business meeting with white board

The Areas of Greatest Risk and How to Cover Your Bases

Privacy officers spend so much of their time putting out fires and focusing on operational activities, that they don’t have time to see the trends (and accompanying risks) that are around the corner. Brian Lee and Stephanie Quaranta outline three major risk themes and ten emerging risks privacy and compliance officers should be aware of heading into 2018.

with co-author Stephanie Quaranta

These are challenging times for organizations. A rapidly evolving technological and regulatory environment has created exciting opportunities for data use and collection, as well as new – and potentially serious – privacy concerns. As compliance and privacy executives incorporate these risks into their 2018 planning, CEB, now Gartner has identified three major risk themes and ten emerging risks that they should monitor closely.

Theme 1: Heightened Public Scrutiny

Recent data breaches and privacy failures have increased the public’s concern for data security and use.  Consumers are becoming increasingly reluctant to share personal information – and regulators are not far behind. In addition, external threats aimed at gaining access to sensitive information inside of organizations are becoming more sophisticated. Specifically, executives should account for these emerging risks:

  • Regulatory Fragmentation: Today’s global regulatory environment is more complex and the consequences of failure are more severe. More than 100 countries now restrict the collection and use of customer and employee information. Despite the consolidation of privacy standards in the European Union through the General Data Protection Regulation, other countries (the U.S. included) have been slow to create compatible frameworks.
  • Erosion of Customer Trust: Organizations are beginning to face a backlash from customers that have become wary of sharing their information, citing concerns about how companies use it and how well they protect it. In fact, 79 percent of consumers say they are unlikely to share data with companies they do not trust. More and more, organizations are relying on data for success, but failure to appropriately safeguard it jeopardizes their ability to access it.
  • Ransomware: Global ransomware damage costs are predicted to exceed $5 billion in 2017, up from $325 million in 2015. Individual and organizational data are at risk of corruption and theft, disrupting sales and key business initiatives. In addition, failure to actively protect customer and employee information from ransomware attacks could put organizations in violation of regulations such as HIPAA and the FTC Act.

Theme 2: Analytics-Based Business Models

Data analysis is fast determining everything from target marketing to whom to hire. The benefits are obvious—sizeable revenue and productivity gains – but with these benefits comes risk, from storing the growing amount of data to ensuring its proper use. Therefore, compliance and privacy executives should pay attention to:

  • Consumer Marketing: Many organizations advertise using apps and social media, enabling the collection of even more valuable consumer data. While this data-driven, personalized marketing has significant business benefits, there are also risks to using consumer data, specifically shifting expectations (and accompanying notices) around consent.
  • Talent Analytics: Talent analytics’ growing prominence means companies are collecting more employee data and processing it to understand performance, retention and engagement – all areas of significant privacy risk.
  • Shifting Data Assets to the Cloud: Our research predicts that more than half of global enterprises currently using some form of cloud solutions will have adopted a full cloud strategy by 2021. As cloud systems gain prominence, organizations will increasingly rely on third-party providers and security. This is especially concerning – 70 percent of IT professionals worry about ensuring the security and privacy of data and systems on the cloud.

Theme 3: Corporate Digitization

Today’s consumers are impatient — they expect organizations to deliver their products and services quickly and efficiently. Meeting this demand requires organizations to overhaul their operations, relying more on digital and interconnected processes and systems. These advances often outpace privacy and security oversight, creating new or heightened privacy risk exposure. As a result, executives must monitor the following emerging risks:

  • Digital Transformation: By the end of 2017, two-thirds of Global 2000 CEOs will have “digital transformation at the center of their strategy.” This requires fundamental changes in the collection, use and storage of information, and executives must ensure business growth doesn’t come at the expense of undue risk.
  • Legacy Processes and Systems: Many compliance and privacy executives report limited visibility into the data legacy processes and systems are dealing with a problem; this has only worsened with more M&A activity over the past decade, causing one legacy system to be cobbled onto another. This makes managing an organization’s data flows a logistical challenge, increasing the chance that data is mishandled or unsecured.
  • Artificial Intelligence (AI): Businesses are capitalizing on AI advances to drive value through automation. In fact, 72 percent of business executives believe AI will be the business advantage of the future. Optimizing AI functionality means collecting more kinds of data more quickly, but can also multiply the risk of privacy failures as new types of metadata are created.
  • Internet of Things (IoT): Organizations are increasingly focused on creating “smart” products that improve the customer experience through interactivity and data processing. However, IoT technology also increases the number of access points and volume of generated data, thereby magnifying the avenues by which personal information can be compromised.

To manage the risks outlined above, executives must shift from reacting to risks the business accepts, to preventing unnecessary risk from being assumed in the first place. They can do this by:

  • Establishing a Privacy Risk Consensus: In the “gray areas” where regulation has not kept pace with technology, organizations must decide on an approach for the managing of high-risk information and codify this stance in a set of common guidelines. Privacy should serve as a strategic advisor on the organization’s data strategy, helping stakeholders understand tradeoffs and take smart risks.
  • Building Privacy Considerations Into Business Workflow: To proactively manage risk is to ensure the business considers privacy at the start and throughout the lifecycle of any project. For this to happen, Privacy must design considerations to be natural parts of business systems and processes.
  • Maintain Ongoing Risk Visibility: To keep pace with an ever-changing business, technology and regulatory environment, Privacy must move from a reliance on point-in-time risk assessments to “always-on” monitoring that enables agile response to changes in risk.

As organizations navigate this complex environment, they are taking risks to drive innovation, productivity and growth. To ensure smart risks are being taken, compliance and privacy executives need to understand how regulations, technology and corporate strategy spur new privacy risks and be prepared to adapt their programs in response.

 


Brian Lee

Brian Lee is a Practice Leader in CEB’s Compliance & Legal Practice, which provides best practices research, benchmarking and management consulting advice to more than 1,500 legal, compliance and privacy heads worldwide.  He is responsible for the practice’s overall research agenda, strategic vision and day-to-day operations.  While at CEB, Brian has led a number of qualitative and quantitative research initiatives on a wide range of legal, compliance and privacy department issues, including risk assessment and management; department strategy and effectiveness; training and communications; and building an ethical corporate culture.

Related Post