Boards face mounting pressure to oversee data privacy for their organisations. Shareholders and various stakeholders are increasingly holding boards accountable for the business’ data privacy strategy and the risks that go alongside it.
But what exactly is the oversight function of the board when it comes to these issues? In this article, we discuss:
- factors that are shaping the data privacy and protection environment for businesses as of today
- important questions boards should ask for appropriate risk oversight
FACTORS REDEFINING DATA PRIVACY AND PROTECTION STRATEGIES FOR COMPANIES TODAY
1. Greater privacy regulations
With the rise of data proliferation, state, national or regional privacy laws have come into strong effect in recent years. Most have sweeping implications for the way data should be processed, handled, and protected. Three of the most discussed laws are the European Union’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), and the California Consumer Privacy Act 2018 (CCPA).
Let’s take a look at what these laws call for. (Note: This is by no means a complete and comprehensive discussion of the privacy laws. It merely highlights their significant components, and should not be used as basis for legal advice.)
A. European Union’s General Data Protection Regulation (GDPR)
GDPR came into effect in May 2018 and is arguably the most expansive piece of regulation for data privacy and protection in the world. GDPR not only applies to businesses in the European Union but also to any company “doing business” in the region. “Doing business” is to be interpreted loosely.
The law focuses on major aspects such as:
- Protecting consumer data rights
- The right of individuals to access their personal data
- The right of individuals to request erasure of their data
- The right to data correction (or the right to data rectification)
- The right to data portability (which is essentially the right to receive the personal data concerning him or her in a “structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller”)
- The right to object to data processing
2. Responsibilities for ‘data controllers’ and ‘data processors’
- Companies must notify authorities of data breaches
- Act in accordance with the ‘principles of data notification’ such as gaining consent to disclosure and use of data
3. Penalties for non-compliance
- Fines can be up to €20 million or 4% of global revenue for the preceding financial year (whichever is higher)
B. Brazil’s Lei Geral de Proteção de Dados (LGPD)
LGPD came into effect in 2020. It is the first and only data privacy law in South America.
Similar to GDPR, it applies to any data processing that takes place in the country, for the purposes of offering goods and services for people who are located in Brazil. The organisation also does not have to have a physical presence in the country or maintain its headquarters there. This extraterritoriality component is common to other international privacy laws such as GDPR.
Other important aspects of the law cover:
- Protecting consumer data rights
- The right to confirmation of the existence of the processing
- The right to access the data
- The right to correct incomplete, inaccurate or out-of-date data
- The right to anonymise, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
- The right to the portability of data to another service or product provider
- The right to delete personal data processed with the consent of the data subject
- The right to information about public and private entities with which the controller has shared data
- The right to revoke consent
2. Penalties for non-compliance
- Fines can reach up to 2% of the organization’s revenue, with a limit of 50 million Reals (estimated $10 million USD) per violation.
C. The California Consumer Privacy Act 2018 (CCPA)
The CCPA came into effect in January 2020. Like the GDPR and LGPD, it applies to any company that does business in California, regardless of whether a physical location is established there. It is important to note that this doesn’t apply to all businesses. It is relevant to only those that:
- Have gross revenues of $25 million USD or more in a year, or
- Companies that hold personal information of 50,000 or more customers, devices, or households
- Earn more than half their revenue from selling personal information
Some other important things to note about the CCPA is its focus on consumer rights as well:
- The right to ‘opt-out’ of having personal information sold
- The right to have personal information deleted
As for penalties, the CCPA calls for maximum civil penalties of $7,500 for intentional violations (and $2500 for unintentional violations) brought by the State of California through the Attorney General’s Office.
In a nutshell, businesses need to be mindful of the privacy and data protection laws that apply in the jurisdictions they operate in. These can have a significant impact on the organisation from a compliance and risk standpoint.
2. Consumer control and power
As evidenced by the laws above, consumers have been given more control over the use of their data. This has redefined data privacy and protection strategies for many businesses, especially by those organisations who profit off data. Consumers can decide how companies can use their data, or if they’re allowed to at all. Should companies overlook and mismanage this, they expose themselves to financial risks and penalties.
3. Supply chain and third-party providers
More companies are using more vendors. It is critical for the organisation’s supply chain/ third-party providers to meet the same privacy standards and data maintenance policies of the company. As one article states, “processes can be outsourced, but not the risks.” In the event of a data breach, stakeholders will ultimately look to the contracting organisation to shoulder the responsibility. In short, data protection and privacy laws need to be observed by the company’s supply chain network as well. Vendor risk management should be assessed and applied.
QUESTIONS BOARDS SHOULD ASK
Boards have to ask the hard questions when it involves data privacy and protection. To do so, they need to look at this responsibility from at least two different lenses: compliance and ethics.
A. THE COMPLIANCE QUESTIONS
On the area of compliance, boards should be able to obtain answers to the following questions from management:
- How is the organisation dealing with the different standards that exist regionally, state-wide, or nationally, as the case may be?
- How is it dealing with applicable privacy laws that might go into effect in the future?
- How effective are the company’s compliance processes in meeting current data privacy regulations?
- Are we allocating enough resources to support compliance programs?
- How can the organisation be proactive in data privacy and protection oversight?
The reality is that it is not impossible to be proactive when it comes to data privacy regulations. Most privacy laws are built upon common principles that can be applied against a consistent framework (e.g., customer consent, customer rights to own data, accessibility to data, etc.). With this established, companies can focus on and support compliance programs and approaches, and work towards flexibility for future regulations.
B. THE ETHICAL QUESTIONS
It can be difficult to discuss data privacy and protection strategies from an ethical perspective. But it can’t be removed from the conversation, especially as more and more companies seek to monetise data. It is therefore important for the board to help draw ethical lines and boundaries around a company’s data strategy, and ensure the incorporation of data ethics controls into the marketing, research, and product functions of the organisation. There is a lot at risk there, and the inappropriate use of data can be disastrous for the company.
The boards should ask the following:
- How is the organisation using and maintaining data while in compliance with privacy laws?
- How does that align with the company’s corporate strategy?
- How is the organisation making data security a priority?
- What are its “responsible” privacy policies?
- What policies and controls are in place to prevent improper use of sensitive data?
It begins at the top. Boards should emphasise the importance of data privacy and protection strategies for their organisations. Board members must also understand the intent behind data collected, the data they need, and as well as how they go about obtaining it. They need to be updated as these change, in order to help determine whether there are ethical red flags around it.
While non-compliance issues present obvious risks to the company, the ethical repercussions can be less straightforward (e.g. diminished brand equity, breach of trust, etc.), but equally significant.
Boards must have a solid grasp and understanding of the risks the organisation assumes in relation to its business’ data strategies.
But the bigger message is this: companies are stewards of data. Boards must recognise this. They have a responsibility and growing societal obligation to ensure that their organisations comply with applicable privacy and protection laws, while assuring stakeholders that data is protected from irresponsible use. They must be involved. The stakes are too high to be trivialised and overlooked.