Whilst the data headlines in 2023 were dominated by generative AI, our data law experts have reflected on the trends and predictions likely to be making waves in 2024, and what those trends may mean for your organisation:

  1. Compliance Review and Refresh
  2. New Year/New Laws?
  3. Continued rise of AI
  4. Cyber Risk – Not going away
  5. Data Transfers
David Goodbrand, Partner and Head of Data Privacy, Technology & Commercial

Compliance review and refresh

The start of the year is a great time for every organisation to audit and review its existing data and information compliance policies and practices. Alongside changes in the volume and nature of the data that organisations routinely process, the value placed on that data, and the risks associated with it, keep increasing. We would certainly recommend a more structured, balanced and holistic approach to data management, security and governance.

There are three main pillars that collectively form the backbone of good data protection compliance:

  1. POLICIES AND PROCEDURES:
    Implementing and maintaining effective and suitable policies, practices and procedures helps your organisation meet its legal obligations. These ought to be dynamic and should be reviewed regularly to ensure they remain fit for purpose and adequately address any new challenges that may be thrown up, including cybersecurity, AI adoption and ESG best practice.

  2. TRAINING AND AWARENESS:
    Organisations should prioritise the adoption of comprehensive training programmes to ensure employees are well-informed and aware of their obligations – particularly with all the legal changes we have seen recently and that will be adopted in 2024.

  3. ACCOUNTABILITY & GOVERNANCE:
    Having a good governance structure is the foundation of managing data protection risk and compliance. 

New Year / New Laws?

There have been a number of data-related legislative changes and proposals in Europe and the UK in the last couple of years. The current focus in the UK is on the Data Protection and Digital Information (No. 2) Bill (DPDI), which is anticipated to become law in mid-2024 (subject to any knock-on complications and delays thrown up by the upcoming UK general election). Some of the highlights contained in the DPDI include:

  • Non-exhaustive list of approved scenarios relating to lawful processing for legitimate interests and scientific research.
  • Maintaining a Record of Processing Activities may only be required for high-risk processing.
  • Clarifying the need to conduct reasonable and proportionate searches when responding to Subject Access Requests.
  • The increasing movement towards adopting a risk-based approach to processing personal data.

The DPDI needs to be considered alongside the volume of other legislative developments in Europe, including the following:

  • The Data Governance Act
  • The EU AI Act
  • The EU Data Act – which intends to create a single market for data
  • The Digital Services Act
  • The Digital Markets Act

The increasing number of data related legislative requirements and the potential inter-relationship (or conflict) between these in the UK, Europe and further afield will continue to raise novel and often complex compliance questions for many organisations. We will continue to monitor and update on these developments.

Continued rise of Artificial Intelligence

Artificial Intelligence (AI), and generative AI in particular, has received significant attention and focus in 2023. Many organisations are already embracing AI and the benefits that it has to offer, and will continue to bring.  However, the associated legal, regulatory and security risks need to be considered and managed carefully too in order to ensure that a potential asset does not turn into a significant liability.

Whilst the UK ICO cautions about a potential decline in trust in AI throughout 2024, current indications show rising adoption of, and reliance on, these developing technologies. Organisations leveraging generative AI in the workplace may wish to take steps to mitigate the risks associated with its use, including:

  • Adopting a Generative AI policy detailing the rules that apply and the processes which must be followed when using AI.
  • Training and awareness raising in relation to AI technologies and the related policies.
  • Managing contractual risks with third party AI suppliers and partners.
  • Considering and managing any data protection, discrimination and bias related risks.

Cyber Risk – Not going away

The cybersecurity risk to an organisation's data is not showing any signs of easing and continues to top the list of key risks impacting all organisations. Cyber risk will continue to evolve in 2024, especially with the emergence of new and increasingly sophisticated threats associated with the use and adoption of AI and quantum computing.

Regulatory frameworks looking to address cybersecurity risks are evolving too, with the adoption in the EU of the Critical Entities Resilience (CER) Directive, which focuses on resilience, and the NIS 2 Directive, which sets cybersecurity risk management and incident reporting obligations. The UK is also setting out minimum security requirements for consumer connectable products under the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, whose product security regime comes into force on 29 April 2024.

Cyber events may also result in regulatory scrutiny and investigation, so being prepared, with an appropriate and tested plan for handling such incidents, is becoming critically important.

Data transfers

In October 2023 we saw the introduction of the new UK-US data bridge (the much-anticipated replacement for the Privacy Shield), which is an extension of the EU-US Data Privacy Framework (DPF) introduced in summer 2023. This essentially allows UK and EU businesses to transfer personal data to certified US organisations. However, the likely uptake of this mechanism remains in doubt, as it seems fairly certain that the DPF will face a number of legal challenges in 2024. We will therefore have to see whether the DPF remains an effective data transfer mechanism.

Separately, the EU-UK Adequacy Decision, a decision of the European Commission that maintains the free flow of personal data from the EU to the UK, is set to be reviewed this year. The European Commission will start work later in 2024 to determine whether to extend the adequacy decision for another four years, and is likely to scrutinise the UK's Data Protection and Digital Information Bill as part of this review.

At the end of 2023, the ICO issued guidance for organisations completing transfer risk assessments for transfers of personal data from the UK to the US.  We also anticipate further guidance from the ICO regarding international transfers including detailed guidance on the International Data Transfer Agreement and the UK Addendum to the EU standard contractual clauses.

Lastly, ahead of the 21 March 2024 deadline, we expect to see a focused effort from a number of organisations to implement the new EU standard contractual clauses (SCCs) with the UK Addendum, or the UK standalone International Data Transfer Agreement. Organisations still relying on the pre-GDPR SCCs to transfer personal data from the UK have until that date to transition to the new arrangements.

Central to all these themes and trends is trust. Businesses are operating in a trust economy and this brings both challenges and opportunities. You can read our recent paper with thoughts on the trust economy here.

2024 is already shaping up to be a really important and busy year for data driven businesses and organisations. Our Data Protection and Regulatory experts continually monitor developments in this area and would be delighted to arrange a call to see how we can help and support your organisation.
