Top 10 Data Governance and Compliance Predictions for 2024
George T. Tziahanas | December 14, 2023
When this year began there was tremendous macro uncertainty in the markets, M&A and venture funding were deep in the doldrums, and few people predicted the transformational year that followed. At the risk of a Swiftie backlash, perhaps in addition to all things Taylor Swift, this year was all about data. Artificial intelligence went mainstream, the legal industry learned that an LLM meant something other than a Master of Laws degree, and organizations built out their C-suites with a role dedicated to data (the CDO). Data is now front and center to how nearly every organization and government will operate, how new value is generated, and where risk lurks. With this as a background, it is time to consider what it portends for 2024:
1. AI/ML models, training, and decisions become new class of business and government records
As organizations increasingly rely on AI and ML to create, process, and analyze huge volumes of data, the decisions and outcomes that result from their use will bring new obligations. AI-generated content will be subject to existing enterprise security, privacy, retention, and legal obligations. More challenging will be retaining sufficient information regarding how models were developed, which models were used, and how they were trained. Since organizations will increasingly rely on analysis and decisions by AI, parallel requirements to maintain this information will develop.
2. First set of significant regulatory enforcement actions based on AI/ML driven decisions or analysis
Beneath the calls for new legislation or regulation of AI globally, the telltale signs of impending enforcement actions are already with us. Earlier this year, Italy briefly banned ChatGPT until changes were made to address privacy concerns, and the EU Data Protection Board launched a dedicated task force to coordinate potential enforcement actions.
Earlier this year, the Consumer Finance Protection Bureau (CFPB), U.S. DOJ Civil Rights Division (DOJ), the Federal Trade Commission (FTC), and the Equal Employment Opportunity Commission (EEOC) issued a joint statement on “efforts to protect the public from bias in automated systems and artificial intelligence.” These agencies, along with the EU DPB, have indicated they already have sufficient statutory and regulatory authority to enforce their mandates against AI-driven actions, as they would with humans engaging in proscribed conduct.
Any attempts to draft new laws or regulations around AI will take years, and at best we see recommendations and frameworks evolving given the complexity and speed of development. As a result, regulators are unlikely to wait for new statutory guidance, and will leverage what is already on the books for enforcement actions.
3. Government agencies slow to adopt Generative AI, despite calls for its use
Predicting that governments will be slow to adopt new technologies is perhaps not exactly far-reaching; however, there are calls at all levels to bring AI into agencies. The US Office of Management and Budget even issued a requirement that all agencies appoint a Chief AI Officer within 60 days (of Nov 1, 2023). It is not a surprise given the real value and hype around AI, but adoption will likely be slow, and not for lack of available budget or capacity to spend a lot of money.
Many of the technologies used by governments were custom developed for specific workloads or resulted from significant integration efforts of many different solutions. This resulted in data that is more siloed than in the commercial world, and lacks some of the modern architectures (especially cloud-based) that provide means for AI applications to analyze, model, and consume data from these systems. An emphasis on “Trusted AI” across governments globally will require that they get much better governance over their existing environments before they can make the best use of AI.
4. Organizations look to consolidate number of data sources, after years of broad-based expansion
Organizations have seen significant expansion of collaboration applications, and sources creating and sharing large volumes of data. This was in part driven by COVID and now hybrid work forces, as well as a general change in how employees and customers expect to engage.
Enterprises are now realizing this also increased potential risks associated with security and privacy and increased the complexity in managing their affirmative legal and compliance obligations. We expect to see consolidation, and if not an outright decrease, serious attempts to maintain current levels.
5. Accelerated migration of on-prem data to secure cloud-environments
It seems counter-intuitive that with significant adoption of cloud environments already in place, we would be talking about accelerating migration of on-prem data. However, there remains a tremendous amount of data residing in data centers managed by enterprises and governments globally. One analyst commented there are approximately 1,000 exabytes of unstructured data that reside on-prem, destined for the cloud.
On a regular basis, we hear our current and prospective clients discuss a need to move petabytes of data because of data center consolidation or exits, or to improve risk posture. A KPMG survey of Chief Risk Officers highlighted the importance of cloud technologies for data management and access to mitigate risk. We agree with both the importance and the trend.
6. Business and cyber resiliency requirements codified in regulations and statutes, enforced in practice
The EU released the final language on its Digital Operations and Resiliency Act (DORA), targeted at the Financial Services Sector. Recognizing the importance of this sector, the heavy reliance on technology, and the interconnectedness of many parties, it introduced and harmonized specific requirements ensuring resiliency of regulated firms. The U.S. SEC has proposed updates to its Reg SCI (Systems Compliance and Integrity), expanding the scope of firms included, and sharing many of the same characteristics as DORA.
The biggest impact is not necessarily on how a given regulated firm operates, but rather on the analysis and impact of the interconnected third parties used to deliver its services. This will add layers to third-party risk analyses, which will also push down additional operational resiliency requirements to many entities not directly regulated.
7. Data sovereignty continues across jurisdictions, and increases in scope where already in place
Data sovereignty requirements continue to grow and evolve, as we move from a regime focused on “national security” to “national interest.” The latter is broader, and governments globally have recognized certain types of information (e.g. privacy related), or certain sectors (energy, financial services, infrastructure) are critical to their interest, even when not part of national security related classifications.
For multi-national organizations, this has added to the complexity of their data governance practices. It has also driven the hyperscale cloud providers (e.g. Microsoft, AWS, Google) to increasingly deploy environments in these regions or countries. Where ubiquity in technology and ease of data movement drove data sovereignty, cloud solutions ironically will help meet these requirements.
8. Retirement of legacy data and applications high on priority list for organizations
Legacy applications remain a high-cost, high-risk environment in most cases. Difficulty upgrading and patching these systems makes them vulnerable to cyber and privacy breaches. Organizations also lose institutional knowledge necessary to operate these systems with each passing year, adding to operational risk. Retirement of legacy systems will remain high on the priority list for most organizations.
9. Use of ephemeral messaging and off-channel communications becomes broader compliance and business records issue
The use of off-channel (unapproved) communication channels by employees of financial services firms to conduct business, and the resulting regulatory fines, are well known; the fines add up to $2.8B to date. Organizations outside financial services may not appreciate how much of their business is being conducted in a similar manner, and even where not specifically proscribed by regulation, it undoubtedly presents risks.
Employees working through unapproved and unmanaged channels increase privacy and cybersecurity risks. In addition, business records and operational information may not be appropriately captured, while company confidential information is also exposed. Organizations across industries should revisit the tools they make available to employees and third parties, and also make sure they have solid policies and practices on the subject.
10. Drive to “Manage-in-Place 2.0” will revisit similar issues as v 1.0, and organizations will recalibrate their approach
Managing-in-Place (MIP) is a concept where most of the data governance (retention, disposition, eDiscovery, security, and privacy) can be managed in source systems. Version 1.0 of this concept was driven by solutions trying to bridge many shortcomings in source systems, where they lacked adequate (or any) search, retention/disposition, or basic eDiscovery capabilities. And while these attempts filled many of these gaps, the source systems' limitations ultimately prevented the dream from becoming reality.
Recently we have seen MIP v 2.0 introduced, as source systems have improved many of the basic data governance capabilities. However, most of these systems are not designed to do this at scale, over a long period of time, especially as data ages and is of nominal operational use. This also results in bloat of operational systems, decreasing their efficacy, while increasing costs without the associated increase in value. We expect organizations will realize some data is appropriately managed in operational/source systems, but a lot of other data belongs in dedicated governance platforms.
While 2024 continues the “all things data” trend from 2023, it will be a year that sees maturation and complication. AI will continue through the hype cycle, use cases will evolve, and areas of high value will emerge. Organizations will look to gain better governance over data, so its value and risk are balanced. In parallel, governments and their regulators will remind the market they have a role to play in AI and the use of data more generally. Altogether this means 2024 is likely the year enterprises and solution providers must move beyond the hype, and need to deliver technologies and practices that will stand the test of time.
George Tziahanas, AGC and VP of Compliance at Archive360, has extensive experience working with clients with complex compliance and data risk related challenges. He has worked with many large financial services firms to design and deploy petabyte-scale compliant books and records systems, supervision and surveillance, and eDiscovery solutions. George also has significant depth developing strategies and roadmaps addressing compliance and data governance requirements. George has always worked with emerging and advancing technologies, introducing them to address real-world problems. He has worked extensively with AI/ML-driven analytics across legal and regulatory use cases, and helps clients adopt these new solutions. George has worked across verticals, with a primary focus on highly regulated enterprises. George holds an M.S. in Molecular Systematics, and a J.D. from DePaul University. He is licensed to practice law in the State of Illinois, and the U.S. District Court for the Northern District of Illinois.