7 questions legal teams should ask to understand their privacy risk exposure and safeguard customer trust.
If you ask any executive at a healthcare company, investment firm, mortgage lender or almost any other company these days the No. 1 way to earn and keep customer trust, the answer would most likely be “We need to protect our customer data.”
“High-profile data failures are saturating the news cycle, leading many executives to ask themselves whether their organizations could be at risk of similar failures,” says Stephanie Quaranta, research director for the data privacy practice at Gartner. “Though the immediate consequences vary by company and the severity of the failure, what’s relevant to every company is the damage a data failure does to customer trust.”
New data privacy laws are increasing the imperative to protect personal information, but real-life examples of the perils also abound. Facebook and Equifax have felt the wrath of customers and regulators since it was revealed that they failed to protect personal information. Their plight has brought home to every boardroom what the fallout looks like.
To facilitate a discussion with senior leadership about your organization’s level of exposure to a similar incident, Quaranta recommends legal and privacy executives focus on these seven questions.
How heavily does our business model depend on the use of high-risk data?
Corporate initiatives from marketing campaigns to new product development are being powered by more types of data, making data the organization’s most valuable asset. Along with these valuable insights, this data brings with it an increased exposure to privacy risk. Leaders should discuss what initiatives their companies are currently executing that are potentially over-reliant on high-risk data.
Does our business strategy document and subsequently manage potential privacy risks created by that strategy?
Leaders often underestimate the extent to which business strategy drives privacy risk exposure. To properly manage privacy risk in day-to-day business operations, company leaders need to establish processes and incentives that ensure risks are explicitly considered or accounted for in the strategy-setting phases of company initiatives.
Are we being as transparent as possible with our customers in communicating how we use their data?
Strong customer relationships are based on the transparency you provide around what you collect, how you plan to use it, who you will share it with and how you will protect it. Most importantly, transparency means customers must be able to easily find and understand the policies. Encourage senior leaders to review existing policies and discuss whether your organization’s communications meet this bar.
How effective are the controls we’ve put in place to manage our privacy risks, especially those in our highest-risk areas?
For existing controls to be effective, they must be able to withstand a complex privacy risk environment. To get there, the controls your company has in place should be regularly tested and audited, with a particular focus on catching employee mistakes and finding potential gaps in processes involving high-risk data.
Are we using all possible information sources to understand risk at our organization?
Most organizations do not take full advantage of the channels through which they can better understand their company’s risk exposure. To grasp whether senior leaders have a full picture of potential risk exposure, discuss which information sources your organization uses to identify when privacy practices may be at odds with the company’s privacy commitments and brainstorm opportunities to expand leaders’ perspectives (e.g., customer complaints).
How effectively are we monitoring ongoing third-party compliance with our standards?
Third-party policies, standards and requirements are only as effective as the amount of oversight organizations dedicate to them. To gauge the actual impact of third-party policies and standards, discuss whether your organization has created clear ownership and accountability for monitoring third-party compliance on an ongoing basis.
What’s our third-party strategy?
Recent missteps in monitoring third-party activity may reflect a failure in third-party strategy overall, with organizations lacking a systematic approach to managing third-party relationships. Instead, engagement strategies are created informally at the local level and vary widely across the organization. To ensure third-party strategy is aligned with your organization’s overall risk appetite, senior leaders must understand how third parties are being used across the entire business and set necessary guardrails.