Consumer data is a valuable asset for most organizations looking to extend their customer reach and competitive advantage. While consumers are willing to “share” detailed information about themselves, recent headlines demonstrate that they do not look kindly on breaches in data privacy or misuse of personal data by organizations they trust.
Indeed, the potential backlash from customers, regulators, and the public for inappropriate use of data is prompting many businesses and boards to discuss data governance with a cautionary principle in mind: “Just because we can, doesn’t mean we should.”
Regulatory and public scrutiny of data management continues to grow, most recently with the European Union’s General Data Protection Regulation taking effect in May, impacting all organizations that touch the data of EU residents. In the United States, the U.S. Federal Trade Commission has committed to make enforcement of the EU-U.S. Privacy Shield Framework a high priority, and a number of states are adopting their own data security laws.
Given the regulatory, legal, and enterprise risks that can arise from a failure related to data privacy or security, boards will want to understand the data program and the related policies, controls, and monitoring processes the company has in place to manage and protect data maintained across the enterprise and held by third parties.
To better understand how their companies are managing privacy and security risks around consumer personal data, and how they are protecting the brand from reputational harm (including unintended exposure of user data, identity theft, and other legal restrictions), boards should consider the following questions:
For more on data privacy and security, see KPMG LLP’s Data rich and regulation wary: Improving risk compliance in today’s data rich environment.