Data Privacy and Cyber Security Outlook 2024

Privacy and Data Security Developments in 2024 – what should organisations be looking out for?

There are a number of changes and developments on the horizon. Although these come mainly from the EU rather than the UK, they are relevant for UK companies operating in the EU or providing products or services into the EU. The UK may also follow the EU on some of these measures.

  1. The European Data Protection Board (EDPB) has set out its planned enforcement action for 2024. This is its third coordinated enforcement action and relates to how data controllers implement data subject access rights. The EDPB is expected to issue a report in January 2025 reflecting its findings and, hopefully, setting out the correct process for controllers to follow when handling data subject access requests.
  2. Transfers out of the EU: The European Commission (EC) has just completed a review of 11 adequacy decisions showing which countries will maintain their adequacy status. The report has confirmed that all 11 countries (Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay) have retained their adequacy status. There are 16 adequacy decisions currently in place and the EC will continue to monitor the developments of those countries particularly where there is further legislative reform. This means that it will be important to keep an eye on changes in the law which could result in a watering down of protection, especially in the UK and the US where the EU/US Privacy Framework applies.
  3. Tech companies will be subject to a number of new laws, for example the Digital Services Act (DSA), which places obligations on intermediary service providers such as social platforms, digital marketplaces, app stores, content sharing sites, and travel and accommodation sites. Stricter oversight is also expected of online profiling, ‘notice and take down’ processes and advertising. In December 2023 the EU announced its first formal investigation under the Digital Services Act, in proceedings against Twitter (now known as X). The DSA’s partner legislation, the Digital Markets Act (DMA), is going to take effect in March 2024. The DMA is expected to tighten the responsibilities and obligations of so-called ‘gatekeeper’ companies, i.e. those with significant market share, impact or influence. The DMA also contains data profiling and data-based advertising provisions which will impose more transparent consent requirements for the use or combining of data.
  4. New legislation in the pipeline for 2024: The EU’s Artificial Intelligence Act (AI Act) is likely to have a significant impact. Although it still needs to go through final steps before it becomes law, the key parameters have now been set. Businesses will need to adapt their operations in order to meet the AI Act’s requirements. This will mean looking at risk-based transparency, fairness and compliance with the GDPR where personal data is involved. Cyber Acts are also expected to come into force in 2024, such as the draft Cyber Resilience Act. This legislation will introduce a cyber certification scheme for cloud providers. The EU is also bringing out its Information Security Directive, expected to take effect in October 2024, by which time each member state must have enacted and implemented all relevant cyber security laws. In addition, the new EU Data Act is expected to harmonise rules on fair access to and use of data.

Data Privacy Considerations for Organisations Utilising AI

AI is becoming increasingly widely used by organisations and businesses in their day-to-day operations, and businesses need to take steps to mitigate the risks involved in using it. The US National Institute of Standards and Technology (NIST) has published an AI Risk Management Framework (the Framework) which many organisations are using as a starting point for AI risk assessments. This is a guidance document for voluntary use by organisations that design, develop, deploy or use AI systems, to help them manage the many risks of AI technologies. The International Association of Privacy Professionals’ (IAPP) AIGP certification has also become one of the go-to standards for the management of AI systems. There is a list of 7 requirements that high-risk organisations should observe in adjusting their processes. These are: risk management system; accuracy and robustness; cyber security; data and data governance; human oversight; transparency and provision of information to users; record keeping and technical documentation.

As a minimum, organisations should carry out a Data Protection Impact Assessment (DPIA), or expand their existing DPIAs, to assess the risks posed by AI, including the risk of harm to society, amongst others. Organisations providing AI systems should consider carrying out a DPIA specifically for AI and, if they fall within a high-risk category, should consider the above elements.

Key Priorities for DPOs and Privacy Professionals

Key priorities for DPOs and privacy professionals to consider in 2024 include:

  1. Keeping an eye on upcoming legislation. As mentioned above, a number of laws are coming into force in 2024 and 2025.
  2. Making sure the processing activities of their organisation are properly documented so that they are prepared for changes in the law and compliance standards. It is important to understand the data in the organisation and to be able to identify clearly what data is being processed and how, when and where it is being processed. This will enable the organisation to respond accordingly to changes in the legal landscape.
  3. Ensuring the Record of Processing Activity (ROPA) is accurate and up-to-date.
  4. Making sure DPIA templates are fit for purpose, especially if AI systems may be used in the future.
  5. Checking that data flows are mapped and that the organisation has the right documentation to support international data transfers, including the use of standard contractual clauses (SCCs) or registration under the EU/US Data Privacy Framework.
  6. Keeping up to date with adequacy reviews. The EU continues to monitor developments in privacy laws in those countries which have received adequacy decisions, and the issue of transfers between the EU and the UK and USA is particularly important.