India, the world’s largest democracy, last year declared that “privacy is the constitutional core of human dignity” and is pursing a national data protection law. In Europe, the General Data Protection Regulation (GDPR) has already been put into effect, while California took the lead this summer in the United States to pass its own data privacy law. Even China and Vietnam have passed cybersecurity laws that include stipulations for the storage of user data.
As nearly every commercial and social transaction has become linked to the Internet of Things, the definition of privacy has evolved as well. NACD and Baker Tilly Virchow Krause LLP recently cohosted a roundtable discussion with directors and industry experts in Philadelphia, Pennsylvania, to assess the board’s role in data privacy oversight in light of the current regulatory environment and the growing expectations of consumers and investors. The discussion resulted in five key takeaways for how to think about data privacy as a whole and what concrete steps boards can take to improve oversight of data privacy programs:
1. Data now belongs to the data subject, not the entity in possession of the data. Although a national data privacy law has not yet been implemented in the United States, the European Union and the state of California have taken the lead in adopting regulations that give consumers a right to control their own data. “There has been a fundamental shift in thinking around who really owns data,” said Baker Tilly Partner David Ross. “In the United States our [corporate] perspective has always been, ‘If I have the data, then it’s mine and I can do whatever I want with it.’ Then the Europeans started saying that the data subject really has the rights to control the data and how it’s used.” As consumers globally demand a greater right to privacy, boards should preemptively prepare for further data privacy regulations both internationally in the United States.
2. Data privacy and cybersecurity are not synonymous terms, although they are intertwined. Baker Tilly Partner Jeff Krull distinguished data privacy from cybersecurity this way: “Privacy is protecting people’s data in compliance with the law. Cybersecurity is whether or not you have the right mechanisms in place to keep that data from being breached.” Krull emphasized that there is a heavy legal component to data privacy and a heavy operational component to cybersecurity. “You can have a great privacy program and get breached one hundred times over. You can also have a terrible privacy program and a great cybersecurity program, and even though your data might not get breached, you may not be in compliance with the law.” If directors properly understand the distinction between these terms, they will be better equipped to oversee how data privacy and cybersecurity programs are implemented at their companies.
3. Directors need to have a fundamental understanding of the data privacy landscape, not necessarily an expertise. The 2018–2019 NACD Public Company Governance Survey indicates that only half of public company directors (52%) believe they personally have enough understanding to provide effective cyber-risk oversight, although slightly more (58%) believe their boards collectively have enough understanding to do so. “If you’re going to be a true expert in cybersecurity or privacy, you have to be out there doing it day in and day out, because six months from now what you know may be obsolete,” said Krull. “The key is to get access to the right information when you need it to make a strategic decision. If you don’t think you have the right expertise, it’s really hard to set an appetite for how much risk you’re willing to accept.” Roundtable participants discussed hiring outside advisors, using an advisory board, or taking certification courses to ensure directors have access to this expertise.
4. Management responsibilities for cybersecurity and data privacy programs should be clearly defined so directors know who to go to for information. According to Krull, the board’s first step is to decide where on the management team primary responsibility for cybersecurity and data privacy lie. “Boards should assign direct lines of responsibilities to specific members of management who will report to the board on cyber and privacy and have the authority, responsibility, and accountability to oversee cybersecurity and privacy for the organization as a whole in alignment with the board’s cyber and privacy objectives and risk appetite,” said Krull.
Just as the chief information security officer (CISO) has become a staple C-suite position, attendees discussed how there will likely be a similar trend with the adoption of chief privacy officers, although the approach currently varies by industry. “I’m a chief privacy officer, which at my company means anything that has even a little data—including email—is my responsibility. So, it’s good to have a centralized person to handle data protection,” said one director. “However, the CISO and I are [attached] at the hip because I don’t have the technical knowledge and he doesn’t have the legal knowledge.” Regardless of whether of or not a chief privacy officer is currently in place at their organizations, boards should ensure responsibility for cybersecurity and data privacy is properly assigned to members of management, accounting for the strong link between the two domains.
5. Gap assessments around the data privacy and cybersecurity programs can be used to develop a plan to address program risks. Krull and Ross suggested boards take a calculated approach to assessing their data privacy and cybersecurity programs by defining their acceptable risk envelope with regards to privacy. This usually starts with identifying the critical data pools, including where the data is stored, the size of the data, and how sensitive it is. Then management should rank the data in order of importance according to the potential risks posed to the organization and develop a program to address the most high-risk data first. “With our clients, we adopt the attitude of eliminating the most risks in the most efficient way, because you’re never going to eliminate all the risks due to the high cost,” said Krull. Setting goals over the next 12 months for what the program should look like and using metrics to measure success can help ensure accountability.
In conclusion, the strength of the company’s data privacy program will directly impact its reputation and bottom line. As more regulations regarding data privacy come into force, and as consumers demand more control over their data, boards need to be agile in defining their companies’ data privacy programs in this rapidly changing environment. Boards should conduct a gap assessment of their data privacy programs and ensure responsibilities are delegated appropriately to management, with the ultimate goal of creating a risk culture where the board, management, and employees understand the reasons behind protecting data and work as a collective to do so.