‘Actions speak louder than words’ sums up what organisations need to be seen to be doing to protect privacy and to ensure the security of information.
Abraham Lincoln’s maxim in 1856 that ‘actions speak louder than words’ may be the best summation of what organisations will need to be seen to be doing to protect privacy and to ensure the security of information.
The New Zealand Institute of Directors’ Governance Leadership Centre recently identified data and privacy as the top two issues for directors in 2020, with reputation and trust at numbers three and four. It noted:
- The impacts of data privacy scandals and cyber-attacks
- How artificial intelligence, the internet of things, big data, data analytics, data privacy, ethics and security all fall under a board’s role in data governance
- Increased public scrutiny of organisations and individuals means trust must be earned
- Organisational culture and conduct should be, if not already, high on the board agenda.
This comes at a time when most Americans believe that at least some of their online and offline activities are being tracked and monitored by companies and the government. The Pew Research Center found in 2019 that just over 60% of US adults don’t think it is possible to go through daily life without having information about them collected by companies (62%) and by the government (63%).
Being seen to invest in data and privacy protection, and to deliver on the heightened expectations of what is now considered ‘acceptable responsibility’, has been driven by the number of cyber-attacks and privacy-related incidents.
They have also been driven by new regulation, such as the United Kingdom’s Data Protection Act 2018, which controls how personal information is used by organisations, businesses and the government. This complements the European Union's General Data Protection Regulation (GDPR) and updates the UK’s Data Protection Act 1998.
As Matt Burgess said in WIRED, “Companies covered by the GDPR are accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and relevant documents on how data is processed.”
In recent years there have been scores of massive data breaches, including leaks of millions of Yahoo, LinkedIn and Myspace account details. Under GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator unless the breach is unlikely to result in a risk to the people it is about. Such risks can include, but aren’t limited to, financial loss, confidentiality breaches and damage to reputation. The UK Information Commissioner’s Office has to be told about a breach within 72 hours of an organisation becoming aware of it, and where the breach is likely to result in a high risk to the people it affects, they also need to be told without undue delay.
This means there are now legal and ethical drivers, reporting deadlines and a greatly heightened level of transparency for customers, consumers and stakeholders.
As the Institute of Directors noted, reputation and trust will be critical governance issues for directors. This requires organisations to acknowledge risk, invest in preparing crisis management plans for data, cyber and privacy issues, and prepare to rehearse crucial roles and test draft content.
Being seen to do the right thing depends on knowing what your organisation should do, who should do it and how best to do it.