Privacy Priorities for 2024 (and Beyond)
The upcoming year will continue to hold challenges for data privacy programs. The Quarles Privacy Week 2024 programming from this week has provided an overview of the upcoming issues and challenges that are on the horizon. However, budgets and time are not unlimited, so how do you prioritize? Below are our top five recommendations for the most bang-for-your-buck priorities, worth your limited budget spend to help decrease risk, stay up to date with the current (and evolving) regulatory landscape, and set yourself up for a strong compliance program into 2024 and beyond.
As you undertake this task, don’t forget to pay attention to laws addressing specific industries and types of data (e.g., AI, health data, the protection of minors, breach reporting, and financial transactions). For example, if you are in the health care industry, you should familiarize yourself with Washington and Nevada health data requirements and the HHS AI transparency rule.
2. Understand Your Data Disclosure and Transfer Practices.
Knowing where your organization’s data is going should also be part of your compliance program (likely in the form of a data map). For 2024, we specifically recommend revisiting this with an eye toward (a) the upcoming privacy laws (discussed above) and (b) whether your organization transfers data across borders and, if so, whether those transfers are prohibited or restricted by applicable law. As you are giving thought to these data transfers, don’t forget to address data transfers that may be taking place in AI tools (input, output, and everything in between).
If you are transferring data across borders, specifically out of the European Union, give thought to whether the Data Privacy Framework is a good fit for those data transfers now that it is effective. The Data Privacy Framework is an optional self-certification for organizations to ensure cross-border transfers are consistent with European Union law. If the Data Privacy Framework is not workable, be sure at least that you have the correct Standard Contractual Clauses in place, using the updated forms published by the European Commission in 2021.
3. Take Steps Regarding AI.
AI can no longer be something we wait until tomorrow to contemplate. AI is here to stay, and in all likelihood your organization is using AI as you read this, whether directly or through a vendor. You need to understand how your organization is using AI, including the use cases and the type of AI (e.g., open vs. closed systems, predictive vs. generative AI). For more information on privacy considerations of AI, take a look at our Privacy Week primer on AI and check out our Privacy Week webinar on hot issues and priorities for privacy in AI.
Be prepared to document the use cases, authorization for data collection, transparency of the algorithm, bias, and data use rights for AI, and build rights and responsibilities into your software contracts. To this end, identify your high-value, high-risk, integral software tools and review the applicable contracts for those tools. If those contracts are more than 3 years old, it’s likely time to revisit the terms and any applicable data impact assessments given the changes in technology and the changing regulatory and litigation landscape.
Particularly if you are developing AI, take a look at the developing legal authorities, including the HHS AI Transparency Rule (Dec. 2023) and the EU AI Act (Jan. 2024), as consensus begins to build around AI best practices and governance.
4. Get a Vendor Management Process in Place.
No matter what industry you are in, the size of your organization, or the maturity of your privacy program, implementing and maintaining an ongoing vendor risk management process is necessary to ensure your organization is protected. Vendors are one of the most significant privacy risks to your organization.
As 2024 gets under way, we recommend the following as best practices in vendor management:
- Assess and update your due diligence practices and policies. Ensure you understand what data the vendor will process, what security practices they have in place, and whether they are able to comply with privacy and security requirements that are applicable to your organization.
- Determine whether a data processing agreement, data transfer agreement, or business associate agreement is necessary. Update your templates in light of new requirements.
- Track vendors that have access to your data and understand the scope of that data. Tracking vendors should not be based on organizational spend but should focus on the type and amount of data that vendor can access. Terminate access rights when contracts terminate, and confirm that data access and sharing comply with privacy and security requirements, including additional requirements under evolving laws and regulations.
- If you have budget money and capacity, build a feasible audit program to review vendor compliance with security and regulatory requirements. Do not set yourself up for audit obligations that you cannot meet.
- Remember that vendor management is not a one-time process during contracting.
We recognize that vendor management is a big lift. Demonstrating steps to a robust vendor management program will go a long way with regulators. We are happy to help you prioritize initial steps.
5. Do Not Forget About Security.
We do not expect security incidents to slow in 2024. We are also seeing updates to current breach reporting laws at both the state and federal levels and expect more sophisticated cyberattacks with the use of new technologies (e.g., AI, deep fakes).
Legal and information security teams should work together to get some baseline security practices in place and up to date. Where is your data maintained and processed? Do you have offshoring or data localization requirements applicable to your organization? Is all of your organization’s personal information encrypted? Do you have appropriate access controls? Are your employees trained on current practices? Do you have any end-of-life software in your environment? As you give thought to these questions, consider the below:
- Ensure that your organization has an incident response plan. Key players in your organization should have access to the plan offline (in case your systems go down), and you should test your incident response readiness with an attorney-client privileged tabletop exercise. Statistics show that organizations with tested incident response plans have significantly less expensive security incidents. Consider how your vendors and customers fit into this plan.
- Get a security analysis to identify threats and vulnerabilities, but complete the audit under attorney-client privilege. Don’t just put the report in your files. Prepare a documented risk mitigation plan with your legal and compliance teams.
- Engage vendors before you experience a security incident (e.g., forensics vendor, legal counsel, public relations firm, etc.). Negotiating terms of these arrangements before an incident occurs will save your company from investing time and resources into those negotiations when those resources are needed to respond to the incident at hand.
- Analyze your insurance coverage, specifically your organization’s cyber insurance coverage, to determine whether it is appropriate based on your organization’s industry, practices, and risk tolerance.
While no two organizations are alike, given the current landscape of privacy laws, evolving technologies, and the risks of noncompliance and security incidents, it has never been more important for an organization to prioritize privacy this year. These priorities can be operationalized in organizations of all sizes and industries, and we are here to help.
Thank You for Joining Us for Privacy Week!
For guidance and advice on setting priorities for your data privacy program in light of these changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team or: