Article

5 considerations for boards to improve data privacy

Awareness and compliance are crucial to handling emerging threats

May 06, 2020
#
Risk consulting Cybersecurity consulting Cybersecurity

Data privacy is another formidable wave in the rising pool of datacentric business challenges. Protecting the personal information of every individual your company comes across can equate to defending millions of records. An effective plan that minimizes regulatory and operational risks can give your business a competitive advantage with customers and business partners. On the other hand, a faulty approach can result in staggering financial penalties and reputational loss. 

Your board can make data privacy a strength of the company by emphasizing two complementary elements: awareness and compliance. Within that framework, here are five strategic and tactical considerations for boards and their audit committees:

1. Establish oversight at different levels

Prioritizing data privacy begins with a commitment to internal oversight. Establishing a data privacy or information security committee would connect each of your company’s risk functions. The group could include members of the board and the audit committee, the chief information officer and the data protection officer. “Don’t shy away from bringing all the smart people to the table from Day 1,” said Charles Barley Jr., an RSM principal who specializes in risk advisory services. “They all have a vested interest in ensuring the same thing: the fundamental success of your organization.”

Looking down only from the top, however, is not enough. “You need to ensure that you have champions embedded within the business,” Barley said, “so that they can be your eyes and ears when new products, services, downloads of data or—dare I say breaches?— occur.” Empowering vigilant employees with lines of communication to the data privacy committee should expedite response times when problems arise. Audit committees can use those frameworks to press internal custodians of data about specific risks. They can also ensure that new products, technologies and services build in data privacy safeguards from the start.  

2. Create your data map

The starting point—and focal point—for protecting data privacy is a set of basic questions that boards and senior management must continuously ask and assess.

What data must be protected? Why do we collect it? Where do we store it? How do we process it? How long do we keep it? “When you go home at night, you understand what’s important to you and how you want to keep your personal assets safeguarded from others,” Barley said. “We think about organizational safeguards in the same manner.”

The answers to those questions create a compass to direct your board through decisions and operations that ensure data privacy. The questions challenge underlying assumptions about the costs, risks and benefits of collecting data; data safeguards and third-party access to data.

3. Promote awareness in all forms 

Recognizing the challenges and pitfalls of data privacy is a cornerstone to protecting it. Awareness is crucial, from training to transparency to knowing potential penalties for noncompliance. It starts with the set of basic, specific questions: What data must be protected? Why? Where? How?

Understanding what’s at stake should motivate your entire company to embrace a comprehensive data privacy strategy. Consider the two main types of risks—operational and regulatory—and how they are intertwined. Simply put, if your operational safeguards are inadequate, regulatory fines can soar into the billions of dollars in some cases; unfortunately, fines are governed by relatively new rules. At the same time, though, there’s an upside to emphasizing thorough data privacy processes. In this digital age, that can be a differentiator in competitive industries. 

“You may not be trusted with the personally identifiable information available to you if you cannot truly say you are aligning with the risk management expectations of the data privacy regime,” Barley said. “When you’ve built the privacy posture that aligns with the global expectation, it can become a true competitive advantage for you. We often tell organizations that privacy is a business issue.”

That includes customer awareness of your privacy practices. For example, consider a hotel that collects a customer’s name, address, email and credit card information in order for the customer to stay in the hotel. Does the customer understand why the hotel takes that information and how it will be protected? “You must be transparent,” Barley said, “And you must assure them that you are managing that data in line with your other internal risk management practices.”

4. Structure and test your action plan

As your board or audit committee devises and enacts its risk management program, it should include data breach scenarios. What are the playbooks for business continuity and the various responses, whether it be with regulators, shareholders or the media? Are the right people empowered with responsibilities in the proper areas?

In the event of an incident, your company’s relationship with regulators can influence whether you face heavy punitive fines or lighter penalties designed to encourage compliance. “The good news is, to the extent companies take action toward compliance, they automatically reduce the risk and move potential enforcement action to the left of the spectrum,” said RSM’s Alain Marcuse, a director who specializes in security, privacy and risk. 

Once the plan is in place, your board’s work does not stop there. “Don't rest on your laurels and build an environment once, walk away and assume that it's going to remain secure or compliant with the regulation of choice,” Barley said. “Conduct ongoing risk assessments to really validate those assumptions and define mitigating control strategies going forward. Validate the collection of use limitations and ensure that you are minimizing what you're collecting from the data subjects.” 

5. Look outward for help

Many states have fusion centers that businesses from any industry can join to share information on emerging threats. Law enforcement can disseminate that intelligence across industry sectors. You might find your business is not alone in being threatened. These centers can help bring to light best practices, as well. They underscore the value of awareness.

Related insights

Subscribe to Critical Insights for Board Members

We work to understand the responsibilities of public and private boards of governance and share our views on what matters—for board members and those who report to them.