Board oversight of privacy

April 2019

Companies enjoy a wealth of opportunities to capitalize on the data they obtain from customers, employees, and business partners. They are using data analysis techniques to improve risk management, operating efficiency, customer relations, and product innovation. But in trying to capitalize on the data they are collecting, companies also face mounting public concerns over privacy, as reflected in new regulations and in heated debates on the use of personal data.

Privacy and data governance are becoming critical issues for a growing number of companies. Security is an important element, because data privacy requires data security. But the issue extends well beyond the need to protect data from unauthorized disclosure. New regulations and shifting consumer expectations are also altering the terms for the collection, storage, and use of personal data. In response, companies are reviewing their practices, and boards are ramping up their oversight.

On March 27, 2019, members of the Audit Committee Leadership Network (ACLN) discussed practices for enhancing data privacy oversight. They were joined for this discussion by Phil Nemmers, an EY partner specializing in data protection and privacy issues, and by several executives responsible for privacy at their companies: Eduardo Andrade, global compliance and ethics officer at Booking Holdings; Harvey Jang, senior director, global data protection & privacy counsel at Cisco; and Tom Moore, chief privacy officer at AT&T.

ACLN members and their guests touched on several topics during their discussions before and during the meeting:

  • Emerging constraints on data use
    Companies face increasing tensions between the opportunities to utilize data and the pressures to protect personal privacy. There has been considerable debate about this issue in recent years. New legal requirements have emerged, making privacy protection an important compliance imperative. At the same time, the issue goes beyond compliance to include the less explicit, but still significant, considerations associated with safeguarding a company’s reputation and trustworthiness in the eyes of customers, employees, and the public.
  • The response from companies
    Achieving the right balance between providing adequate privacy protection and making productive use of personal data presents major challenges for companies. ACLN members and guests touched on the need for both centralized leadership and broad involvement of many functions—including business units—in the effort. They also discussed the specific challenges of obtaining informed consent for the use of personal data and deciding on appropriate disclosures in the event of a privacy violation.
  • Board oversight
    While the full board is ultimately responsible for oversight of privacy, ACLN members reported that several committees may be involved or take the lead, including the audit, compliance, and risk committees. The frequency and intensity of board discussions about privacy still vary: some boards raise the issue at every meeting, while others approach it on an ad hoc basis. The guests suggested that internal audit can help inform the board about the privacy control framework, and they advised ACLN members to ensure that their privacy function has sufficient resources and expertise.