With that opportunity, however, comes risk and the duty to protect data privacy. Data privacy regulations, which are growing quickly, dictate some of this. But the individuals whose data is being collected are also keen to know what data companies are holding, why and how it is being used.
In a world where trust is hard to gain, even harder to maintain and increasingly risky to lose, boards cannot afford to turn a blind eye to data privacy and protection. Simply adhering to regulation isn’t enough. Converting data into value, securely and ethically, is the business imperative for the next decade.
The increased risks with handling—or mishandling—consumer data
While customer data brings valuable insights, it needs to be handled responsibly. As companies continue to use data to meet customers’ expectations, they must also efficiently process and manage data and algorithms and comply with regulations that protect the public. The board needs to make sure that data is being collected, secured and used responsibly.
Failing to protect customer data exposes companies to loss of consumer and employee trust. It can lead to brand damage, financial losses and penalties and audits from regulators. A company’s future growth and ability to innovate depend on how well it uses and protects that data.
And yet, an alarming number of companies reported mishandling customer data, whether by using it without express consent, failing to vet all third parties and partners with whom they share customer data or even launching new products and services without a data security and privacy evaluation. All of this culminates in a trust deficit between some organizations and their customers.
An opportunity to build trust
That dissonance is reflected in business leaders’ belief that customers trust their companies, when in reality, only a small portion do. Leaders overestimate how much these stakeholder groups trust them and misunderstand what actually drives trust. That misunderstanding can lead to lower employee retention rates and a negative impact on a company’s bottom line.
As companies navigate and build their data and privacy strategy, it’s the board’s role to make sure that this strategy is holistic, creates trust with stakeholders and manages related risks.
While it’s management’s job to protect data, the board should practice good data governance by engaging in robust discussions with management about the adequacy of the protection and privacy program, including information on the effectiveness of controls and whether resources are sufficient.
At the same time, directors need to look at continuing to increase transparency and accountability across stakeholder groups. They must be intentional about understanding the needs of multiple stakeholder groups and take action to develop trust with each.
According to our 2022 Annual Corporate Directors Survey, 71% of directors say that engaging directly with shareholders would enhance stakeholder trust. Second to engagement, directors point to enhanced shareholder communications, with 70% saying that enhancing disclosure or reporting can have a positive impact on stakeholder trust.
As companies consider a broader group of constituencies in a different way than they may have in the past, a data protection strategy should create and foster trust with all stakeholders, accounting for each of their unique needs. It should involve continually training employees and improving transparency through effective disclosure so that customers and shareholders know how the company is protecting their information. The combination of laser-focused transparency and proper data privacy and protection oversight will only benefit boards and their stakeholders in the long run.
Viewing trust as simply another item to add to the board’s already crowded agenda would be a mistake. Rather, trust is a thematic and strategic imperative that should shape all the board’s deliberations and serve as a beacon to guide management – especially when it comes to data.
Moving forward with a board-integrated approach
Working through the data “lifecycle”—discovery, protection, minimization and governance—the board can dig deeper into the overall data strategy. During the discovery and protection phases, boards should develop an understanding of what types of data are being collected, what data is required to be protected and whether their company’s data usage and protection processes are ethical and secure. Boards will also want to make sure they are aware of key applicable cybersecurity and data privacy laws, and any major violations. Board reporting would include information about any reportable cybersecurity events, instances of noncompliance with privacy requirements and how management is responding.
During the minimization and governance phases, boards oversee management’s control of the data and ensure the people, processes and technology in place are effective. That might mean exploring how management is seeking opportunities to modernize, standardize and automate processes, including the potential to minimize data collected while still achieving the company’s goals for the data.
As executives align their data and privacy strategy to the overall business strategy, the full board will want to get periodic updates on it and discuss their approach. The companies that most effectively take charge of their data throughout its lifecycle will have the greatest opportunities for success. Given the opportunity and risk involved, it’s essential that boards play a key role in the process.
The bottom line: Data can be incredibly valuable, and with proper governance and usage, it can help give organizations a competitive edge in the marketplace. Crafting an ethical approach to data collection, protection and usage gives boards the opportunity to strengthen their stakeholder relationships. Forward-thinking boards should seize the opportunity to double down on a holistic data and privacy strategy as a way of deepening trust with all their stakeholders and delivering sustained outcomes.
Maria Moats is PwC Governance Insights Center Leader, and Jay Cline is US Privacy Leader, Principal, PwC US.