Privacy First: Is Your Firm Seeing The Big Picture?
Elena Belov, Allen Meyer, Paul Mee, Rico Brandenburg, Edward Harding
Oliver Wyman
THE NEED FOR A HOLISTIC PRIVACY PROGRAM
In this fast-paced digital age, businesses have the capacity to collect a tremendous
amount of personal information to support their strategies. The protection and use
of customer information is becoming a significant concern for financial institutions.
Seen by customers as the trusted custodian of their data, institutions must make the
safeguarding of this information a cornerstone of their mission.
Neglecting this responsibility poses a significant risk with increasing regulatory, legal
and ultimately reputational impact. The industry needs to be both proactive and
preemptive in understanding how information is being used, storing only as much as
strictly necessary, and keeping data safe from loss and theft. Making sure the firm’s
privacy program is robust needs to be at the top of executives’ agendas as they think
about risk management.
In 2019, Oliver Wyman published the paper “Data Privacy: Growing Expectations (And Risk)
For Financial Institutions,” which included five no-regrets steps that organizations can
take to get ahead on data privacy risk management. Those recommendations focused
on understanding how privacy considerations impact organizations and getting started
in responding to the risk.
The next frontier in this conversation is about operationalizing the privacy risk
management program successfully. Many organizations are struggling to put
holistic programs in place that comprehensively address privacy concerns across
all the key functions of the business. Along with the business lines, teams such as
data governance, information security, cyber risk management and third-party risk
management need to coordinate their actions and responses.
When embedding and operationalizing a comprehensive data privacy program, businesses face four key challenges:
• A large number of employees (and vendors) interact with sensitive information on a daily basis, making central management challenging.
• Many business decisions have privacy ramifications, which need to be anticipated.
• Devolving responsibility to various teams and departments often results in the uneven application of standards.
• Regulators have raised the bar in terms of the sophistication of the privacy program they expect.
Our paper outlines a clear strategy to operationalize the privacy program and shows ways to address these challenges. We recommend that financial institutions embark on a journey to:
• Strengthen accountability: Gain a clear view on accountability and responsibility for privacy activities across the information lifecycle, in order to better understand and monitor what is being done.
• Focus on key teams: Identify the key functions that have a significant influence on privacy management and integrate their activities into the privacy program.
• Embed privacy into the business: It is important that the plans laid out and accountabilities identified on paper can be executed and turned into reality.
In our view, senior executives and privacy leaders need to act now to make their
programs more holistic. We recommend that financial institutions clearly define
Privacy’s role and appropriately empower the team to drive and execute the holistic
program. They also need to ensure that existing privacy controls are effective. Finally,
institutions need to understand that this is not a “one and done” exercise—the
program needs to be regularly reassessed to ensure it remains fit for purpose.
DATA PRIVACY – TODAY’S CHALLENGES
Today, approaches to data privacy management are often fragmented, with activities taking place in silos. This is because firms have reacted tactically, not strategically, to specific requirements placed upon them. They have set up central privacy teams in response to specific legislation or regulatory standards to perform a distinct but not exhaustive set of tasks related to privacy risk management. For example, the privacy team will draft and own the privacy policy (most organizations now have, or are developing, a privacy policy). They will also run privacy-related processes (such as completing data breach incident reports, sending out customer notifications, and deleting collected data in line with their policies).
However, firms have not systematically examined the implications of evolving privacy
standards for the entire organization. Inevitably, integrating privacy concerns into
business-as-usual requires buy-in and actions to be taken by teams across the
organization—not just a central team. And the extent to which other teams, whether
business lines or other functions, incorporate privacy considerations into their
processes is often limited. Some teams may not even be aware of the organization’s
privacy policies. Approaches to managing privacy risk during business as usual are
therefore often inconsistent and uneven.
FOUR KEY CHALLENGES
Managing privacy as business-as-usual is challenging for several reasons:
A large number of employees (and vendors) interact with sensitive information on a daily basis. Ensuring that it is used safely and conscientiously means that the employees who are touching the data need to understand the policies and have privacy concerns embedded in their processes. For example, when an employee asks another for a customer data set so that they can perform analysis, they both need to understand their privacy obligations in the decision to share the data (or not), how to share it, and where or when this needs to be recorded. The burden of privacy risk management cannot be borne by a compliance team alone.
Many decisions have privacy ramifications. For example, launching a new business line involves creating new customer data sets that need to be permissioned. Combining existing data sets to gain additional insights into the customer must be reviewed through a privacy lens. Without a unified approach it is not clear who needs a seat at the table in ensuring that privacy considerations are included and that appropriate actions are taken to manage any risk. Beyond a privacy representative, stakeholders from teams such as information security, data governance, third-party risk management, and others may need to be involved. The risk is that those driving the decisions forward are not incorporating privacy, and would not know whom to include even if they were.
Devolving responsibility to various teams and departments often results in an uneven
application of standards. This is inefficient as each team comes up with their own
approaches (or may not). An example might be teams independently interpreting what
a “reasonable” use for data is. It also means that learnings and best practices are not
absorbed and integrated firmwide.
Regulators have raised the bar in terms of the sophistication of the privacy program they expect. This raising of standards is likely to continue, and a piecemeal approach to privacy management will be regarded as inadequate. In addition to regulatory scrutiny, there is also potential for private litigation relating to violations of newly passed laws.
EMBEDDING DATA PRIVACY INTO THE BUSINESS
These concerns raise the fundamental question of how organizations can more holistically embed data privacy risk considerations into their activities, including:
• In which situations (processes, decisions) is a privacy concern relevant?
• Who is responsible, who needs to be involved, and what mechanisms should be in place to help coordinate teams?
• How should privacy be embedded into the business?
EFFECTIVE STRATEGIES FOR SUCCESS
In our experience three strategies have proven successful.
1. STRENGTHEN ACCOUNTABILITY
The first challenge is simply recognizing when privacy is an issue during day-to-day
activities and what needs to be done in those situations.
This is the foundational building block for developing a unified approach to privacy
that ensures both the privacy dimension is recognized and that the relevant parties
are involved.
Oliver Wyman uses the data management life cycle to map relevant activities and
gain an understanding of where privacy is relevant. Precise activities will differ across
organizations, but some examples are included below.
Exhibit 1. Data Management Life Cycle (with illustrative activities)
Creation, collection, and consent:
• Privacy Impact Assessments (PIA)
• Consent collection
• Data collection and storage
Use, sharing, and disclosure:
• Data access requests (internal)
• Privacy notices
Customer control:
• Information requests
Retention and deletion:
• Deletion requests
• “End of use” deletions
Breach and complaint handling:
• Response coordination
• Breach disclosure
• Complaint handling
Source: Oliver Wyman Analysis
Once activities are identified, the involved stakeholders need to be defined. These are the parties that will be responsible and accountable for different aspects of the process, as well as those that need to be consulted and informed of decisions made and activities taking place. These responsibilities will be diverse. To illustrate, here are two examples.
Under “Breach and Complaint Handling,” breach response coordination is a key process. This contains many sub-steps, and each requires significant and different levels of input from many different stakeholders.
• The Privacy team must coordinate the response playbook and quarterback the response.
• The Controls team needs to define and set criteria for the scenarios under which a privacy breach can be identified, and alert the Privacy team (and other identified stakeholders) when such a breach is identified.
• Information Security must prepare plans for how they will quickly investigate and remediate the source of any breach.
• The Corporate Communications team must prepare a statement for the press/market on what has occurred.
• The Chief Privacy Officer must coordinate membership for an “executive war room,” so that senior decision-makers can be apprised of the situation and make decisions as needed at the time.
To take another example, under “Use, Sharing, and Disclosure,” the organization needs to issue privacy notices to customers regarding the information deployed. However, this simple requirement necessitates involvement from numerous groups.
• The Business Unit must articulate how the data is being used, which will be disclosed in the notice.
• The Chief Information Security Officer (CISO) needs to confirm that the content of the privacy notice is factually accurate.
• Data teams need to ensure that commitments to delete data are actually carried out and, as needed, modify their procedures to ensure that they are able to carry out the activities that are being committed to in the privacy notice.
• Marketing needs to ensure that the privacy notice is in the correct tone and voice of the bank.
Across the data lifecycle, substantial thinking needs to go into whose input is needed for each step of a given process to bring about a desired end result (in this case, that a privacy notice can be issued and that the information in it is correct).
Once responsibilities are clearly defined, different teams can be held accountable for meeting their privacy-related obligations.
2. FOCUS ON KEY TEAMS
Identify key functions that have a significant influence on privacy management and
integrate their activities into the privacy program.
A data lifecycle view is important for understanding how and when teams that are
collecting and using data are impacted by privacy policies, and to ensure they are
responding to requirements in a similar way. However, beyond the standard use cases
that are reflected in the data lifecycle, some teams have more specialized activities
and areas of responsibility that are impacted by privacy considerations. The three key
functions that intersect with privacy are data governance, information security, and
third-party risk management.
• Data Governance is responsible for ensuring the consistency and integrity of privacy-related data and maintaining the data inventory. They need to ensure alignment with Data Privacy around key definitions such as data classification, definition of personal information, data use rights and the structure of a data inventory.
• Information Security (InfoSec) is responsible for ensuring adequate levels of protection for privacy-related data, which necessitates an understanding of where affected data is, and what level of privacy criticality is applicable, so that adequacy of protection can be assessed. InfoSec should ensure that their risk assessment definitions and scales are aligned with Privacy, ensure that security is adequate for all privacy-relevant media (including things like biometrics and voice recordings), ensure they know where personal information (PI) is being stored and have processes to scan and identify PI, and report on adequacy of security.
• Third-Party Risk Management needs to ensure that Privacy concerns are integrated into the vendor selection processes, that the contracts include relevant language around privacy, that privacy incidents are monitored so that relationships can be reassessed where necessary, and that data is appropriately anonymized where necessary before being handed over to vendors.
In these instances, close coordination between Privacy and each of these functions is
required to ensure alignment of different elements of the privacy program.
Exhibit 2. Three key functions that intersect with data privacy
[Diagram: Data Privacy at the centre, overlapping with Third Party Risk Management, Information Security, and Data Governance]
Source: Oliver Wyman Analysis
3. EMBED PRIVACY INTO THE BUSINESS
It is important that the plans laid out and accountabilities identified on paper can be
executed and turned into reality.
Privacy considerations will have an impact on what businesses can do, and how
they do these things. This means that rank-and-file employees need to internalize
responsibilities and adopt a privacy mindset.
Organizations will have different methods for driving such programs successfully, but
some methods that can be employed include:
• Make data privacy a key consideration in the data and product strategy of the institution. All technology implementations should incorporate privacy impact assessments, and integrate privacy into product design specifications and the approval processes for new products, initiatives, and applications. Incorporating Privacy by Design principles early on in product, process, and technology design (for example, product systems are designed to rely on data collected and stored by other product systems to minimize the amount of data stored) can have a significant risk mitigation impact.
• Define privacy principles. Provide clarity to the business around the organization’s data privacy philosophy and what practices are acceptable vs. not acceptable. High-level privacy principles need to be fleshed out so that understandings are aligned. For example, if an institution has “minimization of data retention” as a principle, all stakeholders need to be clear on what a reasonable and unreasonable situation in which to retain data is (and the business should know who to contact if they have any doubts). There should also be a recurring protocol for identifying data that has been retained in breach of policy, so that it can be erased.
• Integrate privacy into technology review boards. Ensure that assessments of technology adequacy include privacy considerations as part of the assessment rubric, in order to see future technology evaluations and decisions through a privacy lens.
• Make privacy an executive risk topic. Make sure that agendas for executive and board risk committees consider privacy as a specific agenda item. This will elevate the topic and ensure that it is front of mind for the organization, as well as ensuring executive oversight and sponsorship of related initiatives.
• Establish a data protection office or forum that focuses on privacy and security. This group should be the connective tissue with Information Security and ensure not only that data is secure from external threats, but also that procedures and technology are implemented in ways that respect the organization’s privacy policies.
• Institute privacy champions within the line of business. These individuals will be responsible for understanding how the privacy policy impacts different parts of the business’s practices and for ensuring correct protocols are followed. They will be the connective tissue between the business and the Privacy team, and can act as an informal contact point for employees to involve the privacy function in a given question or issue.
• Develop appropriate forums and committees. Where the privacy concerns within a process have been identified, the organization also needs to set up appropriate governance to enable decisions around data use rights and compliance. This can involve expanding the mandates and memberships of existing committees (such as new business initiatives) to explicitly consider privacy concerns, or setting up, where warranted, new forums in which privacy issues are reviewed and addressed.
SUCCESS FACTORS FOR TOUGHENING UP YOUR DATA PRIVACY PROGRAM
To successfully achieve the kind of model described above, certain concrete actions are needed.
CLEARLY DEFINE PRIVACY’S ROLE
The Privacy team is directly responsible for various aspects of compliance (for example,
sending privacy notices). It also needs to oversee what others are doing and drive
alignment across the business. The key to this is managing expectations between
Privacy and the different teams and ensuring a consistency of practice across teams.
To start on this journey, Privacy needs to engage with other teams. Open conversations
are needed for parties to think through where privacy is an issue and how to manage
privacy in an agreed upon manner. This dialogue can help to ensure the alignment of
understanding and consistency of practices across groups. Several institutions have
succeeded at accomplishing this by holding collaborative workshops between the
Privacy team and functions to align on how different activities will be approached.
From there, a plan of action can be devised to meet policy requirements and ensure
consistency across the organization.
EMPOWER PRIVACY MANAGEMENT AND OVERSIGHT
Today, many Data Privacy Officers do not have sufficient authority to drive significant
initiatives in the organization. To be effective, this needs to change. Senior
stakeholders need to empower Privacy—and provide their own support—to ensure
that business units and other teams can take ownership. This is essential to making
changes, providing resources, and overcoming inertia. An organization’s approach to
data privacy needs to be supported by executives and needs to support (or at least not
contradict) its business strategy, business model and customer proposition.
TEST YOUR PRIVACY SAFEGUARDS
To understand whether the Privacy program is effective the organization needs to test
its existing controls. Their effectiveness should be measurable at a department level to
understand where in the organization privacy obligations are at risk of not being met.
The organization needs to ensure that problems for existing controls are identified,
escalated, and acted upon. See our previous paper, “Data Privacy: Growing Expectations
(And Risk) For Financial Institutions,” for further details.
FUTURE-PROOF THE PROGRAM THROUGH ONGOING TESTING, REGULAR ASSESSMENT AND CONTINUOUS IMPROVEMENT
Given the evolution of thinking on privacy topics, the way that privacy is considered and thought about within an organization must also be reappraised. It cannot be a “one and done” exercise. The central privacy team needs to take responsibility and ensure that the organization is challenged on its activities, is informed of any relevant regulation and guidance changes, and has put risk mitigation plans in place where appropriate.
CONCLUSION
Customers expect and trust that financial institutions will keep their personal
information safe and use it appropriately.
Reorienting the way an organization considers privacy and embeds privacy-thinking
into the business is a significant challenge. Strengthening a company’s data
privacy program requires the full support from executive leadership, developing
an understanding and accountability across company functions, and successfully
executing the plans laid out.
As a senior executive or privacy leader, you may already be considering change and
it’s a daunting task. Oliver Wyman is a leading consultancy to the financial services
industry and has worked with many financial institutions to strengthen their data
privacy programs. Our experience includes helping institutions set up operating
models for the proprietary framework described—both within privacy teams, and
across the organization.
Together, we will collaborate with your team to operationalize your privacy program
and achieve impactful results for what has been a significant challenge for the
industry—until now.
AUTHORS
Elena Belov, Partner, Financial Services and Organizational Effectiveness, elena.belov@oliverwyman.com
Allen Meyer, Partner, Finance & Risk, Americas Compliance Practice Head, allen.meyer@oliverwyman.com
Paul Mee, Partner, Financial Services and Digital, Cyber Platform Lead, paul.mee@oliverwyman.com
Rico Brandenburg, Partner, Risk & Public Policy and Digital, rico.brandenburg@oliverwyman.com
Edward Harding, Engagement Manager, Financial Services and Digital, edward.harding@oliverwyman.com
Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organization transformation.
For more information please contact the marketing department by email at info-FS@oliverwyman.com or by phone at one of the following locations:
Americas: +1 212 541 8100
EMEA: +44 20 7333 8333
Asia Pacific: +65 6510 9700
Copyright © 2020 Oliver Wyman. All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman, and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect. The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report.
Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written consent of Oliver Wyman.
Oliver Wyman – A Marsh & McLennan Company, www.oliverwyman.com