The data privacy landscape is changing. Lawmakers across the world are mobilizing to toughen laws on the data privacy of individuals. In the last year, regulatory and public scrutiny of data privacy has increased globally due to highly publicized data breaches and concern around the commercial use of personal data.
We believe financial institutions should treat data privacy as a top risk, like cyber risk, and adopt a proactive approach to managing it today. Lessons should be learned from cyber risk management's journey where a growing threat and several high-profile incidents led to significant attention and much stricter regulation over a short period of time. Data privacy could be the next discipline affected in this way.
Our paper, Data Privacy: Growing Expectations (And Risk) For Financial Institutions, helps firms to increase awareness, implement best industry practices, and become both proactive and preemptive in managing data privacy risk.
Financial institutions should treat data privacy as a top risk, like cyber risk, and elevate the conversation with senior executives and the board.
In North America, legislators are scrambling to catch up to regions that are further ahead on data privacy (e.g., GDPR in the EU), with an ever-increasing bevy of legislation being introduced at both the state and federal levels.
We believe there are five no-regret steps that financial institutions should take today to get ahead.
1. Elevate the conversation to the senior executive and board levels
Institutions should ensure that the board and senior management are educated and informed about the changing data privacy landscape and how it affects the organization.
2. Understand how the organization uses personal information (today and in the future)
Build a foundation of knowledge to understand what types of personal data are collected, where that data is stored, who can access it, and how it is used. Developing a centralized repository of information and view of consumer transactions can transform the customer experience and translate into an effective product offering.
3. Conduct data privacy risk identification exercises
Take a proactive approach to data privacy risk management to identify the institution's biggest exposures such as customer transparency/consent, and the sharing of sensitive information with third parties and aggregators. Invest in protective measures rather than operational resources after the fact.
4. Determine the firm's stance on data privacy
With the evolving nature of data privacy laws and regulations, financial institutions need to determine what they consider to be personal information; how the information is used and shared; how to inform consumers about data use; and the access and control that is given to consumers.
5. Increase transparency and disclosures for consumers
Make disclosures to consumers more accessible, interactive, and informative. Also incorporate resources into the institution's website to help educate individuals on key privacy concepts.
These 5 no-regret steps elevate data privacy to a true strategic risk management discipline that considers a firm's reputation, good industry practices, and consumer expectations, rather than waiting for legislation to dictate the approach.