2020 and beyond: 10 privacy issues and trends - Part 3

Cristina Onosé, Lead, Privacy Advocacy and Thought Leadership, PwC Canada | 26 March, 2020

Note: This article follows previous publications of top privacy issues and trends that companies in Canada should consider in 2020 and beyond. Read Part 1 and Part 2.

9. More data, less innovation? The dangers of reticence risk

Data is at the heart of modern business success, empowered heavily by technology and data-driven business opportunities. Organizations seek to optimize their data use to operate more efficiently, to derive better insights, to move intelligently into new markets and services, and even to create entirely new business models. 

Data also adds huge value to national economies. According to a Forbes study, every new data center generates CDN$677-$743 million a year in new value for a country.

Before they can meet these market expectations, organizations need to ask: Should I use data in this way? Will it be considered “fair”? Will it surprise customers? These considerations, plus the uncertainty of public policy or regulatory reactions, create broad risk decisions for organizations that are well beyond compliance. 

As a result, data value is often left unrealized because of “reticence risk”. Reticence risk refers to an organization not using data due to perceived risk, including uncertainty over any potential impacts or liabilities that such data use may introduce. 

In today’s environment, companies are questioning how to use data against a backdrop of an ever-increasing set of risks, including regulatory risk, financial liability and/or reputational consequences.

This outcome is having a negative impact on both the number and quality of creative and innovative data-driven projects that companies may undertake. Much of this reticence risk is created by the lack of risk-based decision-making systems inside organizations. In fact, some Chief Marketing or Data Officers estimate the resulting reticence risk is leaving 40-60% of data-driven value on the table.

To effectively address and minimize reticence risk, organizations must significantly invest in a comprehensive and well-executed data privacy program. It should include not only compliance with legal requirements, but also an assessment of data strategy and risk, ethical considerations, customer expectations, and opportunities to engage with regulators to manage and execute business strategies. 

Reducing reticence risks also requires an accountability model that thinks in terms of ‘ethical data stewardship’ as envisioned by the Information Accountability Foundation. It also necessitates new, pan-organization governance and decision-making models and systems that view privacy as part of enabling a digital strategy.

Without a strategic privacy program in place, companies will likely leave a lot of data-driven value on the table. With a strategically oriented privacy program, a data stewardship accountability capability and an effective pan-organization decision-making model, many of the risks outlined in Part 1 can be effectively mitigated. This can enable more data-driven value creation.

10. Who has your data? Data transfer liability and vendor risk management

PwC’s Third Party Risk Management report emphasizes that “in a business landscape loaded with potential pitfalls like cyber threats, corruption, data loss and natural disasters that result in supply chain interruption, making sure your partners are following appropriate procedures is vital and will enable you to avoid risks and reputation damage”.

Canadian organizations are responsible for the personal data they have under their control and which they transfer or provide to a third party. Unlike the European Union’s GDPR, which assigns accountability to both controllers and processors, Canada’s federal privacy law, PIPEDA, doesn’t make such a distinction. The Office of the Privacy Commissioner of Canada (OPC) has traditionally taken the view that it is the first party (or controller) who is ultimately liable for any privacy violations of a third party (or processor).

The potential benefits of outsourcing data processing (e.g. cost advantage, having a strategic partner, etc.) come with considerable risks which need to be assessed. For example, organizations should consider whether the third party is aligned to their privacy and security strategy, and if it allows for its practices to be audited. 

Organizations must have comprehensive contracts in place that address data transfer, use and deletion. They must work collectively with their contracting partners to ensure these third parties remain compliant. This includes having a program to support third party onboarding, ongoing monitoring, and offboarding. 

Problems and breaches will inevitably arise with third parties. In case of a regulatory investigation, an organization’s practices and contracts will be assessed to determine whether appropriate due diligence was applied. The responsibility of managing the risk of the third party relationships falls on the first party (controller). To mitigate risks associated with profitability, reputation, regulation and even litigation, it is important for companies to establish processes that will allow them to oversee these issues.

Bonus: What do climate change and data minimization/retention have in common?

Data can help solve many societal problems, including climate issues. But the storage and processing of data is also harming the environment in key respects. Data centres consume massive amounts of power and have as large and broad a carbon footprint as the entire aviation industry.

According to recent predictions, the energy consumption of data centres is set to account for 3.2% of total worldwide carbon emissions by 2025 and to consume no less than a fifth of global electricity. By 2040, storing digital data is set to create 14% of the world’s emissions.

Among the potential solutions, shifting to ‘green’ data centers that use wind and solar power could help reduce the carbon footprint. Privacy principles may, in fact, be able to help reduce overall energy use as well.

In his vision for ‘Privacy 2030’, the late Giovanni Buttarelli, the former Data Protection Supervisor for the EU, viewed digital technology and privacy regulation as two elements of a coherent solution for both combating and adapting to climate change.

The privacy principle of ‘data minimization’ or ‘limiting collection’ is one tool within the solutions box that may help the environment. Organizations have legal responsibilities to limit their data collection to only what is needed for a specific, identified use. They must ensure that irrelevant data isn’t collected. 

The challenge that many organizations face is that those identified purposes of data collection may not always be for traditional uses like providing services and maintaining customer accounts, but rather for service improvements, development of artificial intelligence, and other uses which require large sets of seemingly irrelevant data. 

Even more challenging, organizations have a duty to limit retention of personal data, even if data minimization has been undertaken; personal data should be retained only so long as it is necessary to fulfill the business purpose, or as required by law. Undertaking a ‘spring cleaning’ is not only a privacy de-risking exercise; it also supports green initiatives.

Conclusion

Technology innovation and economic growth are both key to making Canada a global economic powerhouse, but not without effective privacy measures. Canadians must be able to trust that their privacy is protected, that their data will not be misused, and that companies communicate in a simple and straightforward manner with their users. This essential trust is the foundation upon which our digital and data-driven economy must be built.

The issues and trends highlighted should become topics of conversation in team and board meetings. Privacy professionals, executives, marketers, technologists and others should consider their impact on their organizations - now and in the future. To effectively surmount some of the ensuing challenges, organizations need to invest in robust and effective data privacy programs, maintain effective technical and policy measures to keep personal data safe, and reinforce their commitment to transparency, providing value and using data ethically.

The author would like to acknowledge the following individuals for their valuable contributions to the ‘2020 and beyond: 10 privacy issues and trends that will impact Canadian companies’ series: Peter Cullen, Maria Koslunova, Constantine Karbaliotis and Jordan Prokopy.

At PwC, we are committed to advancing the public policy discussion and thought leadership on responsible data use, privacy and innovation. We engage with companies, policymakers and privacy professionals to develop solutions to some of the most pressing privacy and cyber issues. If you have questions, or are seeking unique solutions for your own organization, set up a consultation with one of our PwC advisors.
