2023 brought a dynamic global privacy landscape with new privacy legislation, increased enforcement action, newsworthy fines, massive data breaches and novel technology advancements, particularly in generative AI. These trends are expected to continue as 2024 promises to be another eventful year for privacy professionals, who will be challenged to navigate compliance challenges and mitigate privacy risks with limited resources.
In this blog post, we will look back at the significant privacy developments in 2023, highlight key insights from ISACA’s latest privacy research and discuss major focus areas for privacy professionals as they build their 2024 data protection roadmaps.
Key Privacy Takeaways from 2023
2023 saw the enactment of numerous pieces of data privacy legislation in various jurisdictions. In the US alone, the number of comprehensive state privacy laws enacted increased from five to 12 (possibly 13, if we include Florida). While significant overlaps exist in these new state laws, privacy professionals must evaluate the nuances in compliance requirements and consumer rights to build their 2024 compliance strategy. As there was no breakthrough in passing an omnibus US privacy law at the federal level, the country will likely see more state laws being enacted for which organizations will need to continue investing in a regulatory patchwork compliance program.
Privacy also took center stage elsewhere around the globe, with several countries enacting new privacy laws and amending existing laws in 2023. Notable examples included India’s Digital Personal Data Protection Act, Vietnam’s Personal Data Protection Decree and the Kingdom of Saudi Arabia’s Personal Data Protection Law. In 2024, among other jurisdictions, Indonesia, Brazil, Canada and Australia are expected to finalize rules/commence enforcement, and privacy professionals will need to monitor developments for in-scope jurisdictions and accordingly tailor their organizational compliance roadmaps.
Turning to personal data transfers, the third iteration of the EU-US Data Privacy Framework announced in 2023 was met with a lukewarm response from the industry. Many organizations are adopting a wait-and-watch approach in case the adequacy decision is challenged and overturned in court. However, privacy professionals at organizations deciding to self-certify with the framework will need to comply with the amended privacy obligations and update their programs in 2024.
In addition to hot topics like data scraping, tracking technologies, AdTech, children’s privacy and biometric/health data, AI developments dominated the privacy discourse. AI saw rapid technological advancement, industry adoption and policy developments (e.g., the US AI Executive Order and the EU’s AI Act). In 2024, privacy professionals will likely see their roles expand to include responsible AI management. They will need to work cross-functionally to build sustainable AI governance programs and extend safeguards for AI use cases.
Privacy in Practice 2024: Key Insights
Amid this evolving privacy landscape, ISACA surveyed more than 1,300 global privacy professionals to gather insights on privacy staffing, organizational structure, frameworks, policies, budgets, training, data breaches and priorities for its newly released privacy research, Privacy in Practice. The following three main themes emerged: Privacy teams are understaffed across the board but technical skills are in highest demand; practicing privacy by design is a top-down initiative that requires strategy alignment; and training and awareness are vital aspects of successful privacy programs.
- Closing the Privacy Skills Gaps
While several specialized privacy roles exist that differ in scope based on the organization/industry, privacy professionals are generally bucketed into technical or legal/compliance functions. Legal/compliance roles have expertise in privacy laws and regulations, while technical roles focus on implementing controls to preserve privacy. Privacy skills continue to be in high demand across the board, with larger understaffing in technical teams (62%) than in legal/compliance teams (55%) for 2024. This technical privacy skill shortage trend has been consistent over the last several years and has worsened from last year's findings (~10% increase).
According to the report, the biggest skill gap exists in technical areas such as experience with privacy compliance tech implementation, Privacy Enhancing Technologies (PETs), technical reviews, etc. Privacy practitioners looking to upskill would benefit from including privacy certifications, technical coursework, rotational programs or cross training as part of professional development goals for 2024 for gaining technical privacy skills.
I discuss this topic in detail in my article “Help Wanted: Evolving privacy roles and the widening privacy skill gap,” published in ISACA Journal Volume 1, 2024. - Navigating Innovation with Privacy by Design
Privacy by design has been recognized in the industry as a proven model for proactive privacy risk management, but what does it entail in practice? ISACA’s report outlines critical characteristics for organizations that actively practice privacy by design, such as larger privacy teams with appropriately staffed technical privacy roles, privacy prioritized at the board level, privacy strategy aligned with organizational objectives and beyond checkbox compliance, and viewing privacy through an ethics and competitive advantage lens. These trends can serve as valuable tools for privacy professionals looking to benchmark and mature their privacy by design programs in 2024. - Building a Privacy Culture Through Training and Awareness Programs
The most common privacy failures, according to the ISACA survey, result from inadequate training. I believe privacy training and awareness programs have the best ROI in reducing the risk of breaches. However, most organizations (65%) report the number of employees trained as the sole privacy training program metric, which does not measure the program’s effectiveness. Privacy practitioners should revise existing training programs to address current risks, such as using customer personal data for GenAI tools, developing engaging content that can potentially include gamification, performing continuous monitoring, building feedback loops, and ensuring that the program is embedded in the company’s culture.
Access the ISACA Privacy in Practice 2024 report for a free copy of the complete research report and insights at www.isaca.org/privacy-in-practice-2024.