Trust, risk, and opportunity: overseeing a comprehensive data and privacy strategy

Data is changing the competitive landscape. The volume of data now available to companies means they can find efficiencies, develop and target new products, gain customer insights, optimize operations and tailor business strategies in ways they never could before, with a speed they never thought possible. But collecting and using data also brings risk that it could be misused or accessed by threat actors. Converting data into value securely and ethically is the business imperative for the next decade.

The companies that most effectively take charge of their data throughout the data lifecycle will have the greatest opportunities for success. Given the opportunity and risk involved, it’s essential that boards play a key role in the process.

Learn more

Data discovery

Fundamentally, the question of how companies collect, use and protect data is tied to the business strategy. For the board to make those connections, it starts with understanding what data the company collects, how it is stored and how it is used.

Key questions the board should be asking include:

  • What types of data does the company collect?
  • What data is most valuable?
  • What data is most sensitive?
  • How is the data used and is it used ethically?

Data protection

As management protects data, the board should engage in robust discussions about the adequacy of the protection and privacy program, including information on the effectiveness of controls and whether resources are sufficient. Boards will also want to make sure they are aware of key applicable cybersecurity and data privacy laws, and any major violations.

Key questions the board should be asking include:

  • What data is required to be protected?
  • What other data should be protected?
  • What processes are in place to offer that protection?

Data minimization

Once the board understands what data is collected and how it is protected, it can begin to explore with management whether any of that data could be minimized while still achieving the company’s goals.

Key questions the board should be asking include:

  • What types of data are collected but not used?
  • Do we have old data that is no longer used and can be eliminated?
  • In what ways could our company’s data collection (and risk) be minimized without losing current functionality or value?

Data governance

A company’s data governance will touch all of these areas: collecting, strategically using, protecting and minimizing data. The board’s role is to oversee management’s governance of the data and ensure the people, processes and technology in place are effective.

Key questions the board should be asking include:

  • Do we have the right people, processes and policies, and technology to govern our data and meet compliance and privacy requirements?
  • How could they be improved?


A holistic data and privacy strategy that addresses data value and related risks, combined with a thoughtful governance approach, can help the board and management create a competitive advantage and build greater trust with stakeholders.

Contact us

Maria Castañón Moats

Maria Castañón Moats

Leader, Governance Insights Center, PwC US

Joseph Nocera

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

Jay Cline

Jay Cline

US Privacy Leader, Principal, PwC US

Barbara Berlin

Barbara Berlin

Managing Director, Governance Insights Center, PwC US

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.