Data privacy doesn’t have to be an issue that keeps executives awake at night.
Instead, companies that approach data privacy the right way can use it to differentiate themselves, said Carolyn Holcomb, CPA, the leader of PwC’s data protection and privacy practice in the United States.
“We see companies that are saying, ‘I can use this as a competitive advantage. Because if you can trust me more than you can trust a competitor, perhaps you’ll come to me more often,’ ” Holcomb said.
Building and keeping customers’ trust is the cornerstone of this potential competitive advantage, according to Holcomb, co-author of a recent PwC report on data privacy. In consumer-focused organizations such as retail, technology, and insurance companies, Holcomb said transparency with regard to customer data collection practices is one key to building trust.
Consumers crave information about how their data are being used, according to Microsoft research conducted in 2013. In a survey of 1,000 consumers who identified themselves as being technologically savvy:
- 90% of U.S. respondents and 85% of European respondents said they want more information on with whom their data are being shared.
- 88% of U.S. respondents and 80% of European respondents said they want more information on the type of data being collected from them.
- 84% of U.S. respondents and 82% of European respondents said they want more information on how their data are being used.
Companies can build trust if they give consumers this information on how their data are being used, Holcomb said. Some companies even give customers the opportunity to decide which information about them can be shared.
Once the company and customer understand which data will be used and how it will be used, it’s essential for companies to remain true to that agreement, Holcomb said.
“Consumers do watch and see companies that don’t keep that promise,” Holcomb said. “Some of it may be because they have a breach, and that’s certainly not intentional. But some of it is also where the privacy notice maybe isn’t, in fact, what is happening.”
To preserve consumers’ trust, companies should build controls around their data that are every bit as strong as the tight Sarbanes-Oxley controls public companies in the United States use to govern their financial reporting, Holcomb said.
Treating data as an asset—with the same protections a company uses for its physical or financial assets—can help organizations maintain their customers’ trust, Holcomb said. She said organizations need to follow these steps:
Take inventory of their data. To protect data, companies need a complete understanding of the data they possess, where the data are located, and how they are classified, Holcomb said. She said companies need to understand which data are the most sensitive (such as Social Security numbers) and which are less sensitive (such as customers’ phone numbers). And the inventory needs to be updated constantly as the company collects more data. Establishing and maintaining this inventory may not be easy. “You certainly find in the big organizations that haven’t done this in the past, it’s a big undertaking to go find out where all that data is, and what I’ve collected, and keeping it up over time,” Holcomb said.
Understand the life cycle of their data. Companies need to understand which third parties have access to this valuable asset and what they are doing with it, Holcomb said. She said companies should perform a risk assessment on these third-party vendors and understand their controls and processes. Protecting data shared internally also is essential, Holcomb said, and communication is the key. This means all business units must understand the privacy commitments made by the business unit that collected the data. “If I’m Business Unit A, and I collect some data, and I give it to Business Unit B to maybe cross-sell you something else, if I haven’t told [the customer] that I’m going to give it to Business Unit B, then I haven’t honored my commitment,” Holcomb said.
Choose a framework. Businesses that can wade through the alphabet soup of available frameworks can find a mechanism to adopt to protect the privacy of their data. Holcomb said companies can use the ISO, NIST, or COBIT frameworks to structure their data privacy efforts. “Pick one that fits your business,” Holcomb said. “And build controls and processes that are based upon the framework, just so you … can build it on something that’s tried and true and reputable.”
Monitor and reassess. Some companies put strong data privacy policies and controls into place, but they fail to monitor them and reassess them over time, Holcomb said. “When they don’t go back and monitor … things often fade away, and things aren’t happening, and controls and processes aren’t going the way that senior management expects,” Holcomb said. “So that monitoring is absolutely critical to make sure that the controls work, all the time.”
Get the board involved. PwC research in 2013 showed that 85% of investors said boards should be involved in overseeing the risk of compromising customer data, but only 61% of directors are engaged in overseeing or understanding privacy issues. Holcomb said that gap shows that it’s critical for boards to become more involved in protecting data privacy. “This is an area that boards have not traditionally touched on as much as others,” she said. “And it’s a new, evolving, and risky area, so their oversight is important.”
—Ken Tysiac is a JofA senior editor.