Eight Questions to Frame Data Privacy Discussions in the Boardroom
Data is proliferating and data privacy regulatory activity is increasing across the globe. As the risk of cyberattacks and consumer demands for privacy protections continue to escalate, directors need to discuss data governance and information security matters with their executive teams and with cyber and data privacy management leaders.
To that end, the following eight questions can help guide boardroom conversations around data privacy:
1. Do we know what data we have and where the data reside? In addition to knowing what their “crown jewels” are—the enterprise’s most important information-related assets—organizations need to understand what personal information they hold, which legal protections apply to it, and whether it may be subject to data-subject access or deletion requests or to breach-disclosure obligations. This conversation often leads to a realization that data, whether structured or unstructured, should be classified and stored in a manner that lets the organization determine whether it is exposed to privacy requirements in the jurisdictions where the business operates. Where it is unclear whether data held inside the company falls under such requirements, that data should be encrypted, at rest and in transit, particularly when it is accessible in real time. An inventory that cannot say which systems hold personal data is also an inventory that cannot support a timely breach notification.
2. Do we have a clear understanding of why we acquire and retain data? Directors should understand the organization’s business purpose in collecting information, the collection process itself, and the notice communicated to customers for the use of data. The “why” is just as important as the “what.” The organization’s mission and values have a bearing on the data it obtains. This conversation can lead to policies that place guardrails around data collection to manage data privacy risks. This is an area that may warrant a professional review.
3. Are we on top of relevant compliance requirements? By 2023, according to Gartner, 65 percent of the global population will have its personal data covered under privacy mandates. Boards should ask how in-house and outside legal counsel share responsibility for tracking evolving privacy laws, how that work is documented, and how the organization’s knowledge of data privacy requirements in the jurisdictions where it operates is kept current.
4. Are we fostering a zero-trust environment to protect the data of consumers, employees, and third parties? The prevalent security trend in the marketplace is for organizations to adopt zero-trust architecture, under which no user, device, or network location is trusted by default and every access request is authenticated and authorized on its own merits. The idea is to shift cyber controls closer to the data that the organization must protect, a notion that is fit for purpose in addressing the complexities of today’s digital customer and supplier interactions, hybrid work environments, ever-expanding data protection requirements, and increasingly sophisticated cyber and ransomware attacks. Practices becoming more pervasive over time include “continuous verification” authentication, which re-evaluates a session as the user’s device, location, or behavior changes rather than trusting a single login, and segmenting network access to reduce attack surfaces and to limit the blast radius in the event of a breach, among other things. Zero trust is an architecture and a program of work, not a product, so the board should ask which systems and data stores are covered and which are not yet. From the board’s standpoint, the intention is to achieve the strongest privacy protections possible.
5. Do we know how well we’re managing data privacy? Myriad tools are available to measure the access to and use of consumers’ personally identifiable information and to manage enterprise privacy governance. These tools provide confirming metrics that help executive teams and their boards understand and effectively communicate an organization’s performance against its strategic objectives. Key performance indicators on the CEO’s and board’s dashboard are imperative; examples include the share of systems holding personal data that have been classified, the time taken to fulfil data-subject requests, and the number of access-control exceptions outstanding. In this discussion, the board should also consider the reputational impact of environmental, social, and governance reporting, as such reporting will likely intensify the focus on measuring an organization’s data protection capabilities. That’s why policies in this area merit the board’s attention in fulfilling its duty of care responsibilities.
6. From a data-protection compliance standpoint, do we know our stress points? Businesses face obstacles to achieving compliance preparedness—first, a lack of time and bandwidth, followed closely by the complexity of laws and regulations. Boards should encourage management to identify the trouble spots for privacy compliance, assess their severity, and apply best practices to enhance the data privacy program. This conversation may entail assessing budget and resource sufficiency, as well as establishing accountability for results. Stress-test protocols and tabletop exercises, and the insights they provide, are also of interest to the board.
7. Are our legal agreements aligned with data protection requirements? Directors should inquire, for example, whether the company is using the standard contractual clauses adopted by the European Commission for transfers of personal data from the European Union (EU) to countries outside it. These clauses provide standard terms and conditions to which both the exporter and the importer of personal data agree, with the objective of upholding the rights and freedoms of the individual. Standard contractual clauses are one of the transfer mechanisms recognized under the EU’s General Data Protection Regulation for moving personal data to countries that lack an adequacy decision; the European Commission adopts the clauses, and the national data protection authorities enforce them. Directors should also ask whether the company has assessed, for each destination country, whether the clauses can actually be honored in practice, since a signed agreement alone does not make a transfer lawful.
8. How should the board engage management on data privacy matters? The pervasiveness of data creates a challenge for boards. Multiple functions, such as information technology, cybersecurity, human resources, legal, and compliance, own responsibility for protecting the data that their activities collect, use, and store. Some boards have a technology committee that reviews data privacy matters. Others assign these matters to the audit committee. In a highly regulated environment, the board may assign these matters to a compliance committee. Whichever committee is chosen, the board should be clear about which executive is accountable for the privacy program as a whole, so that responsibility does not fall between functions.
For public companies, these matters merit consideration in every formal meeting of the committee that advises on data privacy, or more frequently as necessary—which underscores the importance of putting effective analytics and dashboards in place. Companies with substantial business-to-consumer operating models will need to devote more attention to these issues. Additionally, the full board should be privy to a report or briefing on data privacy performance at least annually.
Overall, directors should engage the company’s leadership with the intention of gaining confidence that a coherent data privacy governance process is in place, aligned with the business strategy and complemented by effective controls enabling data privacy protections.
Jim DeLoach is managing director of Protiviti. DeLoach is the author of several books and a frequent contributor to NACD BoardTalk.