Strategy

Privacy as Competitive Advantage


Privacy and data security issues are changing from an operations headache to board-level strategy as a growing number of companies discover the competitive advantages of developing effective policies.

Although privacy and data security are often considered distinct issues, they have enough in common that a breach or improper practices in one area could lead to significant reputational or compliance challenges in the other.

"Boards are aware of the risks and talking about this issue," said Jim Cates, senior group vice president, risk management, at specialty retailer Aaron's, during a PwC webcast last week. "There is a direct connection [between privacy and data breaches], and a breach can damage a company's brand, market value and investor perceptions."

According to a PwC survey of privacy professionals, 39 percent of respondents said organizations discuss privacy at the board level annually, and 23 percent include privacy on quarterly board agendas.

In contrast, a company that can develop effective privacy policies and foster a reputation for protecting customer information can transform a potential risk into competitive advantage.

Carolyn Holcomb, data protection and privacy assurance leader at PwC, said as more companies deploy analytics technology to gain valuable insights about customer behavior, explaining to those customers how their data is collected, stored and used is critical to promoting their willingness to provide data about themselves and their interests.

"Consumers are more willing to share information if they believe it will be protected," Holcomb said. "Companies have to balance privacy with using information to promote business growth."

Carol DiBattiste, chief legal, privacy, security and administrative officer for Education Management Corp., said many organizations have to balance competing interests about the use of customer data. While business units are understandably eager to collect and data-mine as much information as possible, compliance officials often urge caution to reduce potential risks.

As this debate continues, senior management needs to make a strong business case not only for using customer information, but also for the competitive advantages of protecting it.

"A lot of companies have consumer data, but if you follow best practices in maintaining privacy and data protection, you can say 'this makes us different,'" DiBattiste said.

Walking the Privacy Walk

To help make sure a company's statements about strong privacy and data protection practices are followed, DiBattiste said companies need to develop a cross-functional security framework that includes controls and testing, as well as cooperation between the organization's compliance functions, business unit leaders, senior management and board members.

"Compliance can't do this alone," she said.

The International Organization for Standardization (ISO), the National Institute of Standards and Technology, and other organizations offer cybersecurity and privacy frameworks that provide good starting points for reviewing or enhancing existing policies and controls, DiBattiste said.

Cates recommended including business, legal, HR, compliance and financial leaders in discussions about privacy and data security.

DiBattiste said in many cases organizations can benefit from external security testing to identify potential weaknesses and improvement opportunities.

Cates also recommended companies develop incident response plans to identify communications and remediation strategies if a breach does occur. Because cyberthreats evolve consistently, it's impossible to lock down data completely, but having an effective response plan can help mitigate some of the reputation and compliance implications following a breach.