even be amended in the future to accommodate artificial intelligence processing systems instead of creating an entire new assessment for AI.
The human-centred approach to privacy is beginning to become globally recognised meaning that complying with the General Data Protection Regulation is the perfect starting point for compliance but companies will need to take into account the distinctions between regulations.
Advances in Technology
It will be important for companies to track the current rapid developments in technology closely and to identity the areas of difference that affect them most in the markets in which they operate. The biggest concern for business entities going into 2024 will be how they correctly integrate new technology into their existing systems while adhering to privacy legislation and security standards. The key technology for 2024 will be artificial intelligence.
Artificial Intelligence
Unsurprisingly, Generative and Foundational Model AI has surged and will continue to do so over the next number years. It is predicted that the AI market will grow by 36.8% by 2030. The legislation will continue to be forthcoming with the US and China poised to follow the European Union in announcing AI regulation. The goal for all governments being to catalyse on technological advances while mitigating any risks posed by AI to the fundamental rights and interests of citizens. The increase in legislation will lead increase the compatibility and interoperability of AI. The outlook for 2024 for businesses considering to in the progress of implementing AI will benefit from considering the following:
- We can expect to see more companies using AI’s ability to ingest text, voice, and video to create new content thus, increasing productivity, innovation, and creativity.
- Due to open-source pre-trained models, generative AI applications that solve specific business challenges will become part of businesses’ operational strategies. Forecast accuracy based on data-driven AI will become more persistent, as can be seen in the marketing to predict consumer behaviour to provide insights that will be useful for resource allocation.
- Most companies will focus on AI as part of their research and development funds to understand where the implementation of AI could increase profitability or decrease running costs. This will ultimately depend on the economic area that your company operates within as well as the specific problems and/or goals that you are seeking to address/achieve by using AI.
- Businesses will begin to use AI to carry out repetitive and mundane tasks to free up valuable time and resources for strategic activities, we can see this becoming increasingly used for handling customer queries using chatbots.
Artificial Intelligence overlaps with privacy in relation to the data that is used to train the AI, how to operate AI if a user opts-out, what is the legal basis for processing, whether the data is hashed or encrypted for the purposes of making it non-identifiable etc. Various trade-offs may arise in the development of AI, and it is important to find the right balance between aspects such as accuracy, privacy, transparency, and responsibilities to explain the AI.
Increased Risk & Liability
Businesses are transforming how they navigate everything from customer experience to third-party relationships, to regulations, to an expanding threat landscape borne of the sheer volume of data. And they must do it all while being innovative, finding new opportunities, delivering value, and remaining competitive. The risks for businesses have increased in parallel with the liability for senior management for failure to address risks, especially risks associated with information security and personal data. Interestingly, we have seen various approaches across the globe when it comes to holding businesses responsible for privacy regulations:
European Union
Under the GDPR, Data Protection Authorities (DPA) can impose fines of up to €20 million or 4 per cent of worldwide turnover for the preceding financial year, whichever is higher. Under the NIS2 Directive, senior management and board members can be held personally accountable for failing to implement measures set out in the Directive. This personal liability can even bring criminal proceedings if the Member State wishes to include this as part of the implementation of NIS2 into Member State law.
The concept of immaterial damage stemming from GDPR will also be a topic of interest for 2024 with national courts determining whether appropriate controls mitigated the outcome of the data breach and liability may fall at the feet of the data controller if appropriate controls were not implemented beforehand.
United Kingdom
The Information Commissioner has the power to issue a monetary penalty for an infringement of the provisions of Part 3 of the Data Protection Act [2018]. Any penalty that they issue is intended to be effective, proportionate and will be decided on a case-by-case basis.
The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under the Act or in relation to any transfers of data to third countries.
United States
A new EU-US Data Privacy Framework was adopted in July 2023 to facilitate personal data transfers to US entities participating in that scheme. Given the continued uncertainty over whether the framework will survive an expected legal challenge (and other limitations) it is likely that many personal data transfers to the US will continue to rely on safeguards in 2024. These can be liable to legal challenges meaning cross-border transfer to the US is continuously tense for companies that rely on it.
Moreover, the January 2023 Executive Order, the FTC can now hold senior management liable for the company’s inaction in relation to information security measures. This is similar to the European Union’s approach within its incoming legislation where senior management can be held personally accountable for inaction in relation to NIS2.
Risk from Supply Chain
The risk from third-party and supply chain will be a trending topic going into 2024 with companies beginning to be held responsible for failing to carry out third party questionnaires and risk assessments for a third-party process. Failing to adopt appropriate controls will result in liability and fines for the board of management and senior management. Hacking and ransomware have evolved to target any gaps in security meaning companies that lack a centralised information security infrastructure will be leaving themselves vulnerable.
PrivacyEngine has expanded its platform to encapsulate the risks posed by hackers to supply chains by allowing companies to require third parties to do training, fill out third party questionnaires on their processes and set up policies/codes of conduct that increase the documentation required to show that your company set appropriate safeguards in place in the event of a data breach.
Summary
The enforcement trends outlined above show the importance of companies and other organisations continuing to place emphasis on compliance with privacy and related laws as penalties and personal liabilities will continue to be a trend in 2024 with DPA’s and the FTC using various methods to ensure compliance. The difficulty for companies is understanding how management can show their top-level support and addressing any concerns that may hold them personally liable. This varies depending on the legislation, but the focus will be on ensuring the appropriate training has taken place, that policies are being used and that staff are aware of their responsibilities. Clear auditable evidence of these steps can be seen using the PrivacyEngine platform.
Conclusion
Companies ranging from large enterprises to small-medium enterprises will all face the same privacy concerns in 2024, the key will be allocating appropriate funds towards risk management, especially risks stemming from privacy and cybersecurity. It follows then that:
- Companies can increase their profitability and interoperability by using new technology such as AI, cloud computing and data driven solutions, but privacy risks will continue to persist especially with the enormous amounts of data that these technologies require from companies to be effective. 2024 will see new technological advances but companies will be required to make themselves aware of their responsibilities when using certain technology, especially where privacy is a concern.
- Privacy legislation has increased globally with many legislators adopting certain aspects of GDPR, mostly the legal basis, documentation and the risk management aspect, meaning companies that are considering entering a market will need to make themselves aware of the privacy legislation within that country and account for the distinctions between that legislation and GDPR in 2024.
- Data Protection authorities will take into consideration documentation and mitigation measures as well as policies implemented to prevent disclosures and breaches. In 2024, the penalties vary but depend heavily on the financial standing of a company and the role of senior management, who may face criminal or personal liability for failing to adopt certain measures. This marks the importance of executive buy-in.
- The incoming legislation that will be adopted, taking effect or implemented in 2024 will impact the global economy which means the ‘first-movers’ will benefit from taking the first steps in in preparation for compliance with key legislation such as the NIS2 and the AI Act. Cost-effective measures require planning, allocation and strategic business meaning taking the first steps to comply with legislation will put you ahead of the market but spending early brings the risk of implementing irrelevant controls and policies.
- The current economic climate is unprecedented with businesses seeking to take advantage of the recession by allocating resources to consolidating their place in the market or acquiring new business. The 2024 financial year will be difficult to predict, especially with war and an ever-changing political landscape having considerable influence on the markets, companies in Ireland & the UK are conscious of their markets and how any advantage can see their profitability soar.
The forecast for 2024 is based on the exciting trends seen throughout 2023 as we see the rapid expansion of technology and companies in this field, 2024 will bring the regulations and legislation that sets out to protect the interests and rights of the individual but at what expense to innovation and companies?
