In this edited extract from the AICD publishing imprint’s latest title, ‘The New Governance of Data and Privacy: Moving Beyond Compliance to Performance’, authors Malcolm Crompton AM FAICD and Michael S Trovato GAICD provide a guide to help directors and boards understand the new privacy governance landscape so they can ask the right questions of their executives.
We live in the age of the data deluge, where technology enables the supercharged collection and processing of data. Directors and boards are responsible for directing their entity to leverage data-driven opportunities while ensuring that privacy is built into its governance, control and management. To do less risks both loss of business opportunity and non-compliance with the law.
With the digitisation of everything, rising surveillance capitalism, intensive national security monitoring and large intelligence gathering activities, directors and boards worldwide have moved beyond seeing privacy as a compliance line item. As organisations endeavour to prosper, leading directors are asking themselves much more dynamic questions:
- How would we react to a serious data breach as a customer or other key stakeholder?
- Do we treat our data with the same respect we would any other major class of financial asset? How do we value it, invest in it and protect it?
- Have we discharged our privacy governance obligations as directors?
This guide is a tool to help directors and boards think about and answer these questions. It is a resource for directors to better understand the interactions between technology, business and regulation, and how data should be thought of as both an asset and a liability.
First, it provides an overview of the technological, business and regulatory developments that contribute to today’s privacy landscape, including the extent to which they make data both an asset and a liability. Secondly, it covers key national, regional and international privacy regimes, with a special emphasis on the European Union’s General Data Protection Regulation (GDPR) and what it means for Australian organisations. Thirdly, it moves from compliance to performance, providing practical advice for directors and boards on establishing and overseeing privacy culture, frameworks and future-oriented practice.
Managing data by focusing on the balance between performance and risk is critical and will result in achieving compliance as a by-product rather than via a tick-box activity. This is an exciting time for directors. They may not become privacy or cybersecurity ‘experts’ but they must develop data and privacy literacy to be able to understand how to discharge their responsibilities and when to ask for expert advice. It is important for directors and boards to:
- Foster a culture that values data and privacy
- Future-proof the board
- Appoint key personnel and hold them accountable
- Enhance privacy and security resilience
- Focus on your stakeholders
Since the expansion of the Privacy Act to cover the private sector, successive Australian Privacy Commissioners have repeated the message that ‘good privacy is good business’. Ten key questions for directors and boards on the governance of data and privacy are as follows:
- Given the technological, business and regulatory environment, in what ways is the data the entity holds an asset? In what ways can the data be a liability for the entity?
- Given the entity’s data holdings and business aspirations, what knowledge and expertise does the board require to help it make decisions about deriving value from, and protecting, the data?
- What is the entity’s current privacy stance (that is, the attitude and approach to handling personal information)? What is the entity’s desired privacy stance and how will directors, with the help of the executive team, implement and communicate the desired stance and the strategy for change?
- Do directors understand the implications of the Privacy Act 1988 (Cth) (including the OAIC’s Privacy Management Framework under APP 1.2 and the Notifiable Data Breaches scheme) and the EU’s General Data Protection Regulation? Are there additional steps the entity needs to take?
- Are there clear roles, groups and lines of responsibility for data management that are appropriate to the size and value of the entity’s data holdings? Does the board hold them to account?
- To what extent do the key control areas (for example, risk, compliance, internal audit) have a data and privacy ambit, and do directors ensure that those areas are properly managed, resourced, represented and emphasised at the board level?
- How well are privacy processes and controls being executed? Does the entity have a systematic way of finding out and is this regularly communicated to the board?
- Are there metrics about privacy performance, and does the board ensure that they play a role in determining incentives within the entity?
- Do directors discuss stakeholder needs, expectations and interests around data at board meetings? Do directors take them into account when making decisions?
- Do directors know the ways that the entity is (or isn’t) earning stakeholder trust and building social licence? How can the entity improve in this regard?