RSM Australia

Five considerations for boards to improve data privacy

Data privacy awareness and compliance are crucial to handling emerging threats, and are fast becoming a major area of consideration among organisations and individuals.

Protecting the personal information and sensitive data of individuals who have entrusted in your organisation to manage their data, becomes crucial and can potentially equate to defending up to millions of records.Within that framework, RSM suggests five strategic and tactical data privacy considerations for boards and their audit committees.

To gain a competitive advantage over other organisations and win the trust of consumers, an effective plan that minimises regulatory and operational risks should be put in place. Failure to implement an appropriate plan to address data security and privacy will likely result in financial penalties and mistrust from consumers, leading to a loss of reputation.

Your board can make data privacy a strength of the organisation by emphasising two complementary elements: awareness and compliance.

Within that framework, RSM suggests five strategic and tactical considerations for boards and their audit committees.


1. Establish oversight at different levels

Prioritising data privacy begins with a commitment to internal oversight. Establishing a data privacy or information security committee will connect each of your company’s risk functions.

The group should include members of the board and the audit committee, as well as:

  • The Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • The Data Privacy/Protection Officer (DPO)

Where these titles, or similar are applicable.

It is important to bring together those who have a shared objective of protecting data and maintaining data privacy laws and standards at your organisation.It is important to bring together those who have a shared objective of protecting data and maintaining data privacy laws and standards at your organisation.

However, a commitment to focusing on the importance of data privacy cannot succeed if it is only communicated at the board level.

It is critical that data privacy is engrained throughout the whole organisation. Empowering vigilant employees with frequent and clear lines of communication to the data privacy committee will assist with timely detection and response times when problems arise.

Audit committees can use these frameworks to address specific risks with the internal custodians of the data in focus. They can also ensure that new products, technologies and services are designed with data privacy safeguards from the beginning.


2. Create your data map

The initial, and ongoing, focal point for protecting data privacy is to establish a set of questions that boards, and senior management must continuously ask and assess.

Some of these questions may include:

  • What data must be protected?
  • Why do we collect it?
  • Where do we store it?
  • How do we process it?
  • How long do we keep it?
  • What legislative and industry requirements do we need to consider?

The answers to the above questions create a compass to direct your board through decisions and operations that ensure data privacy is considered.

The questions challenge underlying assumptions about the costs, risks and benefits of the information collected, data safeguards and any third-party access to data.


3. Promote awareness in all forms 

Recognising that the challenges and pitfalls of data privacy are a cornerstone to protecting it. Privacy awareness is crucial throughout the entire organisation, from training to transparency, to knowing potential penalties for noncompliance. Data privacy awareness starts with the set of basic, specific questions that can be asked of anyone at your organisation:

What data must be protected? Why? Where? How?

Understanding what is at stake should motivate your entire company to embrace a comprehensive data privacy strategy. RSM suggests that your organisation should consider the two main types of risks — operational and regulatory — and how these are intertwined.

If your operational safeguards are inadequate, your organisation may face significant regulatory fines for non-compliance. However, there is also an upside to emphasising thorough data privacy processes.

For consumers who are concerned about their privacy and protection of their personal sensitive information, your commitment to data privacy can be the very differentiator from other organisations within the same industry. 

For a consumer to understand your data privacy strategy, you must be transparent and allow the customer to understand your organisation’s privacy practices. A consumer who has clear knowledge of why you are collecting and storing their information and how you seek to protect it, instils a relationship built on trust.For a consumer to understand your data privacy strategy, you must be transparent and allow the customer to understand your organisation’s privacy practices.

The Consumer Data Right (CDR) is a good example of where an organisation has demonstrated that they can protect consumer’s personal data through an independent assurance report and information security accreditation, can become an accredited data recipient (ADR) and use this to differentiate themselves from other organisations.

This provides a competitive advantage over those organisations who cannot provide this same transparency.


4. Structure and test your action plan

As your board or audit committee devises and enacts your organisation’s risk management program, it should also include data breach scenarios.

Should your organisation ever fall victim to a data breach, you should consider the following:

  • What are the playbooks for business continuity and the various responses, whether it be with regulators, shareholders or the media?
  • Are the right people empowered with responsibilities in the proper areas?

In the event of an incident, your organisation’s relationship with regulators can influence whether you face significant fines or lighter penalties designed to encourage compliance.

Once the action plan is in place, regularly perform risk assessments and test that the plan is fit-for-purpose and can be relied upon when it is required.


5. Look outward for help

While there is a magnitude of publicly available information on upcoming threats and data privacy trends, organisations can seek out industry-specific information to assist with their risk management program.

There are several resources which can be referenced to help shape better practices for your organisation regarding data privacy, such as:There are several resources which can be referenced to help shape better practices for your organisation regarding data privacy.

  • Office of the Australian Information Commissioner (OAIC) Australian Privacy Principles (APPs), Privacy related publications and advice
  • Consumer Data Right (CDR) Rules
  • General Data Protection Regulation (GDPR) Principles
  • ISO/IEC 27701:2019: Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
  • Information Systems Audit and Control Association (ISACA) Publications, Events and Webinars on Privacy and Data Protection
  • Australian Information Security Association (AISA) Publications, Events and Webinars on Privacy and Data Protection

This article was adapted from an article published on the RSM US website on 7 May 2020.

Need assistance about information and data privacy?

Get in touch with rsm today

CONTACT

Darren

Darren Booth
National Head of Security and Privacy Risk Services

asset_3.png

Subscribe to Risk Insider to stay up to date with the latest in Technology, Fraud and Security.