Editor’s note: The ISACA Now blog is looking ahead to 2024 with to-do lists from ISACA experts for professionals working in IT audit, risk management, information security, privacy and IT governance. Today, Gary Carrera shares his 2024 to-do list for privacy professionals. See more privacy resources from ISACA here.
2024 is shaping up to be a period of transformative shifts in the realm of privacy. As guardians of sensitive data, privacy professionals need to navigate this dynamic landscape. Here are five pivotal tasks that should top privacy professionals’ 2024 to-do lists:
1. Embrace Evolving Privacy Regulations
The ever-evolving landscape of privacy regulations demands vigilance and adaptability. Stay ahead by immersing yourself in the intricacies of emerging regulations such as the EU’s Digital Markets Act (DMA) and Digital Services Act (DSA), forthcoming updates to existing frameworks such as GDPR, and other privacy regulations like CCPA and LGPD. Keep a finger on the pulse of global privacy legislation to ensure compliance and strategic alignment.
There is a trend in the privacy landscape of many countries adopting a more serious approach to regulating the use of personal information in their jurisdictions. While some of the new regulations are similar to GDPR in nature, others seek to resolve regional or country-specific problems. Here are some of the regulations under development:
Asia-Pacific Region:
- China: China has been bolstering its data protection framework with laws like the Personal Information Protection Law (PIPL) and Data Security Law (DSL), which are expected to strengthen data privacy regulations.
- India: The Personal Data Protection Bill (PDPB) aims to regulate the processing of personal data in India, drawing parallels with GDPR. Its passage could significantly impact data handling practices.
Latin America:
- Brazil: Brazil’s General Data Protection Law (LGPD) has already come into force but might witness further developments or refinements in enforcement mechanisms and scope.
- Other nations: Countries like Argentina (with the Personal Data Protection Act) and Chile (with its Data Protection Law) continue to refine their privacy frameworks.
Middle East and Africa:
- South Africa: The Protection of Personal Information Act (POPIA) has been in effect, and its implementation phase might see developments in enforcement and compliance.
- Other nations: Various countries in this region are exploring or enacting data protection laws, aiming to strengthen privacy rights and data handling practices.
European Union:
- GDPR updates: The GDPR, while already enforceable, might witness amendments or updates to address evolving technology, data sharing and enforcement challenges.
- New regulations: Apart from GDPR, the EU is introducing the Digital Services Act (DSA) and Digital Markets Act (DMA), aiming to regulate digital services and markets, potentially impacting data privacy and consumer rights.
North America:
- Canada: Canada is considering updates to its privacy laws with the proposed Digital Charter Implementation Act, which could introduce GDPR-like standards.
- United States: While there isn’t a federal-level comprehensive privacy law, individual states (e.g., California, Virginia) have enacted or are considering privacy laws (e.g., CPRA in California).
2. Redefine Data Protection Strategies
Building on the evolving regulatory landscape, the next critical task involves redefining data protection strategies:
- Elevate data governance by reassessing policies, bolstering encryption measures and adopting advanced technologies like differential privacy or homomorphic encryption to safeguard sensitive information.
- Collaborate with IT teams to reinforce security frameworks and ensure alignment with evolving threats.
- The increase in regulatory requirements demands adaptable and scalable privacy programs and frameworks.
It is fair to say that, at times, there may be similarities in the requirements from different privacy regulations. However, in some instances there may be conflicts as well, so maintaining flexible programs that allow for scalability becomes paramount for the success of the data protection strategies. Creating separate or standalone programs, controls or frameworks to address each regulation could be expensive and highly inefficient for companies.
3. Empower Privacy by Design
Moving forward, an essential aspect is embedding privacy into the fabric of organizational culture through Privacy by Design principles. Here’s how we can make it happen:
- Privacy integration in product development: When creating new products or services, let’s make sure we’re considering privacy right from the start. That means thinking about how we can minimize the data we collect and ensuring that any information we do gather is protected. We should aim to build user-centric features that prioritize our users’ privacy.
- Cross-functional collaboration: Privacy is not just one team’s responsibility—it’s everyone’s. Let’s bring together people from different parts of our organization—designers, developers, legal and more—to weave privacy into every step of our work.
- Encouraging a proactive mindset: Let’s not wait for problems to arise. Instead, let’s actively seek ways to enhance privacy measures. Whether it’s conducting regular privacy impact assessments or staying updated on the latest privacy best practices, adopting a proactive approach is key to keeping our data—and our users—safe.
- Training and awareness: Providing training and fostering awareness across the organization about the importance of privacy is crucial. When everyone understands why privacy matters and how their work contributes to it, it becomes a collective effort toward a common goal.
4. Amplify Transparency and Accountability
There is an increased focus from data protection regulators like the Irish Data Protection Commission on transparency practices, which is understandable as transparency is the cornerstone of trust. Here are some actions privacy professionals can take to proactively tackle this in 2024:
- Elevate transparency by refining data-handling practices, enhancing disclosure mechanisms and empowering users with clear, concise privacy notices.
- Embrace accountability by conducting comprehensive privacy impact assessments, proactively addressing vulnerabilities and fostering a culture of continuous improvement.
5. Champion Ethical Data Use and Ethical AI
Data is the heartbeat of innovation, but using it responsibly is key. Here’s how we can keep our ethical compass in check:
- Responsible data-handling: Let’s collect, use and share data responsibly. That means being mindful of what data we gather, ensuring it is necessary and handling it with care to protect privacy and confidentiality.
- Embracing ethical AI: Artificial intelligence (AI) brings immense possibilities but also ethical challenges. Let’s adopt ethical AI frameworks to guide us through these complexities. These frameworks help us ensure fairness, transparency and accountability in our AI systems.
- Balancing innovation and ethics: Innovation drives us forward, but ethics keep us grounded. Let’s foster conversations between different teams—tech, legal, ethics and beyond—to strike the right balance. It’s about innovating smartly while staying true to ethical principles.
- Continuous learning and adaptation: Ethical considerations in data use and AI evolve. Let’s commit to ongoing learning, adapting our practices and staying informed about new ethical standards. This way, we can ensure our innovation aligns with ethical values.
In conclusion, the year 2024 presents a pivotal moment for privacy professionals to recalibrate strategies, navigate regulatory nuances and champion ethical data practices. By embracing these imperatives, privacy professionals can lead the charge in fortifying privacy landscapes and shaping a responsible, data-driven future.
In addition to industry privacy certifications, there are many resources out there that can help privacy professionals be ready for the never-ending changes in the privacy landscape, including:
- European Data Protection Board – Guidelines, Recommendations and Best Practices
- European Commission – Digital Markets Act (DMA)
- European Commission – Digital Services Act (DSA)
- European Commission – Upcoming Artificial Intelligence Act
About the author: Gary Carrera is a Governance, Risk and Compliance Leader at Meta. He has 15 years of experience supporting large tech companies in Information Security and Privacy programs, most recently at Meta and Apple. He holds an MS in Business Administration and Project Management, and holds the CDPSE, CISM, CISA, CCSP, HITRUST CCSFP and ISO 27001 certifications, among others. The postings on this site are the author's own and don't necessarily reflect his employer's positions or opinions on the subject.