Eight Future Privacy Governance Imperatives That Boards Have a Duty to Perform

Author: ISACA Now
Date Published: 16 December 2020

Surveys show that most people still feel they should have more control over their data and are uncomfortable with the sale of their data to third parties, implying that some privacy regulations are failing to effectively protect the privacy of their citizens. Furthermore, most of the data we deal with, whether transactional in nature or otherwise, is a reflection of some human being’s life – not just data, and as such, it deserves to be treated with respect.

Even with some of the new global data privacy regulations that have emerged in the GDPR era, the privacy compliance bar remains low, and in some cases it can be circumvented by organizations paying penalties rather than investing incrementally in becoming compliant, Guy Pearce noted in his recent presentation at ISACA’s Privacy In Practice virtual conference.

Yet board directors have a fiduciary responsibility to act in the best interests of the organization, and fulfilling only the bare minimum requirement of being compliant with privacy legislation is not in the best interests of the organization, Pearce contends. Here are eight ways Pearce identified in which board directors should think about privacy by design beyond compliance:

  1. Privacy culture. One size fits all in the case of multinationals is not in the organization’s best interests.
  2. Risk for reward. Having members of the public feel uneasy about the personal data they have released to receive a benefit is not in the organization’s best interests.
  3. Security by design and privacy by default. Security and privacy must specifically be considered at all stages of an initiative. Considering them just as overarching concepts or as bolt-on solutions is not in the organization’s best interests.
  4. Hobson’s Choice. Having no choice is not a choice; coercing a customer to choose between receiving a benefit and forgoing privacy, where no alternatives exist, is not in the best interests of the organization.
  5. AI, machine learning and analytics. Being unaware, ignorant even, of the significant issues of bias in AI and similar technologies using personal data is not in the best interests of the organization.
  6. Personal data as a person’s life. Data is not merely an asset to be exploited. It is in the organization’s best interests to recognize data as a reflection of a human being’s life, and that it should therefore be treated with respect, not just as a thing to be processed.
  7. Post-privacy. With privacy as we once knew it becoming an illusion due to the amount of personal data already out there and the extraordinary volume of data breaches involving this data occurring almost daily around the world, it is in the organization’s best interests to determine what it can do to play its part in a post-privacy world.
  8. Surveillance and tracking. It is in an organization’s best interests to ensure that its surveillance and tracking activities are transparent in an age of surveillance capitalism. This applies to governments, too.

To win buy-in from leadership for investment in privacy programs, Pearce suggests that privacy professionals keep communicating with leadership and peers alike, realizing that this may be in the face of resistance to change. Take an educational mindset, and utilize every opportunity to raise the profile of why sound data governance and privacy procedures are important. It can be effective to bring privacy and data governance to the board’s attention by piggybacking on the more established enterprise risk management practices. Often, Pearce said, it takes teaching and being patient – guiding people through the negative implications of not doing the right things – both for the business and for people’s lives.

Pearce left session attendees with a challenge for privacy practitioners: to what extent will they go to raise important privacy issues at their organization? For example, in spite of the existence of whistleblower programs, research found that employees wishing to raise issues like privacy concerns could face challenges at odds with the objectives of whistleblowing. As examples, what happens if personal safety is put at risk, or if peers or management encourage them not to report a perceived privacy issue? Ultimately, Pearce said, it comes back to their personal ethics and values systems – and standing up for what they believe in.

Editor’s note: Those seeking to become CDPSE-certified can now register for a new beta exam. To register for the CDPSE beta exam in January, visit https://www.isaca.org/credentialing/certified-data-privacy-solutions-engineer. For more information on CDPSE early adoption, visit https://www.isaca.org/credentialing/certified-data-privacy-solutions-engineer.