There can no longer be any doubt that the European Union’s General Data Protection Regulation, which will go into effect in May 2018, is fundamentally changing the way privacy is managed within organizations around the world. As the recently released IAPP-EY Annual Privacy Governance Report 2017 points out, privacy governance is outpacing data breach reporting as a board-level concern.
As observed by Omer Tene, VP of Research & Education at the IAPP, “With the GDPR coming into focus, ahead of its implementation date in 2018, boards and senior managements are recognizing the growing importance of privacy and data protection as a compliance and business risk. For the first time in this field, the GDPR sets forth formidable fines and penalties, which could amount to tens of millions – and for the largest companies even billions – of dollars. This, no doubt, gets the attention of the board. Privacy is about much more than data breaches. It’s about meeting consumer expectations, managing data collection and use, and avoiding behavior that could be considered ‘creepy’.”
Key findings of the IAPP report
The new IAPP report, which surveyed in-house privacy professionals about their privacy budgets, initiatives and departmental structures, shows that the way organizations now think about privacy issues is changing. Privacy initiatives are now the #1 reported board issue (at 72 percent), beating out data breaches, which were last year’s top board topic.
Not only are privacy issues growing in visibility with top executives, they are now increasingly seen as important for both risk management and new business opportunities. As a result, privacy concerns that once might have remained a departmental-level issue are being pushed up the executive ladder and moved into the boardroom.
As privacy issues escalate in importance, they are becoming part of a broader organizational approach known as “privacy by design.” In short, in-house privacy professionals are being brought in much sooner – in the planning stage – rather than only in the implementation stage. There is much greater awareness that the planning of just about any business initiative in 2018 will require a fine-grained analysis of privacy issues that goes well beyond data breach reporting.
Why are boards paying so much attention to privacy governance?
Obviously, concerns about compliance with GDPR were behind the initial focus on privacy governance in 2016. But in 2017, there is now a new wrinkle: privacy governance is seen as a source of competitive differentiation. For example, amongst technology firms concerned with compliance, 39 percent now see it mostly as a competitive differentiator, while another 35 percent view it as a way to increase data value. In a crowded marketplace, the company that shows it is taking data privacy and data security seriously has a chance to win over new customers and new partners.
Moreover, in the uncertain regulatory environment surrounding the GDPR, companies increasingly prefer to do business with other companies that adhere to all the key privacy guidelines and protect personal information. According to the IAPP survey results, 84% of tech firms concerned about compliance are pursuing it to meet client expectations about online privacy. As a result, they are much more likely to hire privacy personnel for core business reasons. In short, privacy is no longer a “nice-to-have” – it is now a “must-have.”
“Companies now understand that far from being a mere compliance issue, privacy underlies consumer trust and enables strategic uses of data.”
Omer Tene, VP of Research & Education at the IAPP
The threat of a data breach vs. the threat of non-compliance
No wonder boards are taking privacy governance so much more seriously. When, in the minds of many executives, privacy issues equated to data breaches involving compromised personal data, there was a sense that privacy governance was simply an IT issue. Fix a few problems, install some new software, update breach notification procedures, and everything would be OK. From that perspective, data breaches were fundamentally about flawed technology, rather than flawed ways of doing business.
That’s why the IAPP report is so timely – it shows that the way privacy is managed is fundamentally changing. As the report makes clear, compliance issues are outpacing “safeguarding against data breaches” by nearly 12 percent. And the closer we get to the May 2018 deadline for GDPR compliance, the wider that gap is likely to grow. Security breaches still matter, of course, but they are now seen as part of a larger challenge. As the survey makes clear, the leading reason to create a privacy function is now to meet compliance obligations (91 percent), not to reduce the risk of data breaches (76 percent).