When you add up business disruptions, productivity and revenue losses, settlements, fines, and penalties, the average cost to a company not compliant with data protection, state, federal, international, or industry regulations is around $15 million. With a skyrocketing number of new data protection laws (e.g., the CCPA, the GDPR, Japan’s APPI, and China’s National Data Protection Standard), your board of directors can no longer afford to ignore data privacy.
While board members have a duty to protect their organization, their longstanding view of compliance as an expense to be minimized (with the average compliance program costing $5 million) has led many boards to de-prioritize investments in data protection. This short-sighted strategy can create a number of serious risks for your organization.
As a Chief Privacy Officer (CPO) or security, legal, or compliance leader, you are now responsible for educating your board on your organization’s approach to data privacy, the impact of privacy risk on the business, and the potential negative outcomes of not investing in privacy. To help facilitate better board-level conversations around data privacy, we’ll address the common misconceptions board members have about data privacy, tips you can leverage when addressing the board, and ways to improve conversations around data privacy in the boardroom.
Common Data Privacy Misconceptions
Board members can sometimes misunderstand privacy risks to their business and how their organization is responding to them. Privacy and compliance leaders must actively work to clarify and quantify privacy risks through effective boardroom conversations.
Misconception #1: Compliance Equals Data Protection
Many executives believe that alignment with industry frameworks and regulations, such as the NIST frameworks, the GDPR, the CCPA, HIPAA, or PCI DSS, is an indicator of a strong privacy and security program. These frameworks are useful tools, but they do not guarantee that the data protections in place are adequate for each individual organization.
Simply put, compliance is a snapshot of how your organization’s privacy measures meet the provisions set forth by a specific regulation. These regulations are used to hold your organization accountable for protecting the sensitive data it stores. While meeting these regulatory checklists may protect your organization from oversights and fines, they are not always enough to govern the complete data lifecycles of today’s complex businesses or guard against the advancing strategies and tactics applied by attackers today.
In fact, many breaches in recent years have occurred at compliant businesses. For instance, HIPAA states that Covered Entities (CEs) and their business associates should implement a mechanism to encrypt PHI whenever deemed appropriate. In addition, HIPAA classifies its encryption requirements for PHI as "addressable," leaving them vague and open to interpretation. An assessment of PHI data and its technical safeguards can therefore be used as justification for not deploying encryption, and an organization that relies on such a justification without proper documentation could be exposed to devastating results and fines in the event of a breach (e.g., ransomware, phishing, or laptop loss/theft), even though it was not necessarily non-compliant.
Misconception #2: Only a Sophisticated Hacker Could Breach Us
Although many executives believe that high-profile breaches are caused by sophisticated, well-planned attacks, most are due to attackers taking advantage of basic security vulnerabilities. These can be anything from weak passwords and phishing campaigns to unpatched security software and default tool settings. Human error also has a well-documented history of causing data breaches, with 90% of security issues originating from garden-variety human error, like a misplaced laptop.
Even in the most unsophisticated breaches, regulators have shown they are not afraid to deliver substantial fines for mishandling or compromising personal data. Penalties in the EU can reach up to 4% of a company’s annual revenue, while those in Brazil can exceed $1 million per violation. Even organizations with robust privacy programs need to ensure they have the proper security measures in place to protect against these types of basic human errors.
Misconception #3: Someone Else Is in Charge of Privacy Risk
Too many organizations compartmentalize privacy risk as purely a compliance issue. And while compliance and privacy leaders are key stakeholders in managing privacy risk, they are not the owners of all enterprise data. In fact, one of the biggest challenges many companies face is identifying all of the sensitive data being collected, processed, and stored, as much of it lives within specific business functions, like your finance, marketing, or HR teams.
To clear this hurdle, it is vital that your organization adopts a privacy-aware culture, where everyone in the organization, including executive leadership, is held accountable for the protection of sensitive data. Time and resources must be spent educating your employees on data protection best practices, company privacy policies and procedures, and security awareness as new technologies and processes are rapidly deployed.
By making privacy part of the enterprise risk focus, your organization gains a greater level of risk visibility and increases coordination between departments, ensuring that privacy processes are implemented and used across the organization – not just within compliance and security functions. Privacy impacts nearly every part of an organization, and every employee needs to play their part, including your board.
Driving Dialogue and Value in the Boardroom
Privacy leaders should meet with their boards regularly to discuss their privacy strategies and push for investments in data protection. But keeping the board informed about the importance of data protection and compliance can be a challenge, especially at the current pace of regulatory change. When privacy makes it onto the agenda, you must take advantage, effectively communicating the needs of the organization in order to drive investment in a comprehensive, sustainable privacy program.
Step 1: Educate the Board on Privacy Using Their Language
In the wake of large-scale breaches and growing regulatory fines, board members are under extreme pressure to demonstrate effective oversight of their organization’s data security. While data privacy and security are becoming more common topics of conversation at board meetings, many boards still have a limited understanding of current privacy concepts and regulations.
You must translate your regulatory expertise into topics your board cares about: business impacts, non-compliance penalties, and the financial, organizational, and reputational risks that could affect your organization.
The average board has too many competing considerations to take an in-depth look at specific privacy regulations and the controls required by each. Instead, they want to understand the potential impact of the risk, they want evidence that the risk is under control, and they want to see how the organization is improving over time.
Instead of presenting technical concepts or detailed overviews of each new law, speak in plain, clear language, and focus on what the board knows best: risk. To frame the conversation, begin by answering the following four questions:
- What are the material privacy risks to the business?
- What strategies should be pursued to mitigate or transfer that risk?
- What will it cost in dollars and cents?
- What value does the business get from it?
Answering these four questions gives your board the strategic insight they need to make decisions about investment priorities and risk oversight.
Step 2: Map Privacy KRIs and KPIs to Provide Quantifiable Results
As a privacy leader, you are responsible for developing a reporting strategy that improves decision making and enhances visibility into the privacy program. Well-defined privacy key risk indicators (KRIs) and key performance indicators (KPIs) can help you report clear, measurable metrics to senior management and the board.
KRIs are used to determine the level of risk an organization is facing, such as the potential compliance issues that could lead to a data breach. KPIs provide strategic insights into the progress of an initiative, assist in decision making, and can help improve overall organizational health. By applying these two types of metrics to privacy programs, patterns and trends can be detected, progress towards goals can be measured, and a privacy program's value can be demonstrated.
Using these types of metrics for reporting, you can present objective, quantitative evidence that empowers your board members to make intelligent decisions for the business and select the privacy investments that will create the most impact.
Common privacy KRIs include:
- Number of compliance issues remediated within a time period
- Percentage of vendors identified as “high risk” that have access to sensitive data
- Percentage of high-risk compliance issues
- Number of customers impacted by a privacy incident or breach
- Total number of privacy incidents or breaches
- Average time to resolve an incident or breach
- Number of customer complaints related to their personal data
With these metrics, you can provide visibility into the value a data protection program is bringing to a company and validate that it is effectively managing privacy risk.
Step 3: Leverage Personal Experience
Although board members need to be informed on some of the more technical details of data protection regulations and their associated risks, what they really need to understand is the importance of protecting confidential information. You must tell the board a story – giving examples of what happens when a company doesn’t make privacy a priority or what a customer would experience if their private information was exposed. Making privacy a reality rather than an abstract concept can help drive home the importance of investing in a privacy program and educating the organization on data privacy.
Insider Tips for Improving Board Conversations
Privacy is rising to the top of the agenda for many boards, but a poor presentation can hinder and even kill a valuable privacy initiative. Leveraging these tips can make for more productive meetings and earn the support of the board.
- Do your prep work: Go into each board meeting armed with data. Your board presentation should be simple and data-driven, demonstrating the risks and the KRIs and KPIs being used to measure and address them.
- Provide pointed evidence: Share metrics that make a point. Talk in dollars if possible. Don’t drown the board in a sea of unnecessary details (but be ready to provide them if asked).
- Know your audience: It is critical to understand the interests and motivations of your board members so you can present your message clearly. Pay attention to how the board reacts to make sure your message is being received and to make improvements for the next meeting.
- Keep it simple and interesting: Tell a story that is easy to follow. Less is more; focus on a few topics at a time and use analogies to connect with your audience.
- Anticipate the hard questions: Work with your team to anticipate and prepare for tough questions in order to offer articulate, insightful responses. Avoid jargon and legalese, which nobody likes, especially the board.
- Be honest and realistic about your answers: Do not omit or downplay problem areas. The board should be aware of all significant risks, incidents, and missteps occurring at the organization to allocate the appropriate resources.
- Don’t scare the board: The board understands there is a growing volume of data breaches and privacy regulations. They want the facts and statistics in order to make an informed decision, not fear tactics to be pressured into one.
- Capitalize on your opportunity: Use your time in front of the board to build their trust and make sure they understand the strengths and potential benefits of a strong privacy program.
- Listen, learn, and adapt: As you speak, teach, and prepare, don’t forget to listen to the board, learn their needs, and adapt your presentation approach.
- Interact regularly and directly: Communicate outside the boardroom. Set up one-to-one sessions if possible. Try to deal directly with the board to ensure the message isn’t lost or altered in the middle.
Boards are ultimately accountable for an organization’s health and direction and may be held partially responsible in the event of a breach or penalty. As regulations change, and privacy becomes a greater focus in the U.S., CPOs and privacy leaders must educate their boards on their privacy needs, objectives, and strategies to help them make smart investments in data privacy and better protect their customers and their business.