Introduction
Data security has become a top priority for organizations in recent years due to the rise in cyberattacks and data breaches. As threats continue to evolve, governments worldwide are responding with new regulations aimed at strengthening data protection and privacy. In 2024, organizations will need to comply with several significant upcoming regulations that promise to have a major impact on data security practices.
In this article, I will provide an overview of the key data security regulations going into effect in 2024, what they will require of organizations, and how companies can begin preparing now. The major regulations poised to shake up the data security landscape in 2024 include:
- The California Privacy Rights Act (CPRA)
- The European Union’s Digital Operational Resilience Act (DORA)
- Australia’s Privacy Act amendments
- India’s new Digital Personal Data Protection Act
Let’s look at each of these regulations in more detail.
The California Privacy Rights Act (CPRA)
The CPRA, approved by California voters in November 2020, builds upon the landmark California Consumer Privacy Act (CCPA) that took effect in 2020. Most CPRA provisions became operative on January 1, 2023 (covering personal information collected on or after January 1, 2022), and the new California Privacy Protection Agency (CPPA) shares enforcement with the Attorney General. In June 2023 a Sacramento Superior Court ruling delayed enforcement of the CPPA’s implementing regulations by a year, to March 2024, so 2024 is when businesses should expect those rules to be enforced in earnest. While the CCPA imposed obligations on businesses to provide California residents with transparency and control over the personal information collected about them, the CPRA further expands consumer rights and business obligations.
Here are some key provisions of the CPRA that organizations need to prepare for:
- Right to opt out of sale or sharing of personal information: Consumers can opt out of the sale of their personal information and of its “sharing”, which the CPRA defines as disclosure for cross-context behavioral advertising. This is an opt-out regime, not a consent regime: opt-in consent is required only for consumers under 16 (with parental consent under 13).
- Right to limit use of sensitive personal information: The CPRA creates a new category of sensitive personal information (for example precise geolocation, government identifiers, health and biometric data, account credentials) whose use and disclosure consumers can restrict to what is necessary to provide the requested goods or services.
- Right to correct information: Individuals can request corrections to any inaccurate personal information a business holds about them.
- Expanded opt-out mechanics: Businesses must provide a “Do Not Sell or Share My Personal Information” link (and, where applicable, a “Limit the Use of My Sensitive Personal Information” link) on their homepage, and must honor opt-out preference signals such as Global Privacy Control (GPC) sent by the consumer’s browser.
- Data minimization and retention: Collection, use and retention of personal information must be reasonably necessary and proportionate to the disclosed purpose, and privacy notices must state the retention period for each category of data.
- Automated decision-making and risk assessments: The CPRA directs the CPPA to issue regulations giving consumers access and opt-out rights regarding automated decision-making technology (including meaningful information about the logic involved) and requiring risk assessments for processing that presents significant risk to privacy. Draft regulations on both topics were released for discussion in late 2023 and are still being finalized.
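The opt-out preference signal mentioned above is, in practice, the Global Privacy Control request header `Sec-GPC: 1` that a browser or extension sends with every request. The following Python is an added example, not code from the original article, of how a site can treat that header as a valid opt-out of sale/sharing alongside a hypothetical first-party cookie (`privacy_opt_out`) that records a consumer’s explicit choice made through the “Do Not Sell or Share” link. The cookie name, the sample requests and the reason tags are assumptions for illustration.

```python
"""Honouring the Global Privacy Control (GPC) opt-out signal.

Added example, not the article's own code. It assumes request headers are
available as a mapping (as in any WSGI/ASGI framework) and a hypothetical
first-party cookie `privacy_opt_out` that the site sets when a consumer
clicks its "Do Not Sell or Share My Personal Information" link.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Mapping, Optional

GPC_HEADER = "sec-gpc"               # request header defined by the GPC specification
OPT_OUT_COOKIE = "privacy_opt_out"   # hypothetical site cookie (assumption)


@dataclass(frozen=True)
class Decision:
    allowed: bool   # may this request's data be sold/shared for cross-context ads?
    reason: str     # short tag recorded in the audit log


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for `Sec-GPC: 1`; any other value, or absence, is not a signal."""
    value = _header(headers, GPC_HEADER)
    return value is not None and value.strip() == "1"


def explicit_opt_out(headers: Mapping[str, str]) -> bool:
    """True when the site's own cookie records a prior 'do not sell/share' choice."""
    raw = _header(headers, "cookie")
    if not raw:
        return False
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except Exception:            # malformed Cookie header: treat as no choice recorded
        return False
    morsel = jar.get(OPT_OUT_COOKIE)
    return morsel is not None and morsel.value == "1"


def sale_or_sharing_decision(headers: Mapping[str, str]) -> Decision:
    """Decide whether sale/sharing is permitted for this request.

    Order matters: an explicit opt-out recorded by the site wins regardless of
    the browser signal, and a GPC signal is itself treated as a valid opt-out
    request, so 'allowed' is returned only when neither is present.
    """
    if explicit_opt_out(headers):
        return Decision(False, "explicit-opt-out")
    if gpc_signal_present(headers):
        return Decision(False, "gpc-signal")
    return Decision(True, "no-opt-out")


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = {
        "gpc-on":  {"Sec-GPC": "1", "User-Agent": "example"},
        "gpc-off": {"Sec-GPC": "0"},
        "cookie":  {"Cookie": "session=abc; privacy_opt_out=1"},
        "plain":   {"User-Agent": "example"},
    }
    for label, hdrs in samples.items():
        d = sale_or_sharing_decision(hdrs)
        print(f"{label:8s} allowed={d.allowed} reason={d.reason}")
```

Two design points matter in practice: a valid signal is honoured without the consumer having to click anything, and a header value other than `1` is ignored rather than read as consent to sale. Persisting the `reason` with each decision gives the evidence an auditor or regulator will ask for when checking that opt-out signals were actually respected.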
To comply with the CPRA, companies will need to review their data handling practices, privacy notices, consent and opt-out mechanisms, and their contracts with service providers and contractors, which the CPRA requires to contain specific terms. Administrative fines run to $2,500 per violation and $7,500 per intentional violation or violation involving minors’ data, and the CCPA’s 30-day cure period has been removed, so organizations should start planning their CPRA program in 2023.
The EU Digital Operational Resilience Act (DORA)
The EU is also ramping up its rules with DORA (Regulation (EU) 2022/2554), which entered into force on 16 January 2023 and applies from 17 January 2025, making 2024 the implementation year. Its scope is the financial sector: banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers and similar entities, together with the ICT third-party providers that serve them. Energy, transport, health and digital infrastructure are not covered by DORA; they fall under the separate NIS2 Directive, which member states must transpose by 17 October 2024 and which imposes comparable risk-management and incident-reporting duties. DORA aims to strengthen cyber resilience and harmonize incident reporting across the financial sector.
DORA will introduce mandates such as:
- An ICT risk management framework with explicit management-body accountability, covering identification, protection, detection, response and recovery for ICT systems.
- Reporting of major ICT-related incidents to the competent authority in stages (initial notification, intermediate report, final report) within timelines set by technical standards, plus voluntary notification of significant cyber threats.
- Digital operational resilience testing, including threat-led penetration testing (TLPT) for entities designated as significant, at least every three years.
- ICT third-party risk management: mandatory contractual provisions, a register of all ICT service arrangements, and concentration-risk analysis.
- Increased supervisory powers for national competent authorities to oversee compliance.
- An EU oversight framework under which the European Supervisory Authorities directly oversee critical ICT third-party providers such as cloud services.
The extensive requirements under DORA will force impacted organizations to reassess cyber resilience strategies, ICT third-party oversight, and incident response plans. Implementing the necessary governance and technical controls to comply with DORA will be a complex undertaking, so organizations should get a head start.
Updates to Australia’s Privacy Act
Australia is reforming its Privacy Act 1988 in stages. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, passed in December 2022, already raised the maximum penalty for serious or repeated interferences with privacy to the greater of A$50 million, three times the benefit obtained, or 30% of adjusted turnover. The Attorney-General’s Privacy Act Review Report (February 2023) made 116 proposals, and in its September 2023 response the government agreed or agreed in principle to most of them, with legislation to follow. Key proposals to prepare for include:
- Strengthened consent requirements (consent must be voluntary, informed, current, specific and unambiguous) and a “fair and reasonable” test that applies to collection, use and disclosure of personal information whether or not consent was obtained.
- Right to object to the collection, use or disclosure of personal information, including an unqualified right to opt out of targeted advertising.
- Right to erasure of personal data held by organizations.
- Direct right of action and a statutory tort for serious invasions of privacy, so individuals can sue without needing to go through the Privacy Commissioner.
Organizations handling Australians’ personal data, whether located in Australia or offshore, will need to evaluate consent practices, data retention policies, privacy notices, and incident response processes.
India’s Upcoming Data Protection Law
India’s Digital Personal Data Protection Act, 2023 (DPDP Act) was passed by Parliament and received presidential assent in August 2023, replacing the draft bill released for consultation in November 2022. Its provisions take effect on dates notified by the central government, and the detailed rules are still to be notified, so the compliance work lands in 2024 and beyond. The key requirements include:
- Consent for processing personal data must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action and preceded by a notice; a limited set of “legitimate uses” (for example data the individual provides voluntarily, employment purposes, medical emergencies) do not require consent.
- Organizations the government designates as Significant Data Fiduciaries must appoint a Data Protection Officer based in India, appoint an independent data auditor, and conduct data protection impact assessments.
- Cross-border transfer rules rather than a blanket localization mandate: transfers are permitted except to countries the central government restricts by notification. The earlier 2019 bill’s requirement to store critical personal data only in India was dropped, although sectoral regulators such as the RBI retain their own localization rules (for example for payment data).
- Notification of personal data breaches to the Data Protection Board of India and to affected individuals.
- Significant penalties for non-compliance, up to ₹250 crore per instance, for example for failing to implement reasonable security safeguards.
For multinational companies processing Indian users’ data, this law warrants close attention: it applies to processing outside India that is connected with offering goods or services to individuals in India, and the transfer restrictions and sectoral localization rules affect where data can be stored. Preparing for it will require strategic planning around data storage infrastructure, data protection governance, consent and notice flows, and breach response.
Preparing for 2024
With major data regulations going into force worldwide in 2024, organizations have a complex regulatory landscape to navigate. However, by starting preparations in 2023, companies can proactively address compliance gaps and build more robust data privacy and security foundations.
Key steps for preparation should include:
- Gap assessment of current policies and procedures against regulatory requirements
- Improving consent management and notice delivery to customers
- Third-party risk management to assess vendor cyber practices and contracts
- Strengthening data governance through enhanced classification, retention, and deletion policies
- Building data security via encryption, anonymization, monitoring, access controls
- Establishing data incident response plans with reporting procedures
- Training employees on upcoming regulations and compliance obligations
The regulatory environment is demanding greater accountability and duty of care from companies around data protection. By taking a proactive approach, organizations can transform compliance into an opportunity to fortify customer trust and brand reputation. 2023 is the year to lay the groundwork for a successful 2024 security and privacy journey.