Data proliferation and data privacy regulatory activity across the globe have created the need for focused boardroom discussions. An underpinning to such discussions is the inextricable link between data privacy compliance and information security. Protiviti’s Jim DeLoach shares eight questions companies need to answer in their pursuit of data privacy compliance and best practices.
While cybersecurity is a fundamental business risk for most organizations, a more targeted focus on data privacy is increasingly necessary to ensure compliance across a rapidly expanding number of regulations. The privacy data component of cybersecurity represents a unique challenge driven by the volume and type of data an organization captures and retains. Reliable data classification may reveal information that is confidential, proprietary or sensitive in nature, including data that is a source of competitive advantage and of considerable value to the enterprise — e.g., intellectual property (IP).
Privacy data may consist of personally identifiable information (PII), including protected health information (PHI), in the form of Social Security numbers, bank accounts, medical histories and other classes of protected information of varying designations that are regulated by various bodies and jurisdictions. Whatever the composition of PII, organizations must engage in a balancing act. In addition to enabling both access to protected data and the performance of necessary corporate functions using that data, companies must secure and protect that data in accordance with applicable laws and regulations. As more data is collected, purchased, transformed, stored, shared and monetized, this balancing act becomes more challenging to navigate.
In this environment, directors and senior executives should position themselves to participate in boardroom and C-suite discussions with cyber and data privacy leaders on data governance and information security matters as regulatory scrutiny, the risk of cyberattacks and consumer demands for privacy protections continue to escalate. To that end, below are eight topics relevant to these conversations around data privacy.
1. Do we know what data we have and where it is?
In addition to knowing what their “crown jewels” — the most important enterprise information-related assets — are, organizations need to understand what privacy information they hold, the legal protections that are in place, and whether the data qualifies for data subject access or deletion requests or has disclosure obligations.
This conversation often leads to a realization that data should be classified and stored in a manner — whether structured or unstructured — that allows the organization to determine whether there is exposure to any of the privacy requirements of the jurisdictions in which it operates. If there is any question about data existing inside the company, that data should be maintained with encryption techniques, particularly when the data is available in real time. In addition, data access should be managed, which could entail updating access management rights.
Recurring data inventory, classification and assessment are standard best practice for all organizations retaining PII. Engaging third parties to assess data veracity and security controls offers additional assurance. As the external auditors may force this conversation, management should be prepared by classifying all data inside the organization and determining that protected data is properly stored, secured, shared and disposed of.
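The inventory and classification step described above is easier to reason about with a concrete, if minimal, scanner in hand. The following Python is an added example, not code from the article or from Protiviti: it walks a constructed sample of records from two hypothetical data stores, tags each field as PII, PHI, financial or public using simple pattern rules, and reports where protected data lives and whether the store holding it is marked as encrypted at rest. The store names, field names, classification labels and pattern rules are all assumptions made for illustration; a production program would use a DLP engine with validation and context rather than bare regular expressions.

```python
"""Added example (not from the article): a minimal data-inventory scanner.

Classifies fields in sample records by simple pattern rules and builds an
inventory of where protected data lives. All names and rules are assumptions.
"""
import re
from collections import defaultdict

# Pattern rules are deliberately simple; a real scanner would validate
# (e.g. IBAN check digits) and use context. Order matters: first match wins.
RULES = [
    ("SSN", re.compile(r"^\d{3}-\d{2}-\d{4}$"), "PII"),
    ("IBAN", re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"), "FINANCIAL"),
    ("EMAIL", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I), "PII"),
    ("ICD10", re.compile(r"^[A-TV-Z]\d{2}(\.\d{1,4})?$"), "PHI"),
]


def classify_value(value):
    """Return (label, class) for the first matching rule, or (None, 'PUBLIC')."""
    if not isinstance(value, str):
        return (None, "PUBLIC")
    for label, pattern, cls in RULES:
        if pattern.match(value.strip()):
            return (label, cls)
    return (None, "PUBLIC")


def build_inventory(stores):
    """stores: {system: {"encrypted_at_rest": bool, "records": [dict, ...]}}.

    Returns {(system, field): {"class", "label", "count", "encrypted"}} for
    every field in which at least one protected value was found.
    """
    inventory = {}
    for system, store in stores.items():
        counts = defaultdict(int)
        for record in store["records"]:
            for field, value in record.items():
                label, cls = classify_value(value)
                if cls != "PUBLIC":
                    counts[(field, label, cls)] += 1
        for (field, label, cls), n in counts.items():
            inventory[(system, field)] = {
                "class": cls,
                "label": label,
                "count": n,
                "encrypted": store["encrypted_at_rest"],
            }
    return inventory


def findings(inventory):
    """Protected fields that live in a store not encrypted at rest (sorted)."""
    return sorted(
        (system, field)
        for (system, field), meta in inventory.items()
        if not meta["encrypted"]
    )


# Constructed sample data; every value is fictional.
SAMPLE_STORES = {
    "crm": {
        "encrypted_at_rest": True,
        "records": [
            {"name": "A. Example", "email": "a.example@example.org", "ssn": "123-45-6789"},
            {"name": "B. Example", "email": "b@example.net", "ssn": "987-65-4321"},
        ],
    },
    "billing_export": {
        "encrypted_at_rest": False,
        "records": [
            {"customer": "A. Example", "iban": "DE89370400440532013000", "diagnosis": "E11.9"},
        ],
    },
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_STORES)
    for key, meta in sorted(inv.items()):
        print(key, meta)
    print("protected fields in unencrypted stores:", findings(inv))
```

Run as a script, it lists each (system, field) pair holding protected data together with its class and count, and then the pairs that sit in an unencrypted store; that last list is the kind of exposure summary the board-level conversation above is asking management to be able to produce.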
2. Do we have a clear view as to why we acquire and retain data?
Directors and senior executives should understand the organization’s business purpose in collecting information, the collection process itself and the notice communicated to customers regarding the use of data. The “why” is just as important as the “what.” Some questions to consider include the following:
- Is the company limiting data collection and retention only to the specific data points needed to drive its strategy while ensuring compliance with applicable privacy laws and regulations?
- How does the company require and use the information it collects?
- Are there industry-specific factors to consider (e.g., healthcare providers and financial institutions have specific data collection and data management requirements)?
- Has the company reviewed its policies and processes directed to the various media channels through which it engages consumers (however the company segments them)?
The organization’s mission and values have a bearing on the data it obtains. This conversation can lead to policies that place guardrails around data collection to manage data privacy risk. This is another area that may warrant a professional review.
3. Are we on top of the compliance requirements to which we are subject?
The number of countries that have enacted data protection laws is expanding constantly. Currently, some 137 countries have put in place legislation to secure protection of data and privacy, with the level of adoption varying country by country. The trend is unmistakable, as most countries in the world recognize the right of privacy explicitly in their constitution. Bottom line, privacy laws are virtually everywhere on the planet — including in different states within the U.S.
To comply with emerging, unique privacy requirements in multiple jurisdictions, increased investment is likely required in addition to specialized talent to ensure that business processes are compliant. Executive management and the board should inquire how in-house counsel or outside legal counsel is sharing responsibility (and documenting evidence) across the organization for becoming familiar with evolving privacy laws and expanding their knowledge of data privacy requirements in the jurisdictions in which the company operates. Additionally, a complicating factor is that case law is evolving rapidly, which may expand the risks and penalties to organizations and directors.
4. Are we fostering a zero-trust environment to protect the data of consumers, employees and third parties?
The level of sophistication of adversarial parties trying to access information has risen dramatically over the years, including carefully orchestrated, deceptive phishing tactics, distribution of data on the dark web and advanced persistent threats. The prevalent trend in the marketplace is to utilize zero-trust architectures to secure access to everything by everyone all the time. The idea is to shift cyber controls closer to the data that the organization must protect, a notion that is fit for purpose in addressing the complexities of today’s digital customer and supplier interactions, hybrid work environments, ever-expanding data protection requirements, and increasingly sophisticated cyber and ransomware attacks.
Practices that are becoming more pervasive over time include:
- Implementing strong “continuous verification” authentication technology
- Segmenting network access to reduce attack surfaces, limiting the “blast radius” in the event of a breach
- Verifying end-to-end encryption and continuous network monitoring
- Applying least-privileged access by permitting only minimum privileges when granting access to data and applications
- Adopting privacy-by-design and cybersecurity-by-design methodologies that encourage proactive integration of privacy regulation and data management
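The zero-trust practices listed above (continuous verification, segmentation, least privilege) are easiest to see as a single access decision in which every check must pass. The following Python is an added example, not code from the article or from any product it mentions: a toy policy evaluator that, for each request, checks the caller's role entitlement for the data classification and action, how recently the caller authenticated, device posture, the network segment the request arrives from, and MFA. The roles, classifications, thresholds and segment names are assumptions made for illustration.

```python
"""Added example (not from the article): a toy zero-trust access decision.

Every request is evaluated against the data classification, the role's
least-privilege entitlements, authentication freshness (continuous
verification), device posture and network segment. All names and thresholds
below are assumptions for illustration.
"""
from dataclasses import dataclass

# Least-privilege entitlement table: role -> set of (classification, action).
ENTITLEMENTS = {
    "support_agent": {("PUBLIC", "read"), ("PII", "read")},
    "billing_analyst": {("PUBLIC", "read"), ("PII", "read"), ("FINANCIAL", "read")},
    "privacy_officer": {("PUBLIC", "read"), ("PII", "read"), ("PII", "delete"), ("PHI", "read")},
}

# Maximum age of the last authentication per classification (seconds);
# the more sensitive the data, the more often the caller must re-verify.
MAX_AUTH_AGE = {"PUBLIC": 8 * 3600, "PII": 900, "FINANCIAL": 600, "PHI": 300}

# Network segments from which each classification may be served.
ALLOWED_SEGMENTS = {
    "PUBLIC": {"corp", "vpn", "restricted"},
    "PII": {"corp", "restricted"},
    "FINANCIAL": {"restricted"},
    "PHI": {"restricted"},
}


@dataclass
class Request:
    role: str
    action: str
    classification: str
    seconds_since_auth: int
    device_compliant: bool
    segment: str
    mfa_verified: bool


def decide(req):
    """Return (allowed, reasons). All failed checks are collected rather than
    stopping at the first, so the audit record shows every reason for a denial."""
    reasons = []
    if (req.classification, req.action) not in ENTITLEMENTS.get(req.role, set()):
        reasons.append("no entitlement for role")
    if req.seconds_since_auth > MAX_AUTH_AGE.get(req.classification, 0):
        reasons.append("authentication too old, re-verify")
    if not req.device_compliant:
        reasons.append("device posture non-compliant")
    if req.segment not in ALLOWED_SEGMENTS.get(req.classification, set()):
        reasons.append("wrong network segment for this data class")
    if req.classification != "PUBLIC" and not req.mfa_verified:
        reasons.append("MFA required for protected data")
    return (not reasons, reasons)


# Constructed sample requests.
SAMPLE_REQUESTS = [
    Request("support_agent", "read", "PII", 600, True, "corp", True),
    Request("support_agent", "read", "FINANCIAL", 60, True, "restricted", True),
    Request("billing_analyst", "read", "FINANCIAL", 60, True, "corp", True),
    Request("privacy_officer", "read", "PHI", 600, True, "restricted", True),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        allowed, why = decide(r)
        print(r.role, r.action, r.classification, "ALLOW" if allowed else "DENY", why)
```

The four sample requests exercise one outcome each: a permitted read, a denial for lack of entitlement, a denial because financial data is served only from the restricted segment, and a denial because a ten-minute-old authentication is too stale for PHI under the assumed five-minute limit. Collecting every failed check, rather than short-circuiting, is a deliberate choice so that the denial reasons can feed the monitoring and dashboards the article goes on to discuss.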
From the standpoint of executive management and the board, the intention is to achieve the strongest privacy protections possible.
5. Do we know how well we are doing managing data privacy?
Myriad tools providing metrics that measure access to and usage of consumer PII and enterprise privacy governance are available to help executive teams and their boards understand and effectively communicate an organization’s performance against its strategic objectives. Key performance indicators on the CEO’s and board’s dashboard are an imperative, but the quantity of tools may present a challenge. Going forward, companies are likely to streamline their current automated systems and models through significant consolidation of tools and rely on fewer tool vendors, creating more sustainable processes and reporting.
There is also the reputational impact of ESG reporting. Such reporting is likely to increase the focus on measuring an organization’s data protection capabilities as companies are increasingly measured on their ESG ratings. That is why policies directed to internal reporting, external disclosure of breaches, and clarifying the financial and reputational impact from loss of consumer PII and enterprise IP merit the attention of senior executives and boards alike in fulfilling their duty of care responsibilities.
6. From a data protection compliance standpoint, do we know what our stress points are?
Notwithstanding data privacy as a priority, businesses face obstacles when it comes to compliance preparedness. Lack of time and bandwidth, as well as the complexity of laws and regulations, are examples. Management bears the responsibility to identify the trouble spots for privacy compliance, assess their severity and apply best practices to enhance the privacy program continuously. As management exercises this vital due diligence, the board should be apprised of the results. Conversations in the C-suite and boardroom should include an assessment of the sufficiency of budget and resources as well as accountability for results. Stress test protocols and tabletop exercises and the insights they provide should also be incorporated into the discussion.
7. Are our legal agreements aligned with data protection requirements?
Executives and directors should inquire, for example, whether the company is using the standard contractual clauses (SCCs) preapproved by the European Union pertaining to the sharing of data between EU and non-EU countries. These clauses provide standard terms and conditions to which both the sender and receiver of personal data agree, with the objective of considering and upholding the rights and freedoms of the individual. Adopting these SCCs is a regulatory requirement for exchanging data with EU countries and is enforced by the European Commission.
8. How should the board and management engage on data privacy?
The pervasiveness of data creates a challenge for boards. Multiple functions own responsibility for protecting the data their activities collect, use and store, including information technology, cybersecurity, human resources, legal and compliance.
Some boards have a technology committee reviewing data privacy strategy and compliance. Others assign data privacy oversight to the audit committee, while those in a highly regulated environment may assign these duties to a compliance committee. For public companies, these matters merit consideration in every formal meeting of the committee advising on data privacy, or more frequently as necessary, which underscores the importance of putting effective analytics and dashboards in place. Companies with substantial business-to-consumer operating models will require more attention to these issues.
The full board should be privy to a report or briefing on data privacy performance at least annually. Directors should engage the company’s leadership with the intention of gaining confidence that a coherent privacy data governance process is in place, aligned with the business strategy and complemented by effective controls enabling data privacy protections.
In summary, data privacy has escalated as a long-term concern for executive management and the board. According to a recent global survey, looking out 10 years, data privacy is the fifth-rated risk — up from 11th last year — overall across the globe. As the complexity of the data privacy regulatory environment continues to evolve, it is necessary for executives and directors to engage continuously in strategic conversations around policy, execution and compliance. At the present time, there is no light visible in this long, (maybe) never-ending tunnel.