This article was first published on August 6, 2020.
In this fast-paced digital age, businesses have the capacity to collect a tremendous amount of personal information to support their strategies. Customers expect and trust that financial institutions will keep their personal information safe and use it appropriately. However, reorienting the way an organization considers privacy and embedding privacy thinking into the business is a significant challenge.
In 2019, Oliver Wyman published the paper “Data Privacy: Growing Expectations (And Risk) For Financial Institutions,” which included five no-regrets steps that organizations can take to get ahead on data privacy risk management.
The next frontier in this conversation is about operationalizing the privacy risk management program successfully across multiple functions and teams. There are many enablers to a successful program. Some are technical, such as putting in place an adequate systems and data architecture to meet the program’s needs. Others have to do with governance, organization and responsibilities—and this is the focus of this paper, "Privacy First." Our team outlines a clear strategy to operationalize a firm's privacy program and meet today's challenges.
Many companies are struggling to put holistic programs in place that comprehensively address privacy concerns across all the key functions of the business. Along with the business lines, teams such as data governance, information security, cyber risk management and third-party risk management need to coordinate their actions and responses with Privacy.
Making sure the firm’s privacy program is robust needs to be at the top of executives’ agendas as they think about risk management.
Neglecting this responsibility poses a significant risk with increasing regulatory, legal and ultimately reputational impact. The industry needs to be both proactive and preemptive in understanding how information is being used, storing only as much as strictly necessary, and keeping data safe from loss and theft.
In our view, senior executives and privacy leaders need to act now to make their programs more holistic. This is not a “one and done” exercise—the program needs to be regularly reassessed to ensure it remains fit for purpose.
1 CLEARLY DEFINE PRIVACY'S ROLE
The Privacy team is directly responsible for various aspects of compliance (for example, sending privacy notices). It also needs to oversee what others are doing and drive alignment across the business.
2 EMPOWER PRIVACY MANAGEMENT AND OVERSIGHT
Today, many Data Privacy Officers do not have sufficient authority to drive significant initiatives in the organization. To be effective, this needs to change. Senior stakeholders need to empower Privacy—and provide their own support—to ensure that business units and other teams can take ownership. This is essential to making changes, providing resources, and overcoming inertia.
3 TEST YOUR PRIVACY SAFEGUARDS
The effectiveness of the privacy program should be measurable at a department level, so the organization can see where privacy obligations are at risk of not being met.
4 FUTURE-PROOF THE PROGRAM THROUGH ONGOING TESTING, REGULAR ASSESSMENT AND CONTINUOUS IMPROVEMENT
Given the evolution of thinking on privacy topics, the way that privacy is considered within an organization must also be reappraised. It cannot be a “one and done” exercise. The central privacy team needs to take responsibility for ensuring that the organization is challenged on its activities, is informed of any relevant changes to regulation and guidance, and has put risk mitigation plans in place where appropriate.
Strengthening a company’s data privacy program requires full support from executive leadership, an understanding of and accountability for privacy across company functions, and successful execution of the plans laid out.
As a leading consultancy to the financial services industry, we have worked with many financial institutions to strengthen their data privacy programs. Our experience includes helping institutions set up operating models for the proprietary framework described—both within privacy teams, and across the organization.
Together, we will collaborate with your team to operationalize your privacy program and achieve impactful results for what has been a significant challenge for the industry.