Over the last few years, compliance has become an increasingly challenging industry, with ever more complex regulations, high fines, and new and untested technologies such as AI presenting difficulties. As we begin a new year, “compliance will be a multifaceted challenge requiring organizations to be proactive, adaptable, and forward-thinking,” according to Vicky Withey, Head of Compliance at Node4.
Withey argues, “Boards and compliance professionals need to address current risks and anticipate emerging challenges to steer their organizations toward sustainable success.” But what will those challenges look like over the next year? Planet Compliance spoke to seven compliance experts to get their insights.
Adapting to New Legislation
One theme of the past few years is likely to continue into 2024: Organisations will have to spend a good deal of time coming to grips with new regulations. Jakub Lewandowski, Global Data Governance Officer at Commvault, highlights the EU-US Data Privacy Framework (DPF) as one such example. “The DPF has created a sort of ‘bubble’ around the EU and the US in which organizations can exchange data freely, with the trust that there is an adequate level of protection in place for personal data,” he explains.
Since October 2023, this agreement has been extended to also include the UK through what is called the ‘UK-US data bridge.’ British businesses can now also benefit from the simplified data transfer rules. In a globalized world where transatlantic business relations are positive and prosperous, the easy sharing of data is crucial. The DPF’s ability to accelerate the process of data transfers while removing a heavy workload of paperwork has, therefore, won a huge amount of support from businesses.
“Despite its popularity, the DPF could be short-lived,” Lewandowski adds. “All eyes are again on Max Schrems, Austrian lawyer and data privacy activist, as he will attempt to challenge the Data Privacy Framework again, as he did with its predecessors, the Privacy Shield & Safe Harbour Agreement. That is definitely a development worth following in 2024. Important to note, however, that invalidation of the Data Privacy Framework this time will not directly affect the UK-US data bridge.”
In terms of other new regulations, Richard Starnes, Chief Information Security Officer at Six Degrees, believes that we’re likely to see a “rise in Government regulation of the supply chain.” He believes the “Government will continue to place emphasis on securing the supply chain with light touch frameworks such as NCSC Cyber Essentials (UK) and NIST Small Business Cybersecurity Corner (US). Small companies will begin to be required to attest to at least compliance with one of these frameworks.”
As a result of these kinds of regulations, Alev Viggio, Director of Compliance at Drata, adds: “Both security and compliance teams will focus on improving communication and collaboration by sharing information on emerging threats, updates to compliance/regulatory requirements, and security incidents.
“As regulatory penalties become steeper, and organizations increasingly prioritize adherence to new and existing compliance frameworks, security and compliance teams will work to align their objectives. Both will recognize that they have a critical role to play in protecting the organization’s infrastructure and data and minimizing security risks.”
Shiny New Tech
Obviously, the biggest story this year has been around the rise of AI as debates continue about how far the technology will revolutionize industries.
“AI has certainly taken the world by storm in 2023, and I think in the coming year we’ll see more organizations embracing how they can use it to take the biggest advantage of their own data,” explains Guillaume Crapart, Senior Director of Channel Sales at Quantum.
“Organisations have vast amounts of data now, and according to Gartner, 80-90% of all new enterprise data is unstructured. Trying to find something specific within that data is like looking for a needle in a haystack. AI can help you do this by tagging your data based on its metadata – it can then find any of these tags when you search in a matter of moments, saving hours and hours of manual effort from employees.”
Gary Lynam, Managing Director, EMEA at Protecht, agrees that AI will bring benefits: “Currently, many companies lack the ability to effectively test their processes end-to-end, including third parties and suppliers. In 2024, the risk function will evolve to embrace the digitized landscape by using AI and advanced analytics to capture internal and external data, manage the third-party management lifecycle, and drive meaningful insights for decision-making processes based on the correlations between interdependent risks.”
AI Regulation and Compliance in 2024
However, AI also brings with it a huge regulatory challenge. “As AI continues to advance and become an increasingly accepted part of society, there will be a growing demand for regulation to address ethical, privacy, and safety concerns inherent to the technology,” explains Troy Fine, Director of Compliance Advisory Services at Drata. “Stronger guidelines will be needed to ensure responsible and accountable development and deployment of AI-based solutions.”
“With the rise of AI, there is a need for regulations at both governmental and organizational levels to ensure its ethical use,” agrees Mark Wilson, Technology and Innovation Director at Node4. “AI technologies are powerful and can have significant impacts on society, economy, and environment as well as pose risks or challenges such as bias, discrimination, error, misuse, or abuse. Therefore, there is a need for regulations that can ensure that AI is used in a responsible, trustworthy, and beneficial manner.”
While legislation is still being established, Wilson suggests that businesses should focus on regulation at the organizational level. “Within every business, there is a need for regulations that can align the AI strategy with the organizational vision, mission, and values; implement ethical principles and practices for AI development and deployment; ensure accountability and transparency for AI decisions and actions; and monitor and evaluate the impacts and outcomes of AI use.”
He concludes, “In 2024, all organizations should be working towards establishing solid AI regulations so that we can move forward with the technology, reaping the benefits, whilst knowing that it is being used safely and responsibly.”