
How Privacy Fits Into the Ever More Quickly Evolving Risk and Compliance Arena

Changes in the risk and compliance arena have accelerated in recent years. Some new developments reflect growing awareness of global problems, environmental risk being one example, but there is also a great deal of natural, organic evolution among various interconnected disciplines. The times when risk was perceived solely in terms of financial risk are long gone, as are the times when the privacy team, together with the infosec and legal departments, was the only team dealing with regulatory requirements around new technologies and data. Given these developments, it is urgently necessary to redefine the place of privacy and the privacy team in this evolving landscape, and equally to establish links with the overlapping, adjacent and related areas of risk and compliance, of which there are more every year.

What are the main areas of collaboration and interconnection? While almost all, if not all, areas of risk and compliance can potentially be linked with privacy (for example, privacy risk can certainly affect financial risk through potential fines and penalties, through litigation, or when customers and business opportunities are lost because of privacy concerns), some topics are much more closely related than others.

The first, and seemingly the most obvious, is technological risk. The very rationale behind the rapid development of privacy legislation and of privacy as a discipline lies in technological development, most notably computing and, later, the internet. Privacy laws initially focused, to a large extent, on automated systems, at least until it became more than clear that all information has the potential to be computed, recorded and processed automatically one way or another. Today there are more and more technological risks, with AI obviously being one of the areas gaining most in prominence. All in all, nobody needs to be convinced that privacy and technological risk teams should work in close collaboration and, at a minimum, exchange information on identified risks and mitigation measures.

On the opposite side of the picture from technology, from a traditional point of view, would be the areas of ethics, human rights and anti-discrimination. In reality, however, it is more than clear that these topics persist and even become some of the leading concerns when developing and implementing technology. To an even larger extent, they are linked with and overlap privacy. Protecting personal data, and more broadly the privacy of a person, is very much a matter of ethical conduct, and the same is true of how personal data may be used and for what purpose. The principles behind data privacy, most obviously fairness, have a clear ethical and moral aspect. There is no need to remind anyone that privacy is also a human right, since the United Nations declared privacy an inalienable and universal human right back in 1948. It is also very important that an individual's personal data not be used to harm or discriminate, and the very role of the privacy team is to make sure no such use of personal data is accepted. Hence there are very distinct and overlapping areas of collaboration with the growing discipline of preventing discrimination and protecting diversity in the workplace.

Privacy is strongly backed by a regulatory landscape, and privacy laws and regulations form the backbone of the discipline. Such laws sometimes impose very strict requirements and, if they are not followed, the repercussions can be extremely severe and damaging to companies, in terms of penalties but also other corrective measures. From this, it is easy to conclude that the growing area of regulatory risk has much in common with privacy and data protection. Experts in both areas need to monitor the evolving regulatory landscape and learn how to navigate between different, and sometimes even contradictory, requirements from different countries, while allowing companies to grow, conduct business and promote their good name.

With good name and reputation more important than ever, brand risk is perceived by many as the most significant risk area for global companies in the years to come. While it is often well recognized that an insufficient level of privacy protection or breaches of personal data may lead to loss of consumer trust and damage to a business's reputation, it is much less obvious that the privacy team and the team or teams dealing with risks to brand and reputation should collaborate, discuss strategies and align on how to respond not only to breaches but also to consumer or general public dissatisfaction with how a company handles privacy and private data.

More traditionally, as many would say, IT compliance, information security and cybersecurity are all closely related to privacy. First, of course, personal data needs to be secured; secondly, the measures taken to protect data, information and technical assets should take into consideration their impact on privacy, be proportionate, and use the minimum amount of personal data necessary for the given purpose.

One other area, partly related but very much emerging as a discipline of its own in recent years, is third party risk management. It is considered to deal with the risks associated with outsourcing to third-party vendors or providers. While it is worth keeping in mind that processors under the GDPR or service providers under the CCPA, for example, are not third parties in the legal sense, they are third parties when seen through the lens of third party management and when the term is used colloquially. Third party risk management usually covers the security, privacy and other legal or ethical requirements that third parties are expected to follow. For this reason, it is a must that such requirements are drafted, audited and implemented in consultation and collaboration with the privacy team.

Last but not least, it is important to mention enterprise risk management as a whole. While this might seem like an academic discussion, and exploring the topic in more detail would be lengthy and quite complicated, at a minimum each privacy professional should understand what enterprise risk management is as such, what the main frameworks and standards are, and why privacy is, and shall continue to be, important for risk management in the foreseeable future.

While all of the above makes a valid case for strong collaboration between privacy and the related areas of risk and compliance, the more general question, whether privacy as such sits completely within the domain of risk and compliance as one of its disciplines, or goes beyond this area in at least some of its aspects, remains unanswered.


All views are my own and do not necessarily represent the opinions of any company or organization.

Senior Counsel Data Privacy at ABB