There can no longer be any doubt that the European Union’s General Data Protection Regulation, which will go into effect in May 2018, is fundamentally changing the way privacy is managed within organizations around the world. As the recently released IAPP-EY Annual Privacy Governance Report 2017 points out, privacy governance is outpacing data breach reporting as a board-level concern.
As observed by Omer Tene, VP of Research & Education at the IAPP, “With the GDPR coming into focus, ahead of its implementation date in 2018, boards and senior managements are recognizing the growing importance of privacy and data protection as a compliance and business risk. For the first time in this field, the GDPR sets forth formidable fines and penalties, which could amount to tens of millions – and for the largest companies even billions – of dollars. This, no doubt, gets the attention of the board. Privacy is about much more than data breaches. It’s about meeting consumer expectations, managing data collection and use, and avoiding behavior that could be considered ‘creepy’.”
Key findings of the IAPP report
The new IAPP report, which surveyed in-house privacy professionals about their privacy budgets, initiatives and departmental structures, shows that the way organizations now think about privacy issues is changing. Privacy initiatives are now the #1 reported board issue (at 72 percent), beating out data breaches, which were last year’s top board topic.
Not only are privacy issues growing in visibility with top executives, they are now increasingly seen as important for both risk management and new business opportunities. As a result, privacy concerns that once might have remained a departmental-level issue are being pushed up the executive ladder and moved into the boardroom.
As privacy issues escalate in importance, they are becoming part of a broader organizational approach known as “privacy by design.” In short, in-house privacy professionals are being brought in much sooner – in the planning stage – rather than just in the implementation stage. There is much greater awareness that the planning of just about any business initiative in 2018 will require a fine-grained analysis of privacy issues that goes well beyond just data breach reporting.
Why are boards paying so much attention to privacy governance?
Obviously, concerns about compliance with GDPR were behind the initial focus on privacy governance in 2016. But in 2017, there is now a new wrinkle: privacy governance is seen as a source of competitive differentiation. For example, amongst technology firms concerned with compliance, 39 percent now see it mostly as a competitive differentiator, while another 35 percent view it as a way to increase data value. In a crowded marketplace, the company that shows it is taking data privacy and data security seriously has a chance to win over new customers and new partners.
Moreover, in the uncertain regulatory environment surrounding the GDPR, companies increasingly prefer to do business with other companies that are adhering to all the key privacy guidelines and protecting personal information. According to the IAPP survey results, 84% of tech firms concerned about compliance are doing so to meet client expectations about online privacy. As a result, they are much more likely to hire privacy personnel for core business reasons. In short, privacy is no longer a “nice-to-have” – it is now a “must-have.”
“Companies now understand that far from being a mere compliance issue, privacy underlies consumer trust and enables strategic uses of data.”
Omer Tene, VP of Research & Education at the IAPP
The threat of a data breach vs. the threat of non-compliance
No wonder boards are taking privacy governance so much more seriously. When privacy issues equated in the minds of many executives to data breaches involving compromised personal data, there was a sense that privacy governance was simply an IT issue. Fix a few problems, install some new software, update breach notification procedures, and everything would be OK. From that perspective, data breaches were fundamentally about flawed technology, rather than flawed ways of doing business.
That’s why the IAPP report is so timely – it shows that the way privacy is managed is fundamentally changing. As the report makes clear, compliance issues are outpacing “safeguarding against data breaches” by nearly 12 percent. And, the closer that we get to the May 2018 deadline for GDPR compliance, the wider that gap is likely to grow. Security breaches still matter, of course, but they are seen as part of a larger challenge. As the survey makes clear, the leading reason to create a privacy function is now to meet compliance obligations (91 percent), not to reduce the risk of data breaches (76 percent).
For now, the financial risks of non-compliance seem much greater than those of data breaches. Tene said, “So far, most companies suffering data breaches have not been subject to significant penalties or litigation. To be sure, a massive breach, such as the one recently endured by Equifax, has implications for a company’s brand reputation and customer trust. But with the GDPR coming into effect, companies will be subjected to punishing sanctions that could reach tens of millions – and for the largest companies even billions – of dollars.”
This has led to an overall increase in privacy spending, from US$1.7M last year to US$2.1M in 2017. Organizations also expect to spend an estimated US$5M in adapting products and services and other GDPR compliance activities.
“Far from being European law for European companies, the GDPR has global application and a profound impact on any company dealing with data. An average spend of US$5M on compliance means large companies are set to spend dozens, indeed in some cases hundreds of millions of dollars on data governance tools and services,” said Tene.
One key reason the threat of non-compliance now looms so large is, of course, the potential monetary penalties involved. But the bigger factor to keep in mind is that privacy risks have the potential to completely re-shape the competitive landscape. In other words, companies that are currently market leaders might no longer find themselves market leaders in the post-GDPR world.
That’s a sobering thought for any board-level executive, and surely the subject of much concern at any board meeting. The GDPR is simply not going away, and that’s forcing the 60% of companies that have not made any effort whatsoever to comply with the GDPR to stand up and take notice. So what, realistically, can boards do to make privacy governance and data governance a central focus of their organizations?
Privacy governance is now all about “privacy by design”
One important issue raised by the IAPP report is that privacy professionals must be increasingly involved in every facet of the business, not just when a breach is involved. For that reason, it’s no surprise that the IAPP has seen a ramping up of privacy budgets and privacy employee headcount. But it’s not just a matter of getting “bigger” – it’s also a matter of getting “better” about privacy and security.
Thus, in boardrooms around the world, it’s easy to imagine a scenario in which Chief Privacy Officers (CPOs) have a seat at the table alongside the CEO, CIO, CMO and other C-level executives. That’s because privacy is no longer purely a compliance issue; it is also a business and strategic issue.
Looking ahead to 2018
With only six months remaining until the GDPR goes into effect in May 2018, it’s easy to see how privacy governance and related issues of information security will take on an even more influential role in boardrooms around the world. As the new IAPP survey makes clear, organizations are now more concerned about compliance than safeguarding against data breaches.
Organizations are looking for ways to build competitive advantage from the adoption of forward-looking privacy compliance policies. And they are starting to fold privacy initiatives into larger risk management initiatives. It’s all part of a fundamental change in the way privacy is managed in organizations around the world.