split finger print


Using information governance to manage data privacy risk

Enabling growth and innovation

Motivated by the rising importance and visibility of data privacy risks, organizations have an opportunity to benefit from a comprehensive and coordinated approach to information governance. This approach can help organizations effectively tackle data privacy and use their data privacy capabilities as a potential source of competitive advantage.

Regulatory compliance and beyond

Regulatory requirements and business drivers are prompting companies to focus more attention and resources on managing data privacy risk.

  • Regulatory requirements: Data privacy and cybersecurity rules not only require the protection of customer data, but also impose obligations to assure the data’s quality, completeness, and governance—including limited acquisition and use, as well as appropriate retention and disposition. Today, a number of states are considering legislation similar to the CCPA. These regulations span every aspect of a company’s interactions with its customers.
  • Business drivers: Companies are seeking competitive advantages in the marketplace by better mining existing information and taking advantage of nontraditional sources and uses of data, advanced analytics, artificial intelligence, and new ways of interacting with customers, such as digitization.

A comprehensive and coordinated information governance (IG) program can enable companies to more effectively address both the regulatory requirements and the business drivers.

These require more than just tougher information security. They require a comprehensive and effective IG program—along with the infrastructure necessary to collect only the required information and retain it no longer than necessary. For example, section 500.13 of the NYDFS Cybersecurity Regulation states that companies “shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information that is no longer necessary for business operations or other legitimate business purposes, except where such information is required to be retained by law or regulation.”

Data minimization: More isn’t always better

One consequence of the complex and expanding set of data-related regulations is that many companies have begun to rethink their traditional posture of “keeping everything.” Instead, they’re taking steps to determine what information is needed, how it’s protected and used, and how long to keep it. This emerging focus on data minimization is quickly rising to the top of the information governance agenda, driven in significant respect by regulations, including the GDPR and NYDFS Cybersecurity regulations.

Until recently, the prevailing mindset about data was “more is better.” But companies and regulators are now recognizing that it’s possible to have too much of a good thing. Like a cluttered garage, collecting and retaining too much data creates a whole host of problems, including:

  • Cost: The more data you have, the more it costs to store.
  • Security: The more data you have, the harder it is to secure—and the greater the potential risk of a security breach.
  • Reduced effectiveness: When you have too much data, it’s harder to find what you actually need.
  • Compliance: The traditional "keep everything" approach now violates some of the new and emerging data regulations.

Companies need to actively determine what information to keep and for how long. This will require careful analysis and reconciliation of the various regulatory requirements—many of which are overlapping or conflicting—as well as careful consideration of the company's information needs. It will also require new policies and system capabilities, including data-driven disposition and retention, that can help the company efficiently and effectively handle the day-to-day task of data minimization without losing valuable information or causing unnecessary risk.

Are your data privacy capabilities up to the task?

Thoughtful questions about the state of data privacy risk at your organization can help start the conversation and drive toward the right answers. Here are some key questions your organization should be asking:

  • Are we being proactive in identifying and complying with all the laws and regulations that govern data capture, use, retention, security, and disposal at our company?
  • Do we have an adequate information governance foundation in place that allows us to deal with current and upcoming data privacy challenges, such as consumer access and deletion requests, and consumers opting out of the sale?
  • Do we know what information we have, how complete and accurate it is, where it is, and how it’s used and protected?
  • Do we have the appropriate leadership, structure, capabilities, resources, and support to address these risks comprehensively—in the context of our business model and goals?
  • Do we receive and retain the necessary information to support key business decisions and actions?
  • Have we organized the compliance and privacy functions to best support and oversee our business and operations?
  • How do our IG program and capabilities align with industry standards and peer organizations?

mother board

Key process areas for managing data privacy risks

Complying with regulations can be difficult and complex, requiring companies to assess a wide range of activities—strategy, people, process, and technology. It also necessitates the development of diverse capabilities and tools in four key process areas—records management, privacy/compliance, crisis management/cyber, and IG. These capabilities and tools encompass:

  • Data inventory: Companies need to know the type and source of data collected, stored, and used—and how accurate and complete it is. Inventories should be risk‑ranked to reflect inherent risk and quantify business needs for the data.
  • Classification: Companies need to define the types of data collected and retained—and which data is personal versus public. This must be done in a manner that’s compliant with privacy regulations and clearly classifies individuals affected by the information to ensure customer access requests are properly addressed.
  • Third-party relationships: Companies need a comprehensive inventory of third-party relationships—and of the data collected, stored, or shared with third parties—to implement programs that properly address issues related to data quality, use, privacy, and security. Contracts must be created or amended to hold these third parties to new privacy standards.
  • Portability and erasure: Companies must manage customer requests that involve moving or eliminating personal information.
  • Data security: Companies need to implement and maintain reasonable security procedures and practices. They also need to respond effectively to data breaches.
  • Consent: Companies need management tools capable of handling consumer requests in a timely manner, including specific authentication and permissions for cross-affiliate marketing.
  • Oversight and monitoring: Companies must implement programs that are comprehensive and strong, yet flexible enough to adapt to continued changes and ongoing regulatory/business implementations. Such programs can benefit from an increased focus on training and change management procedures to ensure they’re properly implemented through the three lines of defense, which can help avoid regulatory enforcement, fines, and penalties.

future icons

Data privacy risk and reputation risk

The increased number of laws and regulations is the vanguard of a paradigm shift in which the general population is growing more concerned about their private data. Recent headlines have shone a spotlight on the potential misuse of consumer data, and the reality is that any organization collecting data about consumers—especially if they share the data with vendors or third parties—may be at risk of having their data misused.

Significant reputation damage can result from misused data and/or data breaches. Organizations should understand and prepare for the reputational risks that extend beyond noncompliance with the myriad of data privacy laws and regulations.


The three lines of defense

In designing and implementing their approaches to IG, companies should assign accountability using the three lines of defense model.

To advance the effectiveness of this model, some organizations are placing the privacy function and its resources squarely within the compliance organization. After all, data privacy represents one of the most critical compliance risks for these organizations. Tying the privacy and compliance functions together promotes oversight, clarity of roles and responsibilities, effective management of regulatory matters and relationships, and timely reporting to senior leaders and the board.


Practical lessons learned

Implementing a comprehensive and coordinated approach to IG can be challenging and time-consuming. Here are some leading practices to keep in mind:

Getting started

Although the task of organizing and implementing IG can seem daunting, the end results are worth the attention and effort. In addition to enabling compliance with data privacy regulations, IG can pay significant business dividends—particularly when accomplished through careful planning and execution, collaboration with all key stakeholders, and strong executive sponsorship. Here are some considerations for getting started:

  • Assess the current state of IG capabilities across the enterprise
  • Develop a vision for IG tailored to the organization's data privacy risks and requirements, as well as its business strategy and goals
  • Craft a multiyear roadmap, with priority on high-impact initiatives
  • Develop, fund, staff, and roll out the IG program organization
  • Select and begin to implement IG tools
  • Consider an experiment or pilot to understand value and opportunity

Ultimately, the path to the effective management of data privacy risk through IG starts by making it a high priority within your organization. Are you ready to take that critical first step?

icons swirling

Let's talk

Jay Cohen
Managing director

Risk & Financial Advisory
Deloitte & Touche LLP

Tim Cercelle
Managing director

Risk & Financial Advisory
Deloitte & Touche LLP

Niels Aafjes
Senior manager

Risk & Financial Advisory
Deloitte & Touche LLP

contact us

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?