
Watch Out for These Privacy Trends in 2024

December 14, 2023

In 2021, Gartner predicted that three quarters of the personal information in the world would be subject to one or more privacy laws. Since then, we’ve witnessed the proliferation of regulations and regulators exercising their authority more forcefully. Soon enough, privacy laws and regulations will affect everything that private enterprises and public organizations are doing almost everywhere and all the time.

If the laws were consistent, this might be a relatively manageable task. But they are not. The basic principles may be consistent, but the actual responsibilities and requirements can differ significantly across various jurisdictions. Fortunately, the fundamentals of a strong privacy program are relatively consistent. A good starting point is the Privacy Compliance Trifecta, a set of principles focused on clarity and transparency around your organization’s privacy policies.

  • Say It: Make clear and transparent statements about your privacy policies.
  • Do It: Implement and follow through on the privacy promises you make.
  • Prove It: Be ready and able to demonstrate compliance and accountability.

As more and more regulations go into effect, organizations must lay the foundation for compliance with time- and cost-saving technology and defensible processes to meet these requirements. This article dives into two important issues that privacy programs must grapple with in 2024, but you can learn more in our recent whitepaper, Privacy Trends to Watch in 2024.

Privacy Trend #1: Artificial Intelligence

Historically, AI has meant “the simulation of human intelligence processes by machines, especially computer systems,” typically abilities like visual perception, speech recognition, decision-making, and translation. However, in 2023, generative AI, a type of deep learning AI that can produce new content outputs based on its understanding of input training data, has earned the most headlines and public attention.

While the US lacks a law governing AI, the White House has stepped up and issued a Blueprint for an AI Bill of Rights and an Executive Order on AI. Both actions demonstrate the administration’s desire to make AI more transparent, less discriminatory, and safer to use. Before using personal data in training sets, organizations must consider how purpose limitations and consent apply or risk noncompliance.

Put guardrails in place. Put policies in place and train employees on permitted use cases for generative AI and how to avoid compromising sensitive data. While some business units may want to move ahead as quickly as possible, the risks of generative AI mishaps like hallucinations, bias, and privacy violations are quite considerable. Leverage existing privacy programs and principles to form the foundation of your AI program.

Christy Hawkins, Special Counsel, Consumer Financial Services, Data and Technology (CFS+) Practice Group, Akerman LLP, asks, "Do you know enough about the AI tool to explain it to someone in a disclosure? AI can be very complex. Does transparency mean that we have to describe everything the tool is doing behind the scenes? Organizations should at least be able to tell someone that the AI tool is being used or applied, how decision making takes place, and what the consequences might be for the consumer."

Privacy Trend #2: Data Retention

Data poses risks to organizations through breaches, ransomware, consumer requests, or litigation. In one ruling under GDPR, fines were levied against a bank for over-retention of data despite its not being compromised in a data breach. Organizations should have operational plans to minimize the data they hold and dispose of data they no longer need to mitigate these risks.

Many of the extremely damaging data breaches that have happened in the last five years or so have been breaches of outdated or unused information in legacy systems rather than crucial business systems. Consequently, the organization wasn’t paying attention to it—either from a security or minimization perspective. In some cases, individual executives may be held liable for failure to respond appropriately to the risk of data breaches.

Focus on business practices and processes as much as technology platforms and data sources when you’re conducting a data inventory. You can uncover unnecessary risks by disposing of data that isn’t being leveraged for valid business purposes. Data discovery technology can help uncover sensitive data even in unexpected places, helping mitigate the risks of a breach.

 
