Reporting to the Board on Privacy: Practical Advice from a Chief Privacy Officer
Corporate directors and senior leaders take on a broad range of responsibilities when they join a company’s board. Privacy is increasingly becoming one of the issues board members are focusing on as part of their compliance and oversight obligations. We recently conducted a survey of over 100 privacy professionals in which 80% of respondents indicated they are reporting on privacy matters and compliance status to their boards at regular intervals, with over 40% reporting on a quarterly basis.1
Shareholders are holding their boards accountable. Just last year, a class action suit was launched against a U.S. public company and some of its officers and directors for allegedly making false and misleading statements to investors about the impact of privacy regulations and the third-party business partners’ privacy policies on the company’s revenue and earnings.2
According to the recent IAPP/EY Annual Privacy Governance Report,3 the privacy topic most frequently reported on was the status of GDPR compliance. Despite perceptions that enforcement has not been happening quickly, regulators have indicated that investigations take time and careful consideration. With an increased number of sanctions being levied throughout the summer, we expect GDPR compliance to remain high on the radar of corporate boards, and we expect that attention to extend to the United States as organizations respond to the passing of state-level privacy legislation in both California and Nevada, with numerous other states’ legislation in flight.
An Accountability Approach to Reporting to the Board
A structured, accountability-based approach to privacy management enables organizations to identify and address areas of corporate liability relating to privacy compliance. We break down accountability into three distinct categories:
- Responsibility: The organization maintains an effective privacy management program consisting of ongoing privacy management activities
- Ownership: An individual is answerable for the management and monitoring of privacy management activities
- Evidence: The privacy office can support, with documentation, the completion of privacy management activities.
Having one accountability-based privacy framework that supports the principles in the law allows organizations to be agile in providing information to boards and senior leadership, quickly and in a meaningful fashion.
Getting Started: Education, Awareness, Engagement
Andy Bloom, Chief Privacy Officer at McGraw-Hill, has been reporting on privacy compliance to his company’s board on a quarterly basis for the past four years. In a recent webinar, Ericka Watson, Lead Counsel, Global Data Privacy, asked him about his approach to reporting to the board.
“When I joined McGraw-Hill six years ago, the first relationship I worked on building was with the senior leadership team and getting them more in touch with privacy…It started as an issues-based approach,” explained Bloom. “At the time, privacy bills around student data were getting everyone’s attention. Reporting on those student data issues specifically, along with working on the legislative requirements, were the first things that got visibility onto the board.” Education around student data rights quickly became regular updates to senior management and the board on privacy issues and program status.
What to report: Key Metrics
There are four key elements privacy officers can focus on when reporting to the board:
- Compliance progress with specific laws
- Progress on the privacy program over time
- Progress on specific privacy initiatives through the business units
- Specific privacy program metrics
Because it aligns so well with laws around the world, McGraw-Hill bases its privacy program and metrics on the Nymity Privacy Management Accountability Framework. The Framework also enables the privacy office to deliver clear and consistent reports on key metrics to senior management and the board.
Bloom focuses his reporting on where progress has been made, potential risks to overall compliance, things that could impact the business (for example, impacts of the CCPA or possible federal privacy legislation), and any important changes to the privacy program.
“We meet with the Audit Committee on a quarterly basis. Our risk and compliance team have twenty minutes to discuss progress and potential issues. We don’t always talk specifically about privacy issues for the whole time, but they get a concise update. We communicate on a very consistent basis – structure, what each of those pieces mean, our status – it gives them something to connect from update to update. The Framework creates consistency.”
With privacy updates typically allotted only a few short minutes at board meetings, Bloom prepares McGraw-Hill’s update in a high-level, visual manner so that board members, at a minimum, can easily identify where the strengths and potential weaknesses are in the overall privacy program and be very clear on the areas where gaps exist. The Framework also enables the privacy office to be nimble in responding to specific ad-hoc enquiries from senior management or board members that may fall outside the standard reporting format and period.
Building the case for budget and resources
When conducting planning, risk assessment, strategy and budgeting for a given year, the Framework allows McGraw-Hill to easily identify priority areas. “We take the privacy management category, assess where we stand, allocate time for any required annual reviews, propose new things we may want to tackle to improve the program, and estimate the hours it will take. In a company of 4,500 people, our privacy office is two people. So, it’s very important to partner internally.”
McGraw-Hill conducts an annual privacy risk assessment across the organization to identify where the real risk lies – what the privacy impact is based on what the business is doing, and what the privacy risk is in a particular group. Keeping on top of regulatory developments and understanding how your business is reacting to them also surfaces what is at risk and where the needle isn’t moving.
Because management and the board are familiar with the Framework and how the privacy management categories are laid out, they can easily see the link back to the resources required to accomplish planned and proposed activities.
Building a culture of privacy
As Ericka Watson pointed out, “leveraging information that is presented to the board can drive awareness and ensure the people in the businesses who are executing on those compliance activities are engaged and understand the importance of privacy and their role in that.”
Bloom agreed, “We share the metrics as much as we can because it does drive awareness through the organization. We have some groups that have very little interaction with personal information so you don’t get as much attention versus the ones where personal information is really core to what they do. You have to create a more intimate relationship on an ongoing basis.”
For McGraw-Hill, creating and maintaining this awareness takes the form of a constant stream of communication in a variety of forms, ranging from monthly internal blog posts to sharing metrics and privacy trends. While the company has a small centralized privacy group that does the coordination, monitors the law, and works with the governance team, it also has point people across the business who engage in and implement the compliance activities directly relevant to their business unit or function.
Along with using the Framework to keep everything organized, Bloom also leverages additional tools such as Nymity Attestor to enable the business to provide evidence of compliance.
“Tools can help move things forward and provide extra assistance instead of needing to add a third person on the team,” said Bloom. “Take a methodical approach when you have a small team. You don’t need an army to do this.”
Nymity has several resources to help you build and manage your privacy program and enable you to efficiently and effectively report on compliance to your senior leadership and board.