A glimpse into cloud security's future: advanced measures safeguarding data in the digital realm.

Risk Trends in 2024 and Beyond: Privacy and Data Governance

Risk Trends in 2024 and Beyond: Privacy and Data Governance

Synopsis
4 Minute Read

Quebec's Law 25 has ushered in an era of much stricter privacy regulations in Canada, with requirements that are much more significant than currently required by federal privacy law.

However, it’s not just Quebec-based organizations that need to be more transparent with how and why they collect user data and who they share it with. Law 25 applies to any organization that does business in Quebec or stores personal identifiable information (PII) on Québec residents — and it’s merely one of many frameworks of its kind.

Those organizations that can demonstrate their ability to protect user data and use it ethically will gain favour with increasingly privacy-conscious consumers — especially if they can do so before more provinces and jurisdictions follow suit with their own legislation.

Partner, Privacy & Data Governance
This insight is one of 15 risks in our 2024 Risk Trends Report. Navigate back to the main page for the full list of risk trends that you should be monitoring for in the year ahead.

Are you confident your data is secure and used ethically?

Quebec introduced stringent regulations in September 2022, which will have downstream impacts across Canada in the years to come. Law 25 includes numerous provisions and penalties which go far beyond the current requirements of the federal Personal Information and Electronic Documents Act (PIPEDA). Law 25 is equalled only by Europe’s General Data Protection Regulation (GDPR) — widely accepted as the most robust legislation anywhere in the world.

Law 25 already has teeth beyond Quebec’s borders, as it applies to any organization (Canadian or international) that does business in the province or stores personal identifiable information (PII) on Quebec residents. Given the trend toward greater accountability and stewardship over PII, it is only a matter of time before other provinces and the federal government follow suit with enhancing existing privacy laws.

Stricter regulations present both an obstacle and an opportunity for organizations that have come to rely on data for critical insights and market opportunities. Compliance will require significant updates to policies and procedures governing the collection, use, and transmission of data. These will need to be resilient to the numerous and often differing privacy regulations organizations are exposed to across the various jurisdictions they do business in. It will also require that organizations be more transparent with how and why they collect user data and who it will be shared with — potentially triggering some uncomfortable conversations.

Many organizations will lament the potential financial costs of hiring new privacy officers, curtailing analytics programs which are beyond the scope of why data is collected, implementing additional strategies to ensure compliance, and any regulatory fines they might face.

At the same time, it’s worth noting that users are already much more aware of how much organizations value their data and the risks involved with sharing it. This is shifting the competitive edge to those entities that can demonstrate when, how, and why PII will be used, and the mechanisms they’ve put in place to protect it.

Related risks

  • Privacy breaches due to lack of governance around AI and third-party solutions
  • Emerging legislative impacts on the use of third-party data sets may increase non-compliance risk
  • Impacts of transparency requirements on cross-channel management of user preferences and experience
  • Increasing Insider risks due to remote/hybrid environment and turnover
  • Regulatory non-compliance

""Key questions to ask

  • Are you confident that private and confidential data is kept in a secure location with sufficient controls?
  • Do you understand which privacy laws apply to your organization and the related compliance requirements?
  • Has your organization identified where all critical data is stored and how it moves between systems and jurisdictions?
  • Do you know if your private and confidential data may have lost integrity and/or adequate segmentation in the transition to new digital systems (i.e., the cloud)?
  • Is it possible for a third party to gain inappropriate access to your critical data?
  • Does your organization have a policy concerning the use of AI tools such as Chat GPT and the management of confidential or personally identifiable information?

""Red Flags

  • Inability to isolate personal identifiable information and confidential data
  • No training or policy related to data governance and controls
  • No policy concerning AI tools such as ChatGPT
  • Minimal use of data analytics for decision support or risk assessment, given data is private and confidential
  • History of data breaches

Internal Audit Project Opportunities

Data Privacy Compliance Audit
This audit ensures that the organization complies with relevant data privacy laws and regulations, including the General Data Protection Regulation (GDPR) in Europe, Quebec’s Law 25, and/or the California Consumer Privacy Act (CCPA) in the United States.
Data Access and Authorization Audit
This audit reviews the access controls and authorization mechanisms in place to ensure that data is only accessible by authorized personnel and that data access rights are appropriately managed.
Data Quality Audit
This audit examines the quality and accuracy of the data maintained by the organization. It includes assessing data validation, cleansing processes, and data documentation practices.
Data Retention and Deletion Audit
This audit assesses whether the organization is retaining data for the appropriate periods of time and is following proper procedures for data destruction when it is no longer required.
Data Security Audit
This audit evaluates the security measures in place to protect sensitive data from unauthorized access, breaches, or cyberattacks.
Data Governance Policy and Procedures Audit
This audit ensures that the organization has well-defined data governance policies and procedures in place and that they are effectively implemented and followed.
Data Classification and Handling Audit
This audit reviews how data is classified based on its sensitivity and criticality, and whether appropriate handling measures are in place for each classification level.
Data Lifecycle Management Audit
This audit examines how data is collected, stored, used, and eventually archived or deleted throughout its entire lifecycle.
Data Governance Training and Awareness Audit
This audit assesses the training and awareness programs provided to employees regarding data governance policies and best practices.
Data Governance Metrics and Reporting Audit
This audit reviews the organization's data governance metrics and reporting mechanisms to ensure that they effectively measure the success and performance of data governance initiatives.
Data Governance Committee Effectiveness Audit
This audit evaluates the effectiveness and efficiency of the data governance committee or similar governance bodies responsible for overseeing data management activities.
Data Governance Communication and Stakeholder Engagement Audit
This audit assesses how effectively the organization communicates its data governance initiatives to stakeholders and engages them in data management efforts.

Risk Trends in 2024 and Beyond

View all the risk areas featured in this year’s report. 

Insights

  • Agility

    November 05, 2024

    Agronomy 101: Navigating the trends shaping crop farming

    As crop farming evolves, so do the challenges — from soil health to chemical-resistant weeds. That’s where agronomy comes in.

  • Progress

    November 05, 2024

    Outsourced HR: Your partner in support

    Feeling overwhelmed as the only HR professional in your company? You’re not alone.

  • Confidence

    October 31, 2024

    How can the mortgage industry comply with FINTRAC’s anti-money laundering obligations?

    FINTRAC expanded its regulatory scope to include the mortgage industry starting on October 11, 2024. How can your business comply with the new AML requirements?