Using information governance to manage data privacy risk

Regulatory compliance and beyond

Regulatory requirements and business drivers are prompting companies to focus more attention and resources on managing data privacy risk.

• Regulatory requirements: Data privacy and cybersecurity rules not only require the protection of customer data, but also impose obligations to assure the data’s quality, completeness, and governance—including limited acquisition and use, as well as appropriate retention and disposition. Today, a number of states are considering legislation similar to the CCPA. These regulations span every aspect of a company’s interactions with its customers.
• Business drivers: Companies are seeking competitive advantages in the marketplace by better mining existing information and taking advantage of nontraditional sources and uses of data, advanced analytics, artificial intelligence, and new ways of interacting with customers, such as digitization.

A comprehensive and coordinated information governance (IG) program can enable companies to more effectively address both the regulatory requirements and the business drivers.

These require more than just tougher information security. They require a comprehensive and effective IG program—along with the infrastructure necessary to collect only the required information and retain it no longer than necessary. For example, section 500.13 of the NYDFS Cybersecurity Regulation states that companies “shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information that is no longer necessary for business operations or other legitimate business purposes, except where such information is required to be retained by law or regulation.”

Back to top

Are your data privacy capabilities up to the task?

Thoughtful questions about the state of data privacy risk at your organization can help start the conversation and drive toward the right answers. Here are some key questions your organization should be asking:

• Are we being proactive in identifying and complying with all the laws and regulations that govern data capture, use, retention, security, and disposal at our company?
• Do we have an adequate information governance foundation in place that allows us to deal with current and upcoming data privacy challenges, such as consumer access and deletion requests, and consumers opting out of the sale?
• Do we know what information we have, how complete and accurate it is, where it is, and how it’s used and protected?
• Do we have the appropriate leadership, structure, capabilities, resources, and support to address these risks comprehensively—in the context of our business model and goals?
• Do we receive and retain the necessary information to support key business decisions and actions?
• Have we organized the compliance and privacy functions to best support and oversee our business and operations?
• How do our IG program and capabilities align with industry standards and peer organizations?
  

Back to top

Key process areas for managing data privacy risks

Complying with regulations can be difficult and complex, requiring companies to assess a wide range of activities—strategy, people, process, and technology. It also necessitates the development of diverse capabilities and tools in four key process areas—records management, privacy/compliance, crisis management/cyber, and IG. These capabilities and tools encompass:

• Data inventory: Companies need to know the type and source of data collected, stored, and used—and how accurate and complete it is. Inventories should be risk‑ranked to reflect inherent risk and quantify business needs for the data.
• Classification: Companies need to define the types of data collected and retained—and which data is personal versus public. This must be done in a manner that’s compliant with privacy regulations and clearly classifies individuals affected by the information to ensure customer access requests are properly addressed.
• Third-party relationships: Companies need a comprehensive inventory of third-party relationships—and of the data collected, stored, or shared with third parties—to implement programs that properly address issues related to data quality, use, privacy, and security. Contracts must be created or amended to hold these third parties to new privacy standards.
• Portability and erasure: Companies must manage customer requests that involve moving or eliminating personal information.
• Data security: Companies need to implement and maintain reasonable security procedures and practices. They also need to respond effectively to data breaches.
• Consent: Companies need management tools capable of handling consumer requests in a timely manner, including specific authentication and permissions for cross-affiliate marketing.
• Oversight and monitoring: Companies must implement programs that are comprehensive and strong, yet flexible enough to adapt to continued changes and ongoing regulatory/business implementations. Such programs can benefit from an increased focus on training and change management procedures to ensure they’re properly implemented through the three lines of defense, which can help avoid regulatory enforcement, fines, and penalties.

Back to top

Data privacy risk and reputation risk

The increased number of laws and regulations is the vanguard of a paradigm shift in which the general population is growing more concerned about their private data. Recent headlines have shone a spotlight on the potential misuse of consumer data, and the reality is that any organization collecting data about consumers—especially if they share the data with vendors or third parties—may be at risk of having their data misused.

Significant reputation damage can result from misused data and/or data breaches. Organizations should understand and prepare for the reputational risks that extend beyond noncompliance with the myriad of data privacy laws and regulations.

Back to top

The three lines of defense

In designing and implementing their approaches to IG, companies should assign accountability using the three lines of defense model.

To advance the effectiveness of this model, some organizations are placing the privacy function and its resources squarely within the compliance organization. After all, data privacy represents one of the most critical compliance risks for these organizations. Tying the privacy and compliance functions together promotes oversight, clarity of roles and responsibilities, effective management of regulatory matters and relationships, and timely reporting to senior leaders and the board.

Back to top

Getting started

Although the task of organizing and implementing IG can seem daunting, the end results are worth the attention and effort. In addition to enabling compliance with data privacy regulations, IG can pay significant business dividends—particularly when accomplished through careful planning and execution, collaboration with all key stakeholders, and strong executive sponsorship. Here are some considerations for getting started:

• Assess the current state of IG capabilities across the enterprise
• Develop a vision for IG tailored to the organization's data privacy risks and requirements, as well as its business strategy and goals
• Craft a multiyear roadmap, with priority on high-impact initiatives
• Develop, fund, staff, and roll out the IG program organization
• Select and begin to implement IG tools
• Consider an experiment or pilot to understand value and opportunity

Ultimately, the path to the effective management of data privacy risk through IG starts by making it a high priority within your organization. Are you ready to take that critical first step?

Back to top

Let's talk