Companies face challenges posed by a fast-changing patchwork of data privacy regulations, while data quality also looms as a related issue.
Companies are increasingly reliant on data and leading-edge technologies, such as artificial intelligence (AI), robotic process automation (RPA) and cloud infrastructure, to gain business insights, achieve operational efficiency and seek new growth opportunities. But within those opportunities lurk possible risks.
Technology is ultimately programmed and controlled by humans who are susceptible to making intentional or unintentional errors and omissions. The ways that technology is implemented can be an opaque subject to business owners lacking the requisite technical know-how, and this gap in understanding can present a range of risks that could cause significant reputational and financial harm to the business.
Adding to these risks is the increase in data protection and privacy regulations around the world, such as the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the New York State Department of Financial Services Cybersecurity Regulations. All of these carry stringent requirements as to how data should be secured, accessed, stored and used. And their noncompliance creates the risk of hefty fines, reputational damage and potential disruption to the business.
With this as a backdrop, EY teams and the Financial Times hosted an executive gathering in New York City in 2019 as a part of a global six-event series called “Enhancing corporate integrity.” Our group met during a period when corporate integrity, or the lack of it, was dominating the headlines.
As more and more companies suffer data breaches, fall victim to fraud or are found to have abused customers’ expectations for data privacy, the public’s trust that businesses can effectively police themselves becomes low. Adding to this situation is the growing temptation for politicians around the world to impose their own oversights.
Safeguarding the integrity of data
In the gathering, we began with two questions:
- Who felt confident that they knew what data was in their organization?
- Who felt on top of the risks associated with it?
Not a single hand went up in response to either of the questions.
Conducting an inventory of the data a company has, even in its own systems, can seem like an almost impossible task. And the broad spectrum of risks associated with that data is constantly shifting as cyber attackers become more sophisticated, regulators set new expectations and technologies, such as AI and the cloud, change the scope of how digital information can be used and abused.
Much of our time was spent discussing the challenges posed by a fast-changing patchwork of data privacy regulations. In the US, CCPA has set the pace domestically, and Washington state is expected to soon follow. But many representatives of US-based companies said they were already following the GDPR, which came into force in 2018 — at home and in other jurisdictions.
One guest noted that even a nation-state, as small as Singapore, can set ground rules on AI for multinationals’ operations on the other side of the world. There was a strong desire to see more global coordination on data regulation – and an expectation that we will move in that direction.
Another concern was data quality. How much of the information inside a business is helpful? Who should have access to it, and how much should be cleaned out?
Some digital information must be kept for regulatory or litigation purposes, but companies need clear policies and procedures to help them keep only the right data. A decentralized approach that actively engages business owners, while integrating them with centralized technologies and compliance functions, may be part of the answer.