Mint Hyderabad

Boards ought to foster a culture of data privacy in organizations

They should go beyond law compliance to integrate privacy objectives with their business strategy

- SHEFALI GORADIA & ANTHONY CRASTO are, respectively, chairperson, Deloitte South Asia, and president, risk advisory, Deloitte South Asia.

The digital age has ushered in a new era of responsibility: to safeguard the core of our online existence, our data. The surge in cyber threats has made regulators formulate new laws or strengthen existing ones to safeguard the data privacy of individuals.

While compliance is essential, it is no longer sufficient. Data privacy, protection and its responsible use by enterprises demand a proactive and strategic approach, which needs board-level oversight. The recent enactment of India’s Digital Personal Data Protection Act 2023 marks a significant step in this direction.

In the contemporary landscape, data privacy is a pervasive concern across all facets of operations. This must prompt enterprises to redefine their strategies and align themselves with the evolving dynamics of privacy. The shift requires cross-functional accountability, acknowledging the vital role that every individual and department plays in managing sensitive information. Recognizing that third parties are also involved in the custodianship of data, enterprises need to foster a culture where all stakeholders in the value chain understand and actively engage in good data practices. This also helps effectively confront emerging threats, ensuring a holistic commitment to data privacy. It is everyone’s business responsibility, which necessitates a commitment right from the top.

The EU’s General Data Protection Regulation has set off a global chain reaction, serving as a model adopted by numerous countries for crafting regulations for managing personal data. A study by the United Nations Conference on Trade and Development revealed that 70% of the world’s countries now have data protection and privacy legislation in place. The US Securities and Exchange Commission has proposed rule amendments under its Privacy Act with the aim of clarifying and streamlining regulation. In India, regulatory bodies such as the Reserve Bank of India and Securities and Exchange Board of India advocate increased board involvement in cybersecurity discussions, emphasising collaboration between technical experts and those less familiar with cybersecurity. It is crucial for boards to familiarize themselves with terms like ‘security posture and compliance,’ ‘risk assessment and management,’ ‘incident response plans’ and ‘privacy impact assessment’ and for their agendas to incorporate these.

A cyberattack can harm an enterprise’s reputation, causing loss of customer trust and lasting damage to its brand. In acknowledging the role of data privacy being integral to corporate governance and risk management, the board has a crucial role in not only ensuring that the enterprise meets legal obligations, but also establishing a bedrock of trust under its overall strategy and guiding managers to establish a work culture that makes all functions privacy-compliant.

At a time when artificial intelligence (AI) is being leveraged for social engineering attacks and spreading misinformation at scale, enterprises also share a social responsibility to protect users from exposure due to data breaches. Hence, boards must play a proactive role in the establishment and monitoring of data privacy programmes, going beyond compliance requirements and seeding changes right at the cultural level.

Fast-changing business, technology, threat and regulatory environments call for a rigour that boards must ensure as part of their corporate governance and trust-building responsibility.

First, boards must familiarize themselves with regulatory obligations and industry standards. Second, they need to recognize the significance of investment in privacy capacity-building and prompt enterprises to establish strong data protection practices. Third, with management support, boards can steer the creation of an executive committee for a robust, business-aligned and cross-functional data privacy programme. Fourth, boards can foster a culture of ‘privacy first’ by being vocal about responsible management of data, encouraging training and awareness programmes for employees and stakeholders. Fifth, it would add value if boards sensitize themselves with real-life scenarios and simulations to understand incident-response and data-breach handling measures. Finally, boards must ask for periodic audit reports that can help improve oversight and the effectiveness of data protection and privacy programmes over time.

In summary, boards have a crucial role in the top-down assimilation of a culture that holds ‘data privacy’ high in its order of priorities. The board can play a pivotal role in instilling privacy by design, where privacy is not an afterthought, but becomes a part of an enterprise’s operational DNA. Building such an enterprise without compromising data-driven innovation requires a clear understanding of various possibilities, such as the use of privacy-enhancing technologies, fully-visible data flows, centralized controls and streamlined consent management.

Globally, corporate boards should go beyond regulatory compliance to integrate data privacy with their business strategy, helping everyone imbibe the principles and ethos of privacy in day-to-day operations.
