Author: Nandita Rao Narla, head of technical privacy, DoorDash
Published: 18 January 2024

2023 brought a dynamic global privacy landscape with new privacy legislation, increased enforcement action, newsworthy fines, massive data breaches and novel technology advancements, particularly in generative AI. These trends are expected to continue, as 2024 will be another eventful year for privacy professionals, who will face the challenge of navigating compliance requirements and reducing privacy risk with limited resources.

In this blog post, we will look back at the significant privacy developments in 2023, highlight key insights from ISACA’s latest privacy research, and discuss the main areas privacy professionals should focus on when building their 2024 data protection roadmaps.

Key Privacy Takeaways from 2023

In 2023, multiple jurisdictions enacted data privacy legislation. In the US alone, the number of comprehensive state privacy laws enacted increased from five to 12 (possibly 13, if Florida is included). While significant overlaps exist in these new state laws, privacy professionals must assess the nuances of their compliance requirements and consumer rights to build a 2024 compliance strategy. Because there has been no breakthrough in passing a comprehensive US privacy law at the federal level, the country is likely to see more state laws enacted, and organizations will need to keep investing in compliance programs for a regulatory patchwork.

Privacy also took center stage elsewhere around the globe, with several countries enacting new privacy laws and amending existing ones in 2023. Notable examples included India’s Digital Personal Data Protection Act and new privacy legislation in Vietnam and the Kingdom of Saudi Arabia. In 2024, among other jurisdictions, Indonesia, Brazil, Canada and Australia are expected to finalize rules or commence enforcement, and privacy professionals will need to monitor developments in in-scope jurisdictions and adjust their organizations’ compliance roadmaps accordingly.

Turning to personal data transfers, the third iteration of the EU-US Data Privacy Framework announced in 2023 was met with a lukewarm response from the industry. Many organizations are taking a wait-and-see approach in case the adequacy decision is challenged and overturned in court. However, privacy professionals at organizations that decide to self-certify under the framework will need to comply with the revised privacy obligations and update their programs in 2024.

In addition to hot topics like data scraping, tracking technologies, children’s privacy and biometric/health data, AI developments dominated the privacy discourse. AI made rapid progress in technology, industry adoption and policy development (e.g., the US Executive Order on AI and the EU’s AI Act). In 2024, privacy professionals may see their roles expand to include responsible AI governance. They will need to collaborate cross-functionally to establish sustainable AI governance programs and extend safeguards to AI use cases.

Privacy in Practice 2024: Key Insights

Amid this evolving privacy landscape, ISACA surveyed more than 1,300 global privacy professionals to gather insights on privacy staffing, organizational structure, frameworks, policies, budgets, training, data breaches and priorities for its newly released privacy research, Privacy in Practice. The following three main themes emerged: privacy teams are understaffed across the board but technical skills are in highest demand; practicing privacy by design is a top-down initiative that requires strategy alignment; and training and awareness are vital aspects of successful privacy programs.

  1. Closing the Privacy Skills Gaps
    While some specialized privacy roles exist, with scope that varies by organization and industry, privacy professionals generally fall into technical or legal/compliance functions. Legal/compliance roles have expertise in privacy laws and regulations, while technical roles focus on implementing controls to preserve privacy. Privacy skills continue to be in high demand across the board, with technical teams (62%) more understaffed than legal/compliance teams (55%) heading into 2024. This shortage of technical privacy skills has persisted over the past several years and is worse than last year’s findings (an increase of about 10%).

    According to the report, the largest skills gaps are in technical areas, such as experience implementing privacy compliance technology, Privacy Enhancing Technologies (PETs), technical reviews, etc. Privacy practitioners looking to upskill would benefit from including privacy certifications, technical courses, rotation programs or cross-training aimed at gaining technical privacy skills as part of their 2024 professional development goals.

    I discuss this topic in detail in my article “Hiring: The Evolving Privacy Role and the Widening Privacy Skills Gap,” published in ISACA Journal Volume 1, 2024.

  2. Navigating Innovation with Privacy by Design
    Privacy by design is widely recognized in the industry as a proven model for proactive privacy risk management, but what does it entail in practice? ISACA’s report outlines key characteristics of organizations that actively practice privacy by design, such as larger privacy teams with appropriately staffed technical privacy roles, privacy prioritized at the board level, a privacy strategy that is aligned with organizational goals and goes beyond checkbox compliance, and viewing privacy through an ethics and competitive advantage lens. These characteristics can serve as a valuable tool for privacy professionals looking to benchmark and mature their privacy by design programs in 2024.

  3. Building a Privacy Culture Through Training and Awareness Programs
    According to ISACA’s survey, the most common privacy failures are caused by insufficient training. I believe privacy training and awareness programs offer the best return on investment for reducing breach risk. However, most organizations (65%) use the number of employees trained as the only privacy training program metric, which does not measure the program’s effectiveness. Privacy practitioners should revise existing training programs to address current risks, such as using customer personal data for GenAI tools, developing engaging content that can potentially include gamification, performing continuous monitoring, establishing feedback loops, and ensuring that the program is embedded in the company’s culture.

Visit pysf.ahlfdc.com/privacy-in-practice-2024 for a free copy of the full ISACA Privacy in Practice 2024 report and its insights.
