Framing the Data Privacy Discussion in the Boardroom
Data proliferation and data privacy regulatory activity across the globe have created the need for focused boardroom discussions.
While cybersecurity continues to be an issue for boards, a more targeted focus on data privacy is increasingly necessary to ensure compliance across a rapidly expanding number of privacy regulations. Privacy risk represents a unique challenge driven by the volume and type of data an organization captures and retains. The evolving regulatory environment, and changes to business and technology, further complicates this risk. The takeaway for directors: be familiar with the key components of data privacy and prepared to ask the right questions.
Privacy regulations focus on proper handling of personal data (data connected to an individual), which may include protected health information, Social Security numbers, bank accounts, medical histories and other classes of protected information of varying designations and regulated by various bodies and jurisdictions. The definition of personal data is also broadening as new technologies and data are created and collected. Whatever its composition, directors should inquire of and discuss with management the proper governance over personal data for collection, use and protection in accordance with applicable laws and regulations. As more data is collected, purchased, transformed, stored, shared and monetized, this task becomes more challenging.
Directors should position themselves to participate in boardroom discussions with executive teams and the company’s cyber and data privacy professionals regarding data governance and information security matters as regulatory scrutiny, the risk of cyberattacks and consumer demands for privacy protections continue to escalate. To that end, below are eight topics relevant to the boardroom conversation around data privacy.
In addition to knowing what their “crown jewels” — the enterprise’s most important information-related assets — are, organizations need to understand what personal data they hold, that appropriate privacy controls are in place, and that the data may either qualify for data subject access or deletion requests or have disclosure obligations. Recurring data inventory and classification assessments are standard best practice for all organizations storing personally identifiable information. Directors should ask management how the organization leverages external parties to validate that appropriate privacy-related controls are in place.
Directors should understand the organization’s business purpose in collecting information, the collection process itself and the notice communicated to customers for the use of data. The “why” is just as important as the “what.” Some questions directors should consider include:
- Is the company limiting data collection and retention only to the specific data points needed to drive its strategy while ensuring compliance with applicable privacy laws and regulations?
- How does the company acquire and use the information it collects?
- Are there industry-specific factors to consider, e.g., healthcare providers and financial institutions have specific data collection and management requirements?
- Has the company reviewed its policies and processes directed to the various media channels through which it engages consumers (however the company segments them)?
Thus, the organization’s mission and values have a bearing on the data it obtains. This conversation can lead to policies that place guardrails around data collection to manage data privacy risk. This is another area that may warrant a professional review.
Currently, there are at least 62 countries that have implemented, or are in the process of developing, their own privacy rules or mandates. So, there are privacy laws all over the planet — including in many U.S. states. To comply with emerging, unique privacy requirements in multiple jurisdictions, increased investment is likely required in addition to specialized talent to ensure that business processes are compliant. Boards should inquire how in-house or outside legal counsel is sharing responsibility (and documenting evidence) across the organization for staying abreast of evolving privacy laws and expanding their knowledge of data privacy requirements in the jurisdictions in which the organization operates. A further complicating factor is that case law is evolving rapidly, which may expand the risks and penalties to organizations and directors.
Directors should inquire, for example, whether the company is using the standard contractual clauses (SCCs) pre-approved by the European Union (EU) pertaining to the sharing of data between EU and non-EU countries. These clauses provide standard terms and conditions to which both the sender and the receiver of personal data agree, with the objective of considering and upholding the rights and freedoms of the individual. Adopting these SCCs is a regulatory requirement for exchanging data with EU countries and is enforced by the European Commission.
The prevalent trend in the marketplace is to utilize zero-trust architectures to ensure secure access to everything by everyone all the time. The idea is to shift cyber controls closer to the data that the organization must protect, a notion that is fit for purpose in addressing the complexities of today’s digital customer and supplier interactions, hybrid work environments, ever-expanding data protection requirements, and increasingly sophisticated cyber and ransomware attacks. Practices becoming more pervasive over time include:
- Implementing strong “continuous verification” authentication technology
- Segmenting network access to reduce attack surfaces to limit the “blast radius” in the event of a breach
- Verifying end-to-end encryption and continuous network monitoring
- Applying least-privileged access by permitting only minimum privileges when granting access to data and applications
- Implementing privacy-by-design and cybersecurity-by-design methodologies that encourage proactive integration of privacy regulation and data management
Notwithstanding that data privacy is a priority, businesses face obstacles when it comes to compliance preparedness. Lack of time and bandwidth, followed closely by the complexity of laws and regulations are examples. Boards should encourage management to identify the trouble spots for privacy compliance, assess their severity and apply best practices to enhance the privacy program. This conversation may entail an assessment of the sufficiency of budget and resources as well as accountability for results. Stress-test protocols, tabletop exercises and the insights they provide are also of interest to the board.
Myriad privacy tools are becoming available that can provide confirming metrics that measure access to and usage of consumer personal data and enterprise privacy governance. These tools can help executive teams and their boards understand and effectively communicate an organization’s performance against its strategic objectives. Key performance indicators on the CEO’s and board’s dashboard are an imperative, but the quantity of tools may present a challenge. Going forward, companies are likely to streamline their current automated systems and models through significant consolidation of tools and rely on fewer tool vendors, creating more sustainable processes and reporting.
The pervasiveness of data creates a challenge for boards. Multiple functions are accountable for the privacy and security risk of the data their activities collect, use and store, e.g., information technology, cybersecurity, human resources, legal and compliance. Some boards have a technology committee that reviews data privacy matters. Others assign these matters to the audit committee, and still others, in a highly regulated environment, to a compliance committee. For public companies, these matters merit consideration in every formal meeting of the committee that advises on data privacy, or more frequently as necessary— which underscores the importance of putting effective analytics and dashboards in place. Companies with substantial business-to-consumer operating models will require more attention to these issues. The full board should be privy to a report or briefing on data privacy performance at least annually.