Data rich and regulation wary

Consumer data is a valuable asset for most organizations looking to extend their customer reach and competitive advantage

Consumer data is a valuable asset for most organizations looking to extend their customer reach and competitive advantage. While consumers are willing to “share” detailed information about themselves, recent headlines demonstrate that they do not look kindly on breaches in data privacy or misuse of personal data by organizations they trust.

Indeed, the potential backlash from customers, regulators, and the public for inappropriate use of data is prompting many businesses and boards to discuss data governance with a cautionary principle in mind: “Just because we can, doesn’t mean we should.”

Regulatory and public scrutiny of data management continues to grow, most recently with the European Union’s General Data Protection Regulation taking effect in May, impacting all organizations that touch the data of EU residents. In the United States, the U.S. Federal Trade Commission has committed to make enforcement of the EU-U.S. Privacy Shield Framework a high priority, and a number of states are adopting their own data security laws.

Given the regulatory, legal, and enterprise risks that can arise from a failure related to data privacy or security, boards will want to understand the data program and the related policies, controls, and monitoring processes the company has in place to manage and protect data maintained across the enterprise and held by third parties.

To better understand how their companies are managing privacy and security risks around consumer personal data and protecting their brand from reputational risks, including consideration of unintended exposure of user data, identity theft, and other legal restrictions, boards should consider the following questions:

  • What is our risk tolerance level for privacy, consumer protection, and reputational risks?
  • Do we have the appropriate governance structure in place to manage these risk?
  • Are the appropriate resources being allocated to data privacy and security?
  • Is the data privacy and security program aligned with the company’s business strategy?
  • Do the company’s customers know what data is collected and how it is used? Are the associated policies and processes clearly articulated and understood, both internally and externally?
  • Are user agreements clear, concise, and understandable to the average consumer, and are they readily accessible and sufficiently updated and reviewed?
  • Does the board receive regular reports on the company’s risk mitigation activities related to data privacy, compliance, and security controls?
  • What is the escalation process for incidents related to data privacy and security?
  • Is the company’s incident response plan up to date and has it been tested recently?
  • Does the company assess and provide ongoing monitoring of partner and third parties with respect to privacy, contractual obligations, potential misconduct, and reputational risks?

For more on data privacy and security, see KPMG LLP’s Data rich and regulation wary: Improving risk compliance in today’s data rich environment.

Download PDF