7 minute read 4 Jun 2019

How boards are overseeing privacy compliance obligations

By

US Americas

Multidisciplinary professional services organization


Boards look to oversee issues of data privacy and compliance in innovative and transformative ways.

Many opportunities come along with obtaining data. Organizations can use it to enhance risk management and improve operating efficiencies and customer relationships. However, concerns over privacy, new regulations and consumer expectations are prompting many companies to review existing practices and many boards to focus on oversight issues. Meanwhile, multinational companies, especially those in highly regulated sectors, are facing challenges as they respond to new regulations and compliance requirements.

Members of the Audit Committee Leadership Network (ACLN) met in the spring of 2019 to discuss these issues in depth.

Oversight of privacy

As companies seek to capitalize on the wealth of data they obtain, they must consider the ongoing debate over privacy and the new legal requirements that impose conditions on how companies store, use, and share data. While the US does not have an encompassing federal law like Europe’s General Data Protection Regulation (GDPR), California will enact a law in 2020 containing similar provisions. There has also been a push to do more at the federal level to create guidelines that would pre-empt state law.

At the same time, the public is increasingly asking questions and the potential reputational risks cannot be ignored. Even compliant data use may spark a backlash from sceptical consumers. As one member said, “Customers have high expectations in this area. The onus is on every company to provide transparency, process data fairly, and be accountable.”

Finding a balance between providing adequate privacy protection and making use of personal data is not a small challenge. ACLN members and guests talked about the importance of addressing privacy issues at all levels of the organization and recognized that strong leadership is necessary to implement effective policies and practices. Companies may create data privacy leadership in many ways – from appointing a chief privacy officer (CPO) to granting that oversight to an existing company executive, like the chief financial officer (CFO). Regardless of how the leadership is structured, the effort must be supported by coordinated activity throughout the organization, the members said. Members urged boards and companies to consider the issue of privacy early in the product development process. They also discussed the specific challenges of obtaining informed consent for the use of personal data and deciding on appropriate disclosures in the event of a privacy violation.

Finally, members had a conversation about the board’s oversight role in this area. They discussed how their boards are approaching privacy through various committees of the board. The frequency of discussions about privacy varies widely, and some have found that internal audit can provide important insight into the control framework around privacy.


Meeting compliance obligations

Between 2009 and 2017, regulations around the world have more than doubled. Noncompliance can raise the attention of the press and social media and lead to reputational risk for many organizations. ACLN members discussed strategies to effectively oversee compliance.

A strong corporate culture is considered essential in successful compliance programs. The impact of compliance breaches can be minimized when employees do the right thing even when no one is looking. A culture in which people feel comfortable speaking out is a culture in which people are willing to alert management to problems. And it is imperative that leaders send signals that these issues are important from the top down.

Members also noted that integrating compliance activities across departments—including human resources, internal audit, and legal—helps keep information flowing to the people who need it. But because such integration can create complexity, roles and processes must be clearly laid out and well defined. A centralized compliance team may help work across organizational boundaries, though it might meet resistance from business unit leaders. For boards to have strong oversight, they must engage and work closely with other corporate functions, especially other gatekeepers.

Members said that traditional tools such as hotlines and surveys should not be the only source for identifying compliance issues. To improve employee engagement and decision making, companies should consider finding new and innovative ways to train and recognize employee compliance.


Summary

Boards must make sure companies are nurturing public trust and complying with regulations as they take advantage of the data they have collected from customers.
