Privacy in Practice: Dissecting the Global Trends That are Shaping the Profession

Nandita Rao Narla is Head of Technical Privacy and Governance at DoorDash
Author: Nandita Rao Narla, Head of Technical Privacy, DoorDash
Date published: 18 January 2024

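In 2023, new privacy legislation, increased enforcement actions, newsworthy fines, large-scale data breaches and new technological advancements, particularly in generative AI, made for a dynamic global privacy landscape. These trends are expected to continue as 2024 promises to be another eventful year for privacy professionals, who will be challenged to navigate compliance challenges and mitigate privacy risks with limited resources.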

In this blog post, we will review the major privacy developments of 2023, highlight key insights from ISACA’s latest privacy research and discuss major focus areas for privacy professionals as they build their 2024 data protection roadmaps.

Key Privacy Takeaways from 2023

2023 saw the enactment of numerous pieces of data privacy legislation in various jurisdictions. In the US alone, the number of comprehensive privacy laws enacted by states increased from 5 to 12 (or possibly 13, if Florida is included). While there is significant overlap among these new state laws, privacy professionals must evaluate the nuances in compliance requirements and consumer rights to build their 2024 compliance strategy. As there was no breakthrough in passing an omnibus US privacy law at the federal level, the country will likely see more state laws being enacted, for which organizations will need to continue investing in a regulatory patchwork compliance program.

Privacy also took center stage in other parts of the world, with several countries enacting new privacy laws and amending existing laws in 2023. Notable examples include India's new data protection law, Vietnam’s Personal Data Protection Decree and the Kingdom of Saudi Arabia’s Personal Data Protection Law. In 2024, other jurisdictions, such as Indonesia, Brazil, Canada and Australia, are expected to finalize rules/start enforcement, and privacy professionals will need to monitor developments for in-scope jurisdictions and accordingly tailor their organizational compliance roadmaps.

When it comes to personal data transfers, the third iteration of the EU-US Data Privacy Framework was announced in 2023 but received a lukewarm response from the industry. Many organizations are adopting a wait-and-watch approach in case the adequacy decision is challenged and overturned in court. However, privacy professionals at organizations deciding to self-certify with the framework will need to comply with the amended privacy obligations and update their programs in 2024.

Apart from hot topics such as data scraping, tracking technologies, adtech, children's privacy and biometric/health data, AI developments dominated privacy discussions. AI saw rapid technological advancement, industry adoption and policy developments (e.g., the US AI Executive Order and the EU's AI Act). In 2024, privacy professionals will likely see their roles expand to include responsible AI management. They will need to work cross-functionally to build sustainable AI governance programs and extend safeguards for AI use cases.

Privacy in Practice 2024: Key Insights

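In this evolving privacy landscape, ISACA surveyed more than 1,300 global privacy professionals to gather insights on privacy staffing, organizational structure, frameworks, policies, budgets, training, data breaches and priorities for its newly released privacy research, Privacy in Practice. The following three main themes emerged: privacy teams are understaffed across the board but technical skills are in highest demand; practicing privacy by design is a top-down initiative that requires strategy alignment; and training and awareness are vital aspects of successful privacy programs.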

  1. Closing the privacy skills gap
    While several specialized privacy roles exist that differ in scope based on the organization/industry, privacy professionals are generally bucketed into technical or legal/compliance functions. Legal/compliance roles have expertise in privacy laws and regulations, while technical roles focus on implementing privacy-protecting controls. Demand for privacy skills remains high across the board, with larger understaffing in technical teams (62%) than in legal/compliance teams (55%) for 2024. This technical privacy skill shortage trend has been consistent over the last several years and has worsened from last year's findings (~10% increase).

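    According to the report, the biggest skill gap exists in technical areas such as experience with privacy compliance tech implementation, privacy-enhancing technologies, technical reviews, etc. Privacy practitioners looking to upskill will benefit from including privacy certifications, technical courses, rotational programs or cross-training as part of their professional development goals for 2024 for gaining technical privacy skills.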

    I discuss this topic in detail in my article “Help Wanted: Evolving privacy roles and widening privacy skill gap,” published in ISACA Journal, volume 1, 2024.

  2. Guiding innovation with privacy by design
    Privacy by design has been recognized in the industry as a proven model for proactive privacy risk management, but what does it entail in practice? ISACA’s report outlines critical characteristics for organizations that actively practice privacy by design, such as having larger privacy teams with appropriate technical privacy roles, privacy being prioritized at the board level, a privacy strategy aligned with organizational objectives and beyond checkbox compliance, and viewing privacy from an ethical and competitive-advantage perspective. These trends can serve as valuable tools for privacy professionals looking to benchmark and mature their privacy by design programs in 2024.

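  3. Building a privacy culture through training and awareness programs
    The most common privacy failures, according to the ISACA survey, result from inadequate training. I believe privacy training and awareness programs have the best ROI in reducing the risk of breaches. However, most organizations (65%) report the number of employees trained as the sole privacy training program metric, which does not measure the program's effectiveness. Privacy practitioners should revise existing training programs to address current risks, such as the use of customer personal data in GenAI tools, develop engaging content that may include gamification, conduct continuous monitoring, establish feedback loops and ensure the program is embedded in the company culture.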

Access the ISACA Privacy in Practice 2024 report for a free copy of the complete research report and insights at kurosems.mokmingsky.com/privacy -实践- 2024.

Additional resources