What the Board Should Know about Information Privacy

Today, corporate and non-profit boards of directors are faced with a wide range of responsibilities and have a fiduciary duty to act in the best interests of the organization. In Canada, the statutory standard for directors is codified at section 122(1) of the Canada Business Corporations Act (CBCA) and in similar provincial laws. Directors must act honestly and in good faith with a view to the best interests of the corporation, and must “exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances.”

In light of cybersecurity and other privacy risks, boards need to consider whether the organizations they oversee have strong privacy practices in place. Privacy must be treated not only as a legal compliance issue but also as a matter of business best practice. Privacy oversight is an integral and necessary component of effective board service.

A lack of attention to privacy can have a number of adverse consequences for which directors may be held accountable. The degree of risk will vary from one organization to the next, depending on the nature of the business and the amount of personal information that is collected, used and disclosed. The potential business consequences include:

  • Damage to the organization’s reputation and brand;
  • Financial losses associated with recovering from a privacy breach, including potential lawsuits;
  • Loss of market share or a drop in stock prices following a breach that results in negative publicity; and
  • Failure or delay in the implementation of a new product or service due to privacy concerns.

Careful attention to privacy issues may not only help directors and their organizations to avoid these risks, but may also have a number of positive effects.

The Privacy Advantage

The potential benefits of implementing sound privacy policies and practices include:

  • Enhanced consumer confidence and trust;
  • A more positive organizational image and a significant edge over the competition;
  • Business development through expansion into jurisdictions requiring clear privacy standards;
  • Enhanced data quality and integrity, fostering better customer service and more strategic business decision-making; and
  • Saving time and money through a proactive approach to privacy (e.g. avoiding complaints, privacy commissioner investigations, the inefficiencies that result from poor information management practices, and the cost of retrofitting a product or service to address privacy concerns after it has been designed and implemented).

Increasingly, developing a culture of privacy is one of the key issues on which directors must focus in order to discharge their compliance and managerial oversight duties and to mitigate risk. Such a culture moves beyond legislation, regulation and policy into a strong privacy management program.

Telling your executive team to “Make us privacy compliant” is not enough. Directors must be more engaged: they should approve the company’s privacy plan and require regular reports back to the board.

Four Key Privacy To-Do Items for Boards

  1. Education is key – directors should ensure that they receive appropriate training in privacy and that there is some privacy expertise on their board.
    In addition, where it is feasible, boards should establish a committee whose terms of reference include privacy. The membership of this committee should develop a degree of expertise in privacy and should be familiar with the nature and scope of the personal information collected by the organization.
  2. Directors should ensure that at least one senior manager has been designated to be accountable for the organization’s privacy compliance.
    For organizations subject to PIPEDA, this is a statutory requirement rather than merely good practice: the Act’s accountability principle requires an organization to designate an individual who is accountable for its compliance.
    The Privacy Officer is the organization’s resident privacy expert. He or she must be given the authority to oversee the design, implementation and monitoring of, and reporting on, the organization’s privacy program.
    Directors should ensure that the person appointed to carry out the functions of the Privacy Officer maintains a degree of separation from the other senior managers of the organization. Independence will facilitate oversight of the organization’s privacy policies and practices.
  3. Directors should ensure that privacy compliance is a part of senior management performance evaluation and compensation.
    The designation of one or more individuals to oversee privacy compliance is not sufficient to ensure that privacy is being appropriately addressed throughout the organization. Before privacy policies and procedures can be effective, all senior managers have to make a commitment to privacy protection.
  4. Directors should ask senior managers to undertake periodic privacy self-assessments and privacy audits and to report to the board on these activities on a regular basis.
    A good way to ensure ongoing privacy compliance is through regular self-assessments and privacy audits. It is preferable for the audit to be conducted by someone who is independent of the organization, so that risks overlooked internally are more likely to be identified.

A sample annual report to the Board on privacy is available from PrivaTech. For other useful templates, visit our Privacy Documentation Suite.

PrivaTech has conducted numerous successful privacy training sessions for Boards of Directors. Contact us to find out more!