Building a Comprehensive Data Privacy Programme: Four Actionable Steps for Technology Companies
Most technology companies today understand that ensuring data privacy and protection is an imperative for their business; however, few manage this process well or even invest enough resources in that effort. As governments and consumers around the world continue to raise their expectations of how technology businesses should handle and process private and sensitive data, the need to both formalise and improve data privacy practices will become increasingly critical. Global technology companies in particular should reevaluate their geographic footprint with an eye towards ensuring compliance with global privacy laws.
High-profile data breaches and concerns about poorly managed data-sharing practices with third-party vendors and service providers are helping fuel the concerns of regulators and consumers. They are also driving the development of more and more stringent regulations stipulating how companies should handle sensitive consumer data.
In December 2020, for example, the U.S. Federal Trade Commission (FTC) launched an inquiry into the privacy policies, procedures and practices of several major social media and video streaming service providers, including Amazon, Facebook, Twitter, WhatsApp, YouTube, TikTok, Snap and Reddit.
In a joint statement on the inquiry, FTC Commissioners Rohit Chopra, Rebecca Slaughter and Christine Wilson observed that, despite the central role prominent online platforms play in daily life, the decisions those platforms make about consumers and consumer data remain shrouded in secrecy. “Critical questions about business models, algorithms, and data collection and use have gone unanswered,” the statement read. “Policymakers and the public are in the dark about what social media and video streaming services do to capture and sell users’ data and attention. It is alarming that we still know so little about companies that know so much about us.”
Several countries, including Brazil, Canada and South Africa, have implemented comprehensive privacy regulations. In recent years these efforts have been driven by the need for stricter data privacy rules around new technological and market developments. Within the European Union, for example, new rules governing the processing of information by electronic communications service providers are still being negotiated. After more than four years of difficult negotiations, the Council of the EU announced in February 2021 that member states had agreed on a negotiating mandate for the proposed ePrivacy Regulation, which is intended to replace the ePrivacy Directive in force since 2002. The text must still be agreed with the European Parliament before it becomes law.
The proposed regulation would cover electronic communications content transmitted using publicly available services and networks, the metadata related to those communications, and machine-to-machine data transmitted via a public network. In a statement, Pedro Nuno Santos, Portugal’s Minister of Infrastructure and Housing, speaking for the Council’s Portuguese presidency, admitted that the path to reaching an agreement had not been easy, but "we now have a mandate that strikes a good balance between solid protection of the private life of individuals and fostering the development of new technologies and innovation."
Among these technologies, artificial intelligence is a growing area of focus. In March 2021, the Centre for Information Policy Leadership, a global data privacy and cybersecurity think tank, issued a white paper on how to implement a risk-based approach to AI regulation and compliance. With the intention of informing current EU discussions on the topic, the organisation recommended, among other things, a regulatory framework focusing only on high-risk AI applications and a risk-based organisational accountability framework that calibrates AI requirements and compliance to the specific risks at hand.
Conditions for a federal privacy law in the United States are now likely to be more favourable under the Biden administration. The incoming team, which includes several members who worked in the Obama administration, has experience working on privacy issues. Federal privacy legislation would also be in keeping with Vice President Kamala Harris’ “track record and interest in privacy-related topics during her career as California attorney General and U.S. senator,” as The National Law Review notes.
As California’s Attorney General, Harris created the state’s Privacy Enforcement and Protection Unit in 2012 to regulate the collection, retention, disclosure and destruction of private or sensitive information by individuals, organisations and the government. Before that, she helped forge an industry agreement among the nation’s leading mobile and social application platforms to increase privacy protections for consumers who use apps on their smartphones, tablets and other electronic devices. Apple, Amazon, Facebook, Google, Hewlett-Packard and Microsoft are among the platform companies that signed on to that agreement.
There is also an expectation that the Biden administration can help smooth the path to negotiations with the European Commission over a new version of the EU-U.S. Privacy Shield. In July 2020, in its Schrems II judgment, the Court of Justice of the European Union declared the programme invalid as a mechanism for complying with EU data protection requirements when transferring personal data from the EU to the United States.
Any work toward creating federal data privacy legislation in the United States is likely to take a back seat in 2021 while the new administration addresses the COVID-19 pandemic, its economic and societal impacts, and other pressing issues for the country. Given these priorities, the administration is likelier to kick off its privacy agenda in 2022.
Meanwhile, states including Virginia, Maine, Massachusetts and Nevada have recently joined California in enacting their own privacy, data security, cybersecurity and data breach notification laws. California is preparing to stand up a new consumer data privacy agency, the California Privacy Protection Agency, following its voters’ approval of the California Privacy Rights Act (CPRA) in November 2020. Despite strong opposition from technology, media and telecommunications firms to state-based privacy rules, the fragmentation of U.S. privacy law is expected to continue until a federal privacy law is in place. Enthusiasm for more privacy rules remains high among state legislators, many of whom are closely watching their counterparts in states like California iron out the details of their laws before setting their own policies.
Changes in the regulatory environment aside, there are other reasons technology companies should prioritise building a comprehensive data privacy programme. Consumer sentiment is one. Recent data shows that 64% of consumers in the United States consider a company’s data privacy policies very important. In a recent survey of more than 1,000 North American consumers, over half of the respondents said they are likelier to trust a company that asks only for information relevant to its products or that limits the amount of personal information requested — a signal, perhaps, that these consumers perceive the company as taking a thoughtful approach to data management.
In the post-pandemic recovery period, technology companies will want to be well positioned to use customer data for innovation and to deliver new products and services. Transparent, easy-to-understand policies and practices for data privacy and protection help businesses earn users’ trust, and with it their willingness to let the company collect and use their data to create new and more personalised customer experiences.
Also, as the responsible investment trend continues to expand, a growing number of investors are casting a more critical eye over how technology companies protect their customers’ personal data. Current trends suggest data privacy practices are becoming more important to environmental, social and governance (ESG) reporting. As an example, S&P Global has added several cybersecurity and data privacy questions to the Corporate Sustainability Assessment it issues to companies. Some leading tech companies are already detailing their data privacy policies and practices in their corporate social responsibility reports and other public-facing outlets, including their websites.
Many technology companies have invested significantly in data privacy and protection efforts in recent years, though those investments have often fallen short. In many cases, revenue maximisation has trumped privacy, and as companies have grown larger and more complex, tracking data usage and ensuring compliance with laws and commitments has become a much more difficult activity. This is underscored by the fact that the issue of ensuring data privacy and protection consistently ranks among the top risks for technology companies in Protiviti’s annual global risk survey.
What's at Stake?
A strong privacy programme can help your organisation avoid:
- Major fines
- Loss of customers (and trust)
- Diminished investor confidence
- Decline in market share
- Damage to brand reputation
Legal and compliance teams at technology companies understand that building a comprehensive data privacy programme can no longer be a back-burner initiative. There is simply too much at stake, whether it is the potential for major fines for noncompliance or the loss of customers, investor confidence and market share. These teams know that data privacy challenges keep emerging and evolving, and that the way the company currently identifies and manages them needs to improve. To surface these issues, they should consider the following questions:
- Is the company moving and growing so fast that privacy is always an afterthought?
- How is the tone at the top influencing data privacy practices? Is leadership emphasising the importance of data privacy and communicating that message effectively, so that the company can build a culture of compliance?
- Is the company inadvertently violating its data privacy policies and commitments when different business units and teams take a siloed approach to launching new initiatives and don’t consider how those efforts may impact current policies and commitments?
- Are our engineering and product development teams standing in the way of the business implementing a data privacy programme because they worry it will have a negative impact on their work? (And is business leadership knowingly allowing them to resist change because it, too, worries about stifling innovation?)
- Is the business doing only the minimum when it comes to ensuring data privacy and protection, and thus creating risk by not doing enough?
- Does the company approach compliance with data privacy and protection mandates like one-and-done projects and not an ongoing programme?
It is fair to assume that most technology companies will answer in the affirmative to some, if not all, of the above questions as these are common problems that many are struggling to address effectively. But it also means technology companies have an opportunity to meet this key risk for their business head on and manage it far better than they likely are doing today.
Positive change comes from treating data privacy and protection efforts like a formal compliance initiative. That will help to ensure that the business, at all levels, starts to look at everything it does through a privacy lens. How does every new partnership, marketing strategy, product or service rollout, or other change potentially impact data privacy and protection commitments that the company has made, or the compliance mandates it needs to meet?
It takes time, focus and resources to transition to this way of thinking and make data privacy and protection an embedded process. Based on Protiviti’s experience working with leading technology companies, the following four steps are fundamental to laying the groundwork for a comprehensive data privacy programme that can help the business preserve customer confidence and meet evolving and intensifying regulatory expectations:
01: Conduct a data privacy risk assessment
This assessment is essential for identifying weaknesses in data privacy compliance and protection efforts. The objective of a typical risk assessment is to identify:
- The data the organisation collects, stores and processes, and where it flows, including to third parties
- The privacy risks to that data (e.g., unauthorised access or disclosure, use beyond the purpose for which it was collected)
- The controls the organisation has in place to address those risks
- The residual risks not addressed by those controls (i.e., the gaps)
Ultimately, the assessment can help leadership better understand which data privacy and protection regulations are most critical to the business and determine compliance obligations.
02: Establish a baseline
Baselining involves capturing the totality of an organisation’s privacy commitments: determining exactly what the company has promised its customers regarding how it collects, processes, stores and transfers their data and, most important, whether or not the company is honouring those commitments. Given the absence of a U.S. federal privacy law and the proliferation of disparate state laws, organisations need a baseline that anchors the framework they are building. They should also consider extending these commitments to contracts, third-party vendor relationships and training.
03: Manage change
Organisations must continually assess how new privacy decisions, changes to services and products, or changes to how consumer data is shared with third parties can affect data privacy commitments and compliance requirements. This has traditionally been a major challenge, particularly for large technology companies, where code and data change many times a day. Building a sustainable change-management programme that can keep up with that pace is critical. For leaders, this means making data privacy a strategic priority for the business and establishing a “culture of compliance” around it. Managing change effectively ensures that privacy commitments to customers are honoured and trust is maintained.
Two kinds of documentation are essential to a successful data privacy programme. First, document the privacy procedures, processes, risks and controls themselves. Many technology companies fall short here, because doing it comprehensively takes time, effort and investment. Second, document the business processes that handle customer information (or other covered information), because those processes generate the risks the firm needs to understand and manage. Properly understanding existing processes also means capturing how a change to any of them would alter the privacy risk. Organisations that do not maintain verifiable, readily accessible documentation of their plans and processes inevitably struggle to manage their programme. It is therefore highly recommended that an employee be dedicated to managing document security and compliance and to ensuring that all records are complete and kept up to date.