When you add up business disruptions, productivity and revenue losses, settlements, fines, and penalties, the average cost to a company that fails to comply with data protection regulations (state, federal, international, or industry) is around $15 million. With a skyrocketing number of new data protection laws (e.g., the CCPA, the GDPR, Japan’s APPI, and China’s National Data Protection Standard), your board of directors can no longer afford to ignore data privacy.
While board members have a duty to protect their organization, their longstanding view of compliance as an expense to be minimized (the average compliance program costs around $5 million) has led many boards to de-prioritize investment in data protection. This short-sighted strategy creates serious risks for your organization.
As a Chief Privacy Officer (CPO) or security, legal, or compliance leader, you are now responsible for educating your board on your organization’s approach to data privacy, the impact of privacy risk on the business, and the potential negative outcomes of not investing in privacy. To help facilitate better board-level conversations around data privacy, we’ll address the common misconceptions board members have about data privacy, tips you can leverage when addressing the board, and ways to improve conversations around data privacy in the boardroom.
Board members can sometimes misunderstand privacy risks to their business and how their organization is responding to them. Privacy and compliance leaders must actively work to clarify and quantify privacy risks through effective boardroom conversations.
Many executives believe that alignment with an industry framework or regulation, such as the NIST Cybersecurity Framework, GDPR, CCPA, HIPAA, or PCI DSS, is an indicator of a strong privacy and security program. These frameworks are useful tools, but they do not guarantee that the data protections in place are adequate for each individual organization.
Simply put, compliance is a snapshot of how your organization’s privacy measures meet the provisions of a specific regulation at a point in time. These regulations hold your organization accountable for protecting the sensitive data it stores. Meeting a regulatory checklist may protect your organization from oversights and fines, but it is not always enough to govern the complete data lifecycle of a complex modern business or to guard against the evolving strategies and tactics of attackers.
In fact, many breaches in recent years have occurred at compliant businesses. HIPAA is a good example. The Security Rule requires Covered Entities (CEs) and their business associates to implement a mechanism to encrypt and decrypt electronic PHI, but it classifies that specification as “addressable” rather than “required.” Addressable does not mean optional: the organization must assess whether encryption is reasonable and appropriate for its environment and, if it decides not to encrypt, document why and implement an equivalent alternative safeguard. In practice, this leaves the decision open to interpretation. An organization that documents a risk analysis concluding that encryption of PHI is not necessary can be compliant on paper and still face devastating consequences and fines when a laptop holding unencrypted PHI is lost or stolen, or when PHI is exposed through ransomware or phishing.
Although many executives believe that high-profile breaches are caused by sophisticated, well-planned attacks, most result from attackers taking advantage of basic security weaknesses. These range from weak passwords and phishing campaigns to unpatched software and default tool settings. Human error also has a well-documented history of causing data breaches; by some estimates, around 90% of security incidents begin with garden-variety human error, such as a misplaced laptop.
Even in the most unsophisticated breaches, regulators have shown they are not afraid to deliver substantial fines for mishandling or compromising personal data. Under the GDPR, penalties in the EU can reach up to 4% of a company’s global annual turnover or €20 million, whichever is higher, while those in Brazil can exceed $1 million per violation. Even organizations with robust privacy programs need to ensure they have the proper security measures in place to protect against these types of basic human errors.
Too many organizations compartmentalize privacy risk as purely a compliance issue. And while compliance and privacy leaders are key stakeholders in managing privacy risk, they are not the owners of all enterprise data. In fact, one of the biggest challenges many companies face is identifying all of the sensitive data being collected, processed, and stored, as much of it lives within specific business functions, like your finance, marketing, or HR teams.
To clear this hurdle, it is vital that your organization adopts a privacy-aware culture in which everyone, including executive leadership, is held accountable for the protection of sensitive data. Time and resources must be spent educating employees on data protection best practices, company privacy policies and procedures, and security awareness, especially as new technologies and processes are rapidly deployed.
By making privacy part of the enterprise risk focus, your organization gains a greater level of risk visibility and increases coordination between departments, ensuring that privacy processes are implemented and used across the organization – not just within compliance and security functions. Privacy impacts nearly every part of an organization, and every employee needs to play their part, including your board.
Privacy leaders should meet with their boards regularly to discuss their privacy strategies and push for investments in data protection. But keeping the board informed about the importance of data protection and compliance can be a challenge, especially at the current pace of regulatory change. When privacy makes it onto the agenda, you must take advantage, effectively communicating the needs of the organization in order to drive investment in a comprehensive, sustainable privacy program.
In the wake of large-scale breaches and growing regulatory fines, board members are under extreme pressure to demonstrate effective oversight of their organization’s data security. While data privacy and security are becoming more common topics of conversation at board meetings, many boards still have a limited understanding of current privacy concepts and regulations.
You must translate your regulatory expertise into topics your board cares about: business impacts, non-compliance penalties, and the financial, organizational, and reputational risks that could affect your organization.
The average board has too many competing considerations to take an in-depth look at specific privacy regulations and the controls required by each. Instead, they want to understand the potential impact of the risk, they want evidence that the risk is under control, and they want to see how the organization is improving over time.
Instead of presenting technical concepts or detailed overviews of each new law, speak in plain, clear language, and focus on what the board knows best: risk. To frame the conversation, begin by answering the following four questions:
Answering these four questions gives your board the strategic insight they need to make decisions about investment priorities and risk oversight.
As a privacy leader, you are responsible for developing a reporting strategy that improves decision making and enhances visibility into the privacy program. Well-defined privacy key risk indicators (KRIs) and key performance indicators (KPIs) can help you report clear, measurable metrics to senior management and the board.
KRIs measure the level of risk an organization is facing, such as the potential compliance issues that could lead to a data breach. KPIs provide strategic insight into the progress of an initiative, assist in decision making, and can help improve overall organizational health. By applying these two kinds of metric to a privacy program, you can detect patterns and trends, measure progress toward goals, and demonstrate the program’s value.
Using these types of metrics for reporting, you can present objective, quantitative evidence that empowers your board members to make intelligent decisions for the business and select the privacy investments that will create the most impact.
Common privacy KRIs include:
With these metrics, you can provide visibility into the value a data protection program is bringing to a company and validate that it is effectively managing privacy risk.
Although board members need to be informed on some of the more technical details of data protection regulations and their associated risks, what they really need to understand is the importance of protecting confidential information. You must tell the board a story – giving examples of what happens when a company doesn’t make privacy a priority or what a customer would experience if their private information was exposed. Making privacy a reality rather than an abstract concept can help drive home the importance of investing in a privacy program and educating the organization on data privacy.
Privacy is rising to the top of the agenda for many boards, but a poor presentation can hinder and even kill a valuable privacy initiative. Leveraging these tips can make for more productive meetings and earn the support of the board.
Boards are ultimately accountable for an organization’s health and direction and may be held partially responsible in the event of a breach or penalty. As regulations change, and privacy becomes a greater focus in the U.S., CPOs and privacy leaders must educate their boards on their privacy needs, objectives, and strategies to help them make smart investments in data privacy and better protect their customers and their business.