Moving the needle on data privacy and infosec can be a Sisyphean task. In the struggle, many directors and executives have reached a point of cybersecurity fatigue. But threat actors are only gaining steam. With updating security protocols, the goal posts are moving further and further away every year.
The meteoric rise of data proliferation worldwide has spawned new privacy laws, including the General Data Protection Regulation (GDPR) in the EU and various derivative laws either on the books or on the way at regional, national and state/province levels across the globe. The rapid pace of emerging technology is affecting not only existing IT infrastructure but also compliance management systems. New technologies are exposing organizations to additional and possibly unanticipated risks.
As if this were not enough, privacy laws have given consumers control over whether and how companies can use their personal data. And consumers have taken notice of their opportunity to call the shots. As a result, companies face significant risks by failing to effectively manage the consumer’s data directives.
Privacy Programs Are Stressed
With the goalposts constantly being moved in a game in which severe penalties are levied on companies not playing by the rules, it’s no wonder that privacy programs in many organizations are stressed. The risk profile is further nuanced as companies leverage extended global networks of suppliers, contractors, consultants and other third parties with access to protected and regulated data, creating exposure to greater risks. Just as organizations now reach customers and clients worldwide with ease, the multitude of privacy laws worldwide crosses borders, creating a complex, far-reaching legal matrix to navigate.
In considering just how relevant privacy issues are to organizations, one need only start with the class-action lawsuits these issues spawn. Two themes have emerged. First, the suits often allege that the board and senior management are not exercising the appropriate oversight. Second, the defendant company’s filings with the U. S. Securities and Exchange Commission typically disclose that appropriate security and privacy practices are in place, but the court rules that they, in fact, are not.
To illustrate, a little-known 2008 law in Illinois in the United States, the Biometric Information Privacy Act, requires written consent to collect biometric information from consumers. But organizations using biometric devices were not complying, nor were authorities enforcing the law. After a consumer learned of this issue and filed a class-action lawsuit, many more lawsuits followed. The result was class-action suits filed at a rate of four to five per day. Initially set at $1,000 per consumer incident, the legal settlement for many organizations amounted to $500 per consumer incident — still a hefty sum when one does the math. In this instance, the key question was whether proper consent was obtained.
To date, the U.S. Congress has expressed no intent to standardize privacy laws and regulations, leaving such regulation to each state. While action at the federal level is possible down the road, it is not likely in the near term. Eyes are also on the E.U.’s handling of treatment of significant fines for data and privacy practices that are allegedly not in compliance with GDPR. For example, in July 2021, a 746 million-euro fine was levied against a high-profile technology company along with a request for change in certain business practices relating to consumer data processing.
Given this environment, following are points senior executives and directors should consider.
Ask the Right Questions
From a data and privacy perspective, it is important to understand not only what is legal but also what is ethical — “the right thing to do.” Yes, compliance according to the letter of current privacy laws is a useful standard. But understanding to what extent data and privacy are an integral part of the organization’s corporate strategy and business model, and how management defines what is appropriate use of consumer/customer data, is a different and higher standard. Therefore, the organization should address these issues and, in the process, obtain clarity on the desired risk profile and appetite regarding data collection and management and the related responsibilities accruing to the organization according to established laws and regulations.
Questions regarding processes the organization has in place to comply with applicable privacy laws at regional, national and state jurisdictions are worth exploring, given the sheer complexity of the environment. So, too, are potential new regulations that could go into effect in those jurisdictions. For example, while the United States does not have any federal laws governing data privacy that compare to the GDPR (other than laws targeted to specific industries, such as healthcare and financial services), many states have been addressing this front on their own. This dynamic is creating a plethora of state privacy requirements, raising the question as to how data and privacy management processes are staying current.
Another line of inquiry is how data is being used to drive and enable the execution of corporate strategy, as well as how the strategy itself shapes the methods by which the organization collects and uses customer data. Both executive management and the board should have a process to monitor how the organization is using and maintaining its data while ensuring compliance with privacy laws.
Then there is the question of balancing compliance with privacy laws versus behaving in an ethical manner. How does management know the organization behaves ethically around privacy and data management? Has there been a strategic conversation regarding the ethics and appropriateness of collecting, using and selling consumer data — behavior culminating from many years of commercial activity with the objective of monetizing data? Are past practices acceptable in today’s environment? Do they align with the organization’s corporate strategy? Which compliance issues present themselves from engaging in such practices? Where does the organization draw the line? Answers to these questions and their strategic underpinnings should be understood at the top of the organization.
For B2B organizations, data collection and management, as well as compliance with privacy regulations, may be less of an issue, because they are likely not managing large data sets of consumer information. However, boards and executive management still need to determine whether and where consumers are touched as part of ongoing data collection and management processes. Only by doing this can they understand where the risk with that data is sourced.
Key takeaway: There are three important, interrelated issues — compliance, ethics and corporate strategy. To that end, senior executives and directors should consider the following questions:
- What should we do beyond oversight of the traditional compliance and risk assessment approaches relating to privacy and data? Should our oversight role extend beyond these areas?
- What is responsible privacy practice given today’s optics (beyond compliance with privacy laws and regulations)? Is managing and using data about ensuring regulatory compliance, or doing the right thing, or both? What are the company’s mores, policies and standards regarding securing and leveraging the data of its customers? Is there an alteration of the idea of privacy today? Is privacy strictly an issue of compliance for companies to address, or is ensuring privacy more than just complying with current laws? In other words, is privacy also about legitimate and ethical practices among companies?
- As part of the corporate strategy, which types of data usage are permissible in the organization? What policies and boundaries are in place to prevent improper usage of sensitive data?
Executive management and boards need a standard, i.e., a “North Star,” with regard to overseeing the organization’s data and privacy management. They should have a clear understanding of data and privacy regarding the balance between risk (protecting the organization) and strategy (innovation and growing the organization).
Smart executives and directors who are effective in working with chief information security and data privacy leaders to understand and address data and privacy issues are proactive in their oversight versus reactive. As both the U.S. and the rest of the world continue to undertake significant policy changes with the resultant increases in data privacy obligations, an effective approach to data privacy is creating a compliance program and approach that meets today’s and the future’s data privacy requirements.
Key takeaway: Accordingly, senior executives and directors should question not only how the company’s compliance processes meet current data privacy regulations but also whether they are flexible enough to meet future such obligations. This approach is not as hard as it seems, as most global privacy laws follow common principles that can be addressed in a consistent framework.
Understand the Business Purpose
Regarding emerging technology, executive management and the board need to understand the technology the organization uses to grow the business and, in the process, how the organization plans to use and/or leverage the data it collects — for example, protection, marketing, business development, monetization and other purposes. Specifically, they should understand the business purpose of collecting information from customers; how the collection process and the use of data are being communicated to customers; what the organization is doing with the information it collects; the risks arising from how data is collected, maintained and stored; and how those risks are being managed.
It’s also important for leaders to inquire whether the organization really needs all the information it collects. Is the organization trying to collect everything it can get? Or is it limiting data collection and retention only to the specific data points it needs to drive its strategy while ensuring it complies with applicable privacy laws and regulations? Or is it somewhere in the middle?
There may be industry-specific considerations, as well. For example, there are unique requirements for healthcare providers regarding data collection and management. Such considerations make it important to understand the mission and values of the organization.
Assume, for example, that a healthcare organization collects and ends up selling and monetizing data to drive revenue that would enable it to acquire leading-edge healthcare equipment and technology as part of its overall mission to save lives. Some may argue that the organization is using data in a way that is not appropriate from an ethical standpoint, yet the organization’s strategy is about saving lives by using the most advanced practices and technologies available. Driving revenue by monetizing data can help the company achieve its mission; however, at the end of the day, the organization may be collecting and selling information in a way that is inappropriate. The debate is not an easy one.
Key takeaway: The focus on purpose is ultimately about answering the question, “How much data is too much data?” Does the organization place guardrails around data collection to manage its risk? Or does it collect all the information it can, understanding that there may be opportunities to monetize that data in some way provided there is compliance with applicable laws and regulations? If this is done, is the return on investment on the monetization effort sufficient to make the trouble of collecting and managing the data and assuming the related risks worthwhile? But even if it is worthwhile, is it the right thing to do and truly integral to the strategy for driving shareholder value?
Look Outside the Organization
In today’s environment, smart leaders understand where the critical data resides, and how it is being managed, within the supply chain and among third-party providers. These leaders know that the process can be outsourced but the risks cannot. Therefore, privacy and data issues arising with any third party — whether first-, second- or third-tier suppliers, outside processors of personal identifiable information (PII), or some other external party — still go back to the source for ultimate responsibility. That means the company and its brand are ultimately on the hook and liable for damages should any third party experience a data issue. That is why it is critical to ensure all third parties are operating with the same privacy standards and maintaining data in compliance with the sourcing organization’s policies.
Key takeaway: Third-party risk management is critical, especially with data management. It affects the entire value chain. Organizations failing to perform effective third-party risk management could face serious brand-eroding data and compliance issues. Executive management and the board should obtain assurances, with the appropriate level of support, that the effective vendor and third-party risk management and oversight processes are in place.
Examine Data Aggregation Practices
Data aggregation is another ethical and legal issue responsible organizations potentially face, particularly if they sell access to certain data to other organizations. The aggregation of data is different from the collection of individual data, as it does not impact or expose individual consumer data. If data is scrubbed and not identifiable to a specific individual, is this acceptable?
For example, consider a healthcare organization that is collecting and testing blood samples. Is it appropriate for that organization to use the data from the blood sample and markers to aggregate and understand broader trends, and even make that aggregated data available to other healthcare organizations?
Leaders should be engaged in the process of defining the activities and parameters around data aggregation and ascertain whether the organization’s risk profile may change (e.g., risk may be increased or reduced) as a result. Again, there may be different ethical considerations involved, even though the aggregated data may no longer contain PII or legally protected consumer information. Accordingly, senior management and the board should understand the organization’s strategy and practices regarding data aggregation in the context of the agreed views on ethics, compliance and the desired risk profile.
Key takeaway: Is data aggregation the right thing to do? How effective is the company’s process for aggregating data in maintaining compliance with privacy laws and regulations? Is the data being scrubbed and anonymized appropriately? These and other considerations underscore the importance of understanding the company’s values, ethics, process and purpose in using data the organization collects. Ultimately, executive management should determine the propriety of the data aggregation and usage practices the organization undertakes. The board should understand and approve management’s determination.
Recognize It’s Everyone’s Job
Senior leaders and directors should be cognizant of the increasing complexity of the privacy and security environment, especially given the increasing power of consumers and vigilance of regulators. To meet data privacy regulations and statutes, irrespective of whether they are required by the U.S. or EU or by Brazil, India or other countries, organizations must understand the environment and its implications to the business model and foster the appropriate coordination, focus and support of a number of internal groups and functions.
It’s not someone’s job, it’s everyone’s job. This means that the organization’s CIO, general counsel, designated compliance officers and business unit leaders should work closely together to stay current with and meet the most recent data privacy regulations. Understanding the data and how it should be processed to meet the various regulations and the gaps with how it is being processed requires this kind of collaboration. Accordingly, senior management should engage the appropriate parties within the organization to work together to create and sustain a shared and comprehensive data privacy solution.