Oversight of privacy

Board risk oversight, Corporate and board regulatory matters, Cybersecurity

European Audit Committee Leadership Network, October 2019

Privacy and data governance are critical issues for companies and their boards as they navigate challenges around data use. On one hand, companies enjoy a wealth of opportunities to capitalize on the data they obtain from customers, employees, and business partners, and they are using new data collection and analysis techniques to improve risk management, operating efficiency, customer relations, and product innovation. On the other hand, companies also face mounting public concerns over security and privacy.

The General Data Protection Regulation (GDPR) became effective last year and brought with it sweeping changes to the rules governing data use and breach notification. GDPR enforcement efforts have already led to substantial fines for companies across a range of industries. However, the issue extends well beyond the challenges of GDPR compliance. Companies must also grapple with the reputational risks associated with certain practices as shifting consumer expectations alter the terms for the collection, storage, and use of data.

On 13 September 2019, members of the European Audit Committee Leadership Network (EACLN) met in Munich to discuss these issues. They were joined by three experts on privacy: Eva Gardyan-Eisenlohr, group data privacy officer at Bayer; Peter Katko, global digital law leader at EY; and Claus-Dieter Ulmer, global data privacy officer at Deutsche Telekom.

In the meeting and in calls before the meeting, EACLN members and their guests touched on four broad topics:

  • Stepped-up enforcement of privacy legislation
    The GDPR establishes comprehensive new consumer rights and organizational responsibilities regarding how personal data is handled. National regulators in Europe are now ramping up enforcement efforts, imposing significant fines for alleged violations. Meanwhile, the United States is starting to catch up. Congress is considering legislation, and states such as California have already enacted new laws.

  • Reputational risks
    Companies are also concerned about the reputational risks associated with their use of personal data. Consumers and the public could see certain activities as intrusive even if they are legal. Emerging technologies, such as artificial intelligence and the internet of things, could exacerbate the issue, as the collection, analysis, and use of data continually evolve.

  • Company responses
    Companies are stepping up efforts to comply with regulations and safeguard their reputations, working hard to create effective processes and organizations. EACLN members and guests underscored the importance of a robust cross-functional privacy team that brings an integrated, collaborative approach to the problem. To help business units implement privacy policies, a “data privacy cockpit” can provide documentation, resources, and services such as a privacy-statement generator accommodating multiple languages.

  • Board oversight of privacy
    Boards are assessing and improving their own approaches to overseeing privacy risks. While the full board is ultimately responsible for providing oversight, the audit committee often takes the lead, especially on the control framework. It is becoming more common for privacy to occupy a regular slot on the agenda. Some audit committees now discuss privacy at every meeting, and they are likely to receive reports from a range of functions, such as the legal function, the information security function, internal audit, and marketing.