Five questions boards should ask about data privacy in 2020


The amount of data produced today is staggering, and companies are racing to capitalize on the opportunities that come with it. They’re using it to learn about customers and understand their behavioral patterns. They’re using it to enhance and develop new products and services. And to improve business processes and make better business decisions.

While companies may be focusing on how to get the most value from their data, they also have to understand the risks that come with it. Public policy and social expectations around data are evolving, and data privacy regulations in the US and around the world are mounting—with the potential for big fines for non-compliance. The benefits that data might provide could vanish if companies don’t manage how they collect, store and use it.

Corporate boards will want to be sure their companies are looking closely at their data strategy and data privacy risks. Here are five questions boards can ask management:


Are we ready for CCPA?

One of the biggest privacy laws looming is the California Consumer Privacy Act (CCPA), the most far-reaching new privacy law in the US in over a decade. It gives California consumers rights over their personal information: to obtain a copy of the personal information a business has collected about them, to request that it be deleted and to opt out of its sale to third parties. It also gives them the right not to be discriminated against for exercising any of those rights. Companies will have 45 days to respond to a consumer's request for their information.

The California Attorney General is expected to finalize the implementing regulations by mid-October, and the law takes effect on January 1, 2020. Yet only half of affected US businesses expect to be compliant in time. Attorney General enforcement of the individual rights provisions is scheduled to begin on July 1, 2020, with civil penalties of up to $7,500 per intentional violation and $2,500 per unintentional violation. Separately, starting January 1, 2020, consumers gain a private right of action: companies can face litigation over a data breach if they were not protecting personal information with "reasonable" security.

Boards should ask management what the company is doing to comply with the CCPA and whether it is on schedule to meet the requirements. In practice, that means an inventory of the personal information the company collects and shares, a verified process for fulfilling consumer requests within the 45-day window, and updated contracts with the service providers that receive that data. Boards will also want to know whether the company has a data privacy compliance program and, if so, how it will need to change to meet CCPA requirements.


Are we building global privacy capabilities for the regulatory future?

As many companies scramble to comply with the CCPA, some have already felt the impact of the European Union's General Data Protection Regulation (GDPR), which took effect in May 2018. GDPR fines are much larger than what companies previously faced: earlier this year, regulators announced proposed fines against two companies of about $230 million and $124 million, respectively. More fines are coming. Companies also need to pay attention to Brazil's Lei Geral de Proteção de Dados (LGPD), its counterpart to the GDPR, which passed in 2018 and takes effect next year.

To keep up with new and sometimes conflicting privacy standards across the globe, a unified database of privacy and security regulatory requirements, mapped to the company's own controls and standards, can help: each control is implemented once and evidenced against every regulation it satisfies.

Boards will want to hear from management about how the company is complying with new and expected data privacy laws and regulations. They’ll want to know what the company’s biggest challenges and concerns are. And they’ll want to ask management if the company has a robust enough team to handle compliance-related demands.

How effective is our data strategy?

Companies collect all kinds of personally identifiable information for many different reasons. Some want to grow sales and revenue; others use data to retain customers and improve the customer experience. To capitalize on this data, they need a good data strategy. Too often, though, the data companies collect is incomplete or unreliable, or there is simply too much of it. Companies need to understand and map the data they have, the data they need and how to get it. Their data strategy should be based on current and projected business and data-use goals, and their applications should be designed around that strategy. A good data strategy paired with an effective privacy compliance program can give companies a competitive edge.

Companies need to be stewards of the data they collect and use it in a secure and ethical way. They need to build controls that protect their most valuable data, both from a breach and from irresponsible use. They also need to purge high-risk data they no longer need: stale data leads to poor decisions, and it remains exposed to breach without delivering any value.

As companies collect and harness more and more data, they risk crossing ethical lines as they pursue new ways to monetize it. Some companies are investing in data governance to create more transparency around how they use and store data. Others are building data ethics controls into their marketing, data research and development, and product design functions. Companies should also conduct ethical assessments of data use to ensure the benefits and risks are balanced.

The board should talk to management about the company’s data strategy and get updates as management makes changes. They’ll want to understand the company’s data goals and discuss whether there are any ethical issues around using personal data. Boards will want to ask management whether it has the right processes and controls in place to mitigate risks to data and how it is being used.


Are we building privacy and data ethics into new technologies?

Data collection will be even more pervasive as technologies like artificial intelligence (AI), the internet of things (IoT), drones and robotics become more critical for business. Companies can certainly benefit from the proliferation of data these technologies provide. But they also need to meet changing social norms and expectations and build trust in how they’re using technologies to collect customer data and how that data is being used. Will their investments in these technologies pay off? Or will the privacy implications and risks turn off their customers and even employees? 

To build trust, companies can put controls in place around security, data privacy and data ethics as they adopt and deploy new technologies. A common privacy control is data minimization: collecting, retaining and sharing only the smallest amount of personal data necessary to perform a service, so that individuals are not exposed to unnecessary harm. Companies also need to be sure that any technologies used to collect and access data are secure and follow fair and ethical protocols.

Boards should ask management about the company’s plans to adopt new technologies and whether they align with the company’s data strategy. They’ll want to be sure risk oversight is part of any plans from the beginning. 

Are privacy and security prominently included in our deals process?

If an acquirer discovers that a company it has bought has weak data privacy governance, its return on investment could be dramatically reduced, particularly if an issue turns into fines or damage to reputation or brand. Some acquirers are adding contract language that calls for purchase price adjustments should the target turn out to have data privacy issues; companies don't want to buy unknown risk.

To protect against data privacy issues, acquiring companies should have a robust privacy due diligence process. It is especially important for targets that are data-driven companies, that handle significant amounts of personal data, or whose data is itself a large part of their value. Privacy due diligence can include procedural and technical assessments, data-flow mapping and even reviews of company culture and values. Companies that may be divesting a unit or business should expect to be on the receiving end of this type of diligence.

Boards will want to know that the company is considering its data strategy and capabilities when conducting due diligence on acquisition targets. 


Contact us

Paula Loop
Governance Insights Center Leader, PwC US

Jay Cline
US Privacy Leader, Principal, PwC US