Business Ethics,Cybersecurity,Risk Management,Strategy,Technology
October 8, 2019
Responsible Privacy: Is the Board Doing Its Part?
October 8, 2019
At a June 2019 roundtable event, Protiviti
met with a group of active directors to discuss their experiences with
governance of data privacy. The conversation surfaced key takeaways on how to
best oversee data privacy. A summary of the critical discussion points follows.
- Recognize that privacy programs are stressed. Drivers of change are pressure testing data privacy compliance programs and creating a complex legal matrix for companies to navigate. Factors of change include increased privacy regulations, emerging technology, consumer control over the use of personal data, growth of vendor networks, and the forces of globalization and localization. Directors and management should be cognizant of the increasing intricacy of the privacy and security environment and determine its implications for their company’s business model. Boards should foster the coordination and support for the following leaders and operational groups to stay current with and meet the most recent regulations: the chief information officer, general counsel, designated compliance officers, and business unit leaders.
- Ask the right questions. From a data privacy perspective, boards are wrestling with understanding not only what is legal but also what is ethical and aligns with a company’s brand. Compliance according to the letter of current privacy laws is one standard. Understanding to what extent data privacy is an integral part of the organization’s corporate strategy and business model, and how management defines the appropriate use of consumer data, is a different and higher standard. The participating directors at the roundtable agreed that the board’s primary role is to ask the right—and difficult—questions with regard to privacy, keeping in mind three important, interrelated issues: compliance, ethics, and corporate strategy. To that end, directors should consider the following:
- How is the organization dealing with the diverse standards that exist globally and, in some cases, nationally? How effective are the company’s compliance processes in meeting current data privacy regulations? Are our compliance processes flexible enough to meet future data privacy obligations?
- Compliance with privacy laws and regulations aside, what are “responsible” privacy practices given today’s optics and for the organization specifically? Is managing and using the company’s data about ensuring regulatory compliance, doing the right thing, or both? What are the company’s mores, policies, and standards with regard to securing and leveraging the data of its customers? As one director noted, boards need a “North Star” with regard to overseeing the organization’s data and privacy management.
- As part of the corporate strategy, what types of data usage are permissible in the organization? What policies and boundaries are in place to prevent improper use of sensitive data?
- Understand the business purpose. On the topic of emerging technology, the directors agreed that the board needs to work with management to understand the processes and technology the organization uses to grow its business, and in the process, learn how it will use the data it collects—perhaps for marketing, business development, monetization, or other purposes. Specifically, the board should understand from management what the business is doing with the data, the risks arising from how data is collected and maintained, and how those risks are managed. In understanding the business purpose of collecting information and how the collection process and the use of data are communicated to customers, it’s also important for directors to inquire if the organization really needs all of the information it is collecting.
The focus on purpose is ultimately about answering the question, “How much data is too much data?” Does the organization place guardrails around data collection to manage its risk? Or does it collect all of the information it can, understanding that there may be opportunities to monetize that data in some way, provided the company is complying with applicable laws and regulations? If it is the latter, is the return on investment from the monetization effort sufficient to make the trouble of collecting and managing data and the related risks worthwhile? If so, is this return on investment from the monetization of data collected integral to the strategy for driving shareholder value?
outside the organization. Boards also need to ensure that management
understands where critical data resides and how it is managed both within the
supply chain and among third-party providers. Privacy and data issues arising
with any third party—whether first-, second-, or third-tier suppliers, outside
processors of personal identifiable information (PII), or some other external
party—still look back to the source for ultimate responsibility. That means any
given company and its brand are ultimately liable for damages should its third-party
vendors experience a data issue. That is why the board should obtain assurances
from management, with the appropriate level of support, that the right vendor
and third-party risk management and oversight processes are in place. They
should also ensure that all third parties are operating consistently with the
same privacy standards and maintaining data in compliance with the contracting organization’s
data aggregation practices. The roundtable discussion noted that data aggregation is another
ethical and legal issue that organizations potentially face, particularly if
they sell access to that data to other organizations. The collection of
individual data is different from the aggregation of data, which may not impact
individual consumer data and privacy. Boards need to work with management to
define the activities and parameters around data aggregation and ascertain
whether the organization’s risk profile may change as a result. There also are
different ethical considerations involved, as aggregated data may no longer
contain PII or legally protected consumer information. Accordingly, the board
should understand the organization’s strategy and practices regarding data
aggregation in the context of the company’s agreed upon views on ethics,
compliance, and the desired risk profile.
For a complete look at this roundtable, including more key takeaways, read Protiviti’s full summary of the event here.