Other parts of this series:
Firms are increasing their use of consumer data to drive consumer behavioral insights, market share gains and operational efficiencies. As part of this strategy, firms collect large personal data and need to manage substantive and complex privacy obligations that come with them. These obligations, and risks attendant to them, become increasingly difficult to meet with a firm’s existing Privacy Risk Monitoring capabilities. In fact, Accenture’s 2021 Global Risk Management Study found that 63% of data privacy executives say Privacy Risk Monitoring would require considerable effort to remediate over the next 12 months.
The EU General Data Protection Regulation (GDPR) and the U.S. California Consumer Privacy Act (CCPA) introduced stringent requirements on the processing of personal information. New regulations such as the California Privacy Rights Act, China’s Personal Information Protection, Virginia’s Consumer Data Protection Act, Colorado Privacy Act, and China’s Personal Information Protection Law, and upcoming US State regulation such as the Utah Consumer Privacy Act have added to the complexity and compliance efforts given their disparate requirements. These evolving regulations coupled with the rise of high-profile data breach incidents have strengthened the mandate on ethical and compliant data processing, hence the need for Privacy Risk Monitoring.
Privacy regulatory requirements are constantly evolving, putting the onus on firms to monitor for regulatory changes, assess their applicability and impact to business operation and control environment. Understanding the full extent of the legal and regulatory impacts becomes even more difficult for larger firms with diversified business and product lines and those with a multinational footprint.
As a result, firms continue to invest on capabilities to meet regulatory requirements and manage privacy risks. Accenture’s 2021 Global Risk Management Study noted that 80% of data privacy executives expect their organization’s investment in privacy will increase by less than 20% over the next 12 months. The illustration below shows how firms are embarking on a journey beyond baseline compliance towards a more sustainable program that responds not only to evolving privacy regulations but also more importantly to consumer privacy expectations. Typically, firms go through a three-staged journey, from establishing a baseline compliance posture that is focused on meeting “Day 1” requirements, setting up capabilities for efficient and sustainable program, and up to a stage where the privacy function is optimized leveraging organizational synergy in support of competitive differentiation.
In summary, as regulators broaden their privacy enforcement reach and increasing privacy demands from customers, it is imperative that firms improve their approach to Privacy Risk Monitoring as part of their privacy compliance journey.
In our next blog, we will dive into the key components of Privacy Risk Monitoring and share insights how to operationalize the components, including consideration for enabling processes and technologies.