There are many practical measures that US businesses can adopt to reduce their data privacy risks.
But they also need to pay attention to the ownership and oversight of data privacy within their organization. This has real consequences for their ability to manage personal data ethically and in compliance with an evolving regulatory environment.
Our recent survey of 100 executives with responsibility for privacy compliance revealed that many US businesses have appointed clearly designated and qualified leaders such as chief privacy officers.
But in many cases, responsibility for privacy is owned by executives, such as the CIO, the CFO, or the general counsel, who are unlikely to have the required expertise (see chart). These leaders also face conflicting priorities in balancing privacy concerns with their core activities.
In many US organizations, privacy management is primarily seen as an issue for the legal function. In the absence of regulation that applies to all organizations, many hope their legal teams can help them keep compliance work to a minimum.
This is problematic. First, it ignores the march of privacy regulation in other jurisdictions worldwide; these regulations will apply to US businesses hoping to operate in those jurisdictions.
Second, it denies the direction of travel in the US, which is moving towards enhanced consumer data protection. Whatever the direction of travel at the federal level, privacy regulation looks set to increase – not least because many consumers are demanding it, as separate Securys research has shown.
Parking privacy management in the legal function risks impeding organizations from addressing the challenge proactively and coherently. Approaching privacy as a narrow matter of compliance threatens to undermine the benefits from better privacy management; it may even stymie US businesses’ efforts to grow in new territories overseas, or in other states moving faster on regulation.
Worse, depending on legal teams to rescue the organization from onerous privacy management responsibilities looks increasingly risky. Nobody wants to test their approach to privacy engagement through litigation, especially as the number of lawsuits relating to privacy is increasing across the US. Effective pre-emptive action is always better than going to court.
Effective privacy governance
A related risk stems from governance structures – in other words, who is responsible for assessing whether privacy practices are compliant and ethical? Nearly six out of ten respondents (58%) say that privacy governance in their organizations is overseen by the executive who is also responsible for its delivery.
This is at odds with generally accepted approaches to governance in other areas, including finance and ESG. It also falls foul of EU legislation on AI and data protection.
The aim should be to build privacy governance frameworks which align with the rest of the organization’s approach to oversight. Privacy management requires C-suite oversight – the CEO is ultimately responsible for the organization’s most fundamental ethical pillars – and reporting either to the board or to a specialist ethics committee.
The structure underpinning this oversight needs to reflect the inherent opportunities as well as the risks; functions such as marketing and business development should work together with privacy and compliance teams to drive innovation with confidence.
Organizations which delegate privacy to particular functions – to legal, for example, or to IT – underplay the importance of data and make it much harder to secure the holistic approach they need to deliver both growth and the accountability that the C-suite and the board should be demanding.
To transform privacy risks into data assets, as the regulatory environment becomes ever more complex, US businesses should build governance structures with senior executive accountability and cross-functional input. Leaving privacy management and compliance to a single function, such as risk management or IT, is a risky error.