The views and opinions expressed in this article are those of the thought leader and not those of CeFPro.
By Joshua Kotok, Chief Risk & Compliance Officer, First Savings
What advice would you give when developing an evolving privacy program?
I would give similar advice for the establishment of any major program, whether it is risk, compliance or privacy. When starting out with any endeavour, the first key step is to ensure that there is buy-in at all levels of the organization. Fortunately, many of us in financial services organizations are highly regulated. This regulation will help the cause, but the establishment of a privacy program cannot be a “check the box” exercise. According to a 2019 study by Pew Research, 81% of US adults feel that they have little control over the data collected about them by the companies that they do business with. In addition, approximately 8 in 10 Americans agree to a privacy policy at least once a month, with some saying almost daily. I would challenge any executive to think about the impact to consumers, based on these two metrics alone. Framing the impact of privacy to a company’s customers, vendors and business partners can help quantify the importance of an effective program. Lastly, I would challenge companies to define how their privacy goals align to the achievement of long-term business goals and strategies.
The second step would be to establish a fungible privacy framework that could be achieved in phases. The framework should determine how information is collected, transferred, stored and used in the context of the company’s business processes. The goal should be to bake the efforts into current business-as-usual activities. As an example, a company could decide to inventory key data collection as part of its risk and control self-assessment process. This extra activity will ensure first-line employees are thinking about data, the privacy of said data and where in the organization the data is being utilized. Another key step in the establishment of a privacy framework is to involve your regulators early and often. As a former regulator, I can tell you from experience that a company that seeks input early fares better in the long run than those that do not seek feedback.
How can working across multiple jurisdictions cause challenges?
Companies working in multiple states or countries can face challenges proportional to the regulations established in those areas. The challenges increase the complexity, because a single business process in two countries will require more controls, oversight and reporting than a single-jurisdiction operation. In addition, it could be possible that specific products or business activities are permitted in one jurisdiction but prohibited in another. Any company should expect significant oversight and reporting requirements when working across multiple jurisdictions. For example, US companies working in Europe may be subject to different discovery requirements when providing disclosure of documentation generated between borders. Data breach notification thresholds vary by jurisdiction, and acceptable risk limits may differ widely from one state or country to another, from as little as 72 hours to 90 days in some countries and/or states.
How can risk managers stay ahead of a rapidly changing environment?
I do not believe there is any single answer or source that a risk manager can utilize to stay ahead of a rapidly changing environment. A risk manager should plan to map the activities they oversee to the jurisdictions and the regulators that oversee those activities. They should engage frequently with subject matter experts and industry associations covering those areas. For their own development, they should obtain industry certifications in that area. Those certifications will force them to stay current due to the CPE requirements of each designation. In the context of privacy, there are multiple industry associations and professional certifications that a risk manager can associate themselves with. I have also found that engaging and participating with organizations such as CeFPro helps me to stay current because it allows me to interact with my peers and share knowledge in areas where I may be deficient. Building networks at CeFPro events provides invaluable contacts that risk managers can access when faced with a new challenge.
Why is it important to review the relationship between data portability and privacy?
Data portability and privacy are symbiotic; one cannot exist without the other. When a user desires to cease a business relationship with a company, they have limited control over their personal information in many jurisdictions. With the advent of the California Consumer Privacy Act and GDPR, this has improved, but it has not been enacted on a wide enough scale in the US. A company implementing a privacy program should ensure that the data that is being created, stored and utilized in its business operations has a documented path towards removing and porting that data. Not all data can be removed, as there are retention requirements in many jurisdictions that must be met. This retention requirement can be a source of contention for some users, and companies must make the effort to clearly and plainly communicate this issue to their users.
In 2018, the major technology players (Apple, Facebook, Google, Microsoft and Twitter) established the Data Transfer Project, designed to enhance user control of their private information and to facilitate the movement of data between service providers. While this project on its face sounds promising, I personally do not believe it will have an impact without meaningful nationwide legislation and regulation. Just last year, the FTC’s proposed rule in the Federal Register to bolster GLBA privacy regulations (Safeguarding Consumer Information) went quiet after industry pushback. In the meantime, risk managers can make a difference and use portability and privacy as a strategic advantage for their customers. According to the recently released survey from Transcend, 93% of US customers said they would switch to a company that prioritizes data privacy. An astonishing 91% said they would prefer to buy from companies that always guarantee them access to their information.
How do you foresee data privacy procedures developing over the coming twelve months?
I do not see data privacy procedures developing significantly over the next twelve months. As stated earlier, I do not see movement in this area without significant legislation. With a global pandemic and a US presidential election looming, this will get pushed to the back burner for some time.