Corporate Compliance Insights

From Regulation to Volume, There Is No Light at the End of the Data Privacy Tunnel

8 questions for framing board, executive discussions

by Jim DeLoach
March 15, 2023
in Data Privacy, Governance

Data proliferation and data privacy regulatory activity across the globe have created the need for focused boardroom discussions. An underpinning to such discussions is the inextricable link between data privacy compliance and information security. Protiviti’s Jim DeLoach shares eight questions companies need to answer in their pursuit of data privacy compliance and best practices.

While cybersecurity is a fundamental business risk for most organizations, a more targeted focus on data privacy is increasingly necessary to ensure compliance across a rapidly expanding number of regulations. The privacy data component of cybersecurity represents a unique challenge driven by the volume and type of data an organization captures and retains. Reliable data classification may reveal information that is confidential, proprietary or sensitive in nature, including data that is a source of competitive advantage and of considerable value to the enterprise — e.g., intellectual property (IP).

Privacy data may consist of personally identifiable information (PII), including protected health information (PHI), in the form of Social Security numbers, bank accounts, medical histories and other classes of protected information of varying designations that are regulated by various bodies and jurisdictions. Whatever the composition of PII, organizations must engage in a balancing act. In addition to enabling both access to protected data and the performance of necessary corporate functions using that data, companies must secure and protect that data in accordance with applicable laws and regulations. As more data is collected, purchased, transformed, stored, shared and monetized, this balancing act becomes more challenging to navigate.

In this environment, directors and senior executives should position themselves to participate in boardroom and C-suite discussions with cyber and data privacy leaders on data governance and information security matters as regulatory scrutiny, the risk of cyberattacks and consumer demands for privacy protections continue to escalate. To that end, below are eight topics relevant to these conversations around data privacy.  


1. Do we know what data we have and where it is? 

In addition to knowing what their “crown jewels” — the most important enterprise information-related assets — are, organizations need to understand what privacy information they hold, which legal protections are in place, and whether the data is subject to data subject access or deletion requests or to disclosure obligations.

This conversation often leads to a realization that data should be classified and stored in a manner — whether structured or unstructured — that allows the organization to determine whether it is exposed to any of the privacy requirements of the jurisdictions in which it operates. Where there is any doubt about the sensitivity of data held inside the company, that data should be protected with encryption, particularly when it is accessible in real time. In addition, access to the data should be controlled, which could entail revising access management rights.

Recurring data inventory, classification and assessments are standard best practice for all organizations retaining PII. Engaging third parties to assess data veracity and security controls offers additional assurance. As the external auditors may force this conversation, management should be prepared by classifying all data inside the organization and determining that protected data is properly stored, secured, shared and disposed of.

2. Do we have a clear view as to why we acquire and retain data? 

Directors and senior executives should understand the organization’s business purpose in collecting information, the collection process itself and the notice communicated to customers regarding the use of data. The “why” is just as important as the “what.” Some questions to consider include the following:

  • Is the company limiting data collection and retention only to the specific data points needed to drive its strategy while ensuring compliance with applicable privacy laws and regulations?
  • Why does the company require the information it collects, and how does it use it?
  • Are there industry-specific factors to consider (e.g., healthcare providers and financial institutions have specific data collection and data management requirements)?
  • Has the company reviewed its policies and processes directed to the various media channels through which it engages consumers (however the company segments them)?

The organization’s mission and values have a bearing on the data it obtains. This conversation can lead to policies that place guardrails around data collection to manage data privacy risk. This is another area that may warrant a professional review.

3. Are we on top of the compliance requirements to which we are subject? 

The number of countries that have enacted data protection laws is expanding constantly. Currently, some 137 countries have put in place legislation to secure protection of data and privacy, with the level of adoption varying country by country. The trend is unmistakable, as most countries in the world recognize the right of privacy explicitly in their constitution. Bottom line, privacy laws are virtually everywhere on the planet — including in different states within the U.S.

To comply with emerging, unique privacy requirements in multiple jurisdictions, increased investment is likely required in addition to specialized talent to ensure that business processes are compliant. Executive management and the board should inquire how in-house counsel or outside legal counsel is sharing responsibility (and documenting evidence) across the organization for becoming familiar with evolving privacy laws and expanding their knowledge of data privacy requirements in the jurisdictions in which the company operates. Additionally, a complicating factor is that case law is evolving rapidly, which may expand the risks and penalties to organizations and directors.

4. Are we fostering a zero-trust environment to protect the data of consumers, employees and third parties?

Adversaries seeking access to information have grown dramatically more sophisticated over the years, employing carefully orchestrated, deceptive phishing tactics, distributing stolen data on the dark web and mounting advanced persistent threats. The prevalent trend in the marketplace is to utilize zero-trust architectures, which verify every access request from every user and device, every time. The idea is to shift cyber controls closer to the data that the organization must protect, a notion that is fit for purpose in addressing the complexities of today’s digital customer and supplier interactions, hybrid work environments, ever-expanding data protection requirements, and increasingly sophisticated cyber and ransomware attacks.

Practices that are becoming more pervasive over time include:

  • Implementing strong “continuous verification” authentication technology
  • Segmenting network access to reduce attack surfaces, limiting the “blast radius” in the event of a breach
  • Verifying end-to-end encryption and monitoring the network continuously
  • Applying least-privilege access, granting only the minimum privileges needed when providing access to data and applications
  • Adopting privacy-by-design and cybersecurity-by-design methodologies that integrate privacy requirements and data management proactively

From the standpoint of executive management and the board, the intention is to achieve the strongest privacy protections possible.

5. Do we know how well we are doing managing data privacy?

Myriad tools providing metrics that measure access to and usage of consumer PII and enterprise privacy governance are available to help executive teams and their boards understand and effectively communicate an organization’s performance against its strategic objectives. Key performance indicators on the CEO’s and board’s dashboard are an imperative, but the quantity of tools may present a challenge. Going forward, companies are likely to streamline their current automated systems and models through significant consolidation of tools and rely on fewer tool vendors, creating more sustainable processes and reporting.

There is also the reputational impact of ESG reporting. Such reporting is likely to increase the focus on measuring an organization’s data protection capabilities as companies are increasingly measured on their ESG ratings. That is why policies directed to internal reporting, external disclosure of breaches, and clarifying the financial and reputational impact from loss of consumer PII and enterprise IP merit the attention of senior executives and boards alike in fulfilling their duty of care responsibilities.

6. From a data protection compliance standpoint, do we know what our stress points are? 

Even with data privacy as a priority, businesses face obstacles when it comes to compliance preparedness. Lack of time and bandwidth, as well as the complexity of laws and regulations, are examples. Management bears the responsibility to identify the trouble spots for privacy compliance, assess their severity and apply best practices to enhance the privacy program continuously. As management exercises this vital due diligence, the board should be apprised of the results. Conversations in the C-suite and boardroom should include an assessment of the sufficiency of budget and resources as well as accountability for results. Stress-test protocols, tabletop exercises and the insights they provide should also be incorporated into the discussion.

7. Are our legal agreements aligned with data protection requirements? 

Executives and directors should inquire, for example, whether the company is using the standard contractual clauses (SCCs) preapproved by the European Union pertaining to the sharing of data between EU and non-EU countries. These clauses provide standard terms and conditions to which both the sender and receiver of personal data agree, with the objective of considering and upholding the rights and freedoms of the individual. Adopting these SCCs is a regulatory requirement for exchanging data with EU countries and is enforced by the European Commission.

8. How should the board and management engage on data privacy? 

The pervasiveness of data creates a challenge for boards. Multiple functions own responsibility for protecting the data their activities collect, use and store, including information technology, cybersecurity, human resources, legal and compliance.

Some boards have a technology committee reviewing data privacy strategy and compliance. Others assign data privacy oversight to the audit committee, while those in a highly regulated environment may assign these duties to a compliance committee. For public companies, these matters merit consideration in every formal meeting of the committee advising on data privacy, or more frequently as necessary, which underscores the importance of putting effective analytics and dashboards in place. Companies with substantial business-to-consumer operating models will require more attention to these issues.

The full board should be privy to a report or briefing on data privacy performance at least annually. Directors should engage the company’s leadership with the intention of gaining confidence that a coherent privacy data governance process is in place, aligned with the business strategy and complemented by effective controls enabling data privacy protections.

In summary, data privacy has escalated as a long-term concern for executive management and the board. According to a recent global survey, looking out 10 years, data privacy is the fifth-rated risk — up from 11th last year — overall across the globe. As the complexity of the data privacy regulatory environment continues to evolve, it is necessary for executives and directors to engage continuously in strategic conversations around policy, execution and compliance. At the present time, there is no light visible in this long, (maybe) never-ending tunnel.


Tags: Big Data, Board Risk Oversight, Cyber Risk, Data Governance, Risk Assessment
Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.

© 2022 Corporate Compliance Insights