Is your firm seeing the big picture? - Elena Belov Allen Meyer Paul Mee Rico Brandenburg Edward Harding - Oliver Wyman


Elena Belov
Allen Meyer
Paul Mee
Rico Brandenburg
Edward Harding
Privacy First: Is Your Firm Seeing The Big Picture?

THE NEED FOR A HOLISTIC PRIVACY PROGRAM

                                        In this fast-paced digital age, businesses have the capacity to collect a tremendous
                                        amount of personal information to support their strategies. The protection and use
                                        of customer information is becoming a significant concern for financial institutions.
                                        Seen by customers as the trusted custodian of their data, institutions must make the
                                        safeguarding of this information a cornerstone of their mission.

                                        Neglecting this responsibility poses a significant risk with increasing regulatory, legal
                                        and ultimately reputational impact. The industry needs to be both proactive and
                                        preemptive in understanding how information is being used, storing only as much as
                                        strictly necessary, and keeping data safe from loss and theft. Making sure the firm’s
                                        privacy program is robust needs to be at the top of executives’ agendas as they think
                                        about risk management.

                                        In 2019, Oliver Wyman published the paper “Data Privacy: Growing Expectations (And Risk)
                                        For Financial Institutions,” which included five no-regrets steps that organizations can
                                        take to get ahead on data privacy risk management. Those recommendations focused
                                        on understanding how privacy considerations impact organizations and getting started
                                        in responding to the risk.

                                        The next frontier in this conversation is about operationalizing the privacy risk
                                        management program successfully. Many organizations are struggling to put
                                        holistic programs in place that comprehensively address privacy concerns across
                                        all the key functions of the business. Along with the business lines, teams such as
                                        data governance, information security, cyber risk management and third-party risk
                                        management need to coordinate their actions and responses.

© Oliver Wyman                                                                                                                      1

When embedding and operationalizing a comprehensive data privacy program, businesses face four key challenges:

                                        • A large number of employees (and vendors) are interacting with sensitive
                                            information on a daily basis, making central management challenging.
                                        • Many business decisions have privacy ramifications, which need to be
                                            anticipated.
                                        • Devolving responsibility to various teams and departments often results in the
                                            uneven application of standards.
                                        • Regulators have raised the bar in terms of the sophistication of the privacy
                                            program they expect.

                                        Our paper outlines a clear strategy to operationalize the privacy program and shows
                                        ways to address these challenges. We recommend that financial institutions embark
                                        on a journey to:

                                        • Strengthen accountability: Gain a clear view on accountability and responsibility
                                            for privacy activities across the information lifecycle, in order to better understand
                                            and monitor what is being done.
                                        • Focus on key teams: Identify the key functions that have a significant influence on
                                            privacy management and integrate their activities into the privacy program.
                                        • Embed privacy into the business: It is important that the plans laid out and
                                            accountabilities identified on paper can be executed and turned into reality.

                                        In our view, senior executives and privacy leaders need to act now to make their
                                        programs more holistic. We recommend that financial institutions clearly define
                                        Privacy’s role and appropriately empower the team to drive and execute the holistic
                                        program. They also need to ensure that existing privacy controls are effective. Finally,
                                        institutions need to understand that this is not a “one and done” exercise—the
                                        program needs to be regularly reassessed to ensure it remains fit for purpose.


DATA PRIVACY – TODAY’S CHALLENGES

Today, approaches to data privacy management are often fragmented, with activities taking place in silos. This is because firms have reacted tactically, not strategically, to specific requirements placed upon them. They have set up central privacy teams in response to specific legislation or regulatory standards, to perform a distinct but not exhaustive set of tasks related to privacy risk management. For example, the privacy team will draft and own the privacy policy (most organizations now have, or are developing, a privacy policy). They will also run privacy-related processes (such as completing data breach incident reports, sending out customer notifications, and deleting collected data in line with their policies).

                                        However, firms have not systematically examined the implications of evolving privacy
                                        standards for the entire organization. Inevitably, integrating privacy concerns into
                                        business-as-usual requires buy-in and actions to be taken by teams across the
                                        organization—not just a central team. And the extent to which other teams, whether
                                        business lines or other functions, incorporate privacy considerations into their
                                        processes is often limited. Some teams may not even be aware of the organization’s
                                        privacy policies. Approaches to managing privacy risk during business as usual are
                                        therefore often inconsistent and uneven.


                          FOUR KEY CHALLENGES
                          Managing privacy as business-as-usual is challenging for several reasons:

A large number of employees (and vendors) interact with sensitive information every day. Ensuring that it is used safely and conscientiously means that the employees who touch the data need to understand the policies and have privacy concerns embedded in their processes. For example, when an employee asks another for a customer data set in order to perform analysis, both need to understand their privacy obligations in the decision to share the data (or not), how to share it, and where or when this needs to be recorded. The burden of privacy risk management cannot be borne by a compliance team alone.

                                        Many decisions have privacy ramifications. For example, launching a new business
                                        line involves creating new customer data sets that need to be permissioned.
                                        Combining existing data sets to gain additional insights into the customer must be
                                        reviewed through a privacy lens. Without a unified approach it is not clear who needs
                                        a seat at the table in ensuring that privacy considerations are included and that
                                        appropriate actions are taken to manage any risk. Beyond a privacy representative,
                                        stakeholders from teams such as information security, data governance, third-party
risk management, and others may need to be involved. The risk is that those driving the decisions forward do not incorporate privacy, and would not know whom to include even if they did.

Devolving responsibility to various teams and departments often results in an uneven application of standards. This is inefficient, as each team devises its own approach (or none at all). An example might be teams independently interpreting what a “reasonable” use of data is. It also means that learnings and best practices are not absorbed and integrated firmwide.

Regulators have raised the bar in terms of the sophistication of the privacy program they expect. Standards are likely to rise further, and a piecemeal approach to privacy management will be regarded as inadequate. In addition to regulatory scrutiny, there is also the potential for private litigation relating to violations of newly passed laws.


EMBEDDING DATA PRIVACY INTO THE BUSINESS

                                        These concerns raise the fundamental question of how organizations can more
                                        holistically embed data privacy risk considerations into their activities, including:

                                        • In which situations (processes, decisions) is a privacy concern relevant?
                                        • Who is responsible, who needs to be involved, and what mechanisms should
                                            be in place to help coordinate teams?
                                        • How should privacy be embedded into the business?

EFFECTIVE STRATEGIES FOR SUCCESS
In our experience, three strategies have proven successful.

                                        1. STRENGTHEN ACCOUNTABILITY
                                        The first challenge is simply recognizing when privacy is an issue during day-to-day
                                        activities and what needs to be done in those situations.

This is the foundational building block for developing a unified approach to privacy, one that ensures both that the privacy dimension is recognized and that the relevant parties are involved.

                                        Oliver Wyman uses the data management life cycle to map relevant activities and
                                        gain an understanding of where privacy is relevant. Precise activities will differ across
                                        organizations, but some examples are included below.


Exhibit 1. Data Management Life Cycle (with illustrative activities)

Creation, collection, and consent
• Privacy Impact Assessments (PIA)
• Consent collection
• Data collection and storage

Use, sharing, and disclosure
• Data access requests (internal)
• Privacy notices

Customer control
• Information requests

Retention and deletion
• Deletion requests
• “End of use” deletions

Breach and complaint handling
• Response coordination
• Breach disclosure
• Complaint handling

Source: Oliver Wyman Analysis

Once activities are identified, the involved stakeholders need to be defined. These are the parties that will be responsible and accountable for different aspects of the process, as well as those that need to be consulted and informed of decisions made and activities taking place. These responsibilities will be diverse. To illustrate, here are two examples.

Under “Breach and Complaint Handling,” breach response coordination is a key process. It contains many sub-steps, each requiring a different level of input from many different stakeholders.

                                        • The Privacy team must coordinate the response playbook and quarterback
                                            the response.
                                        • The Controls team needs to define and set criteria for the scenarios under which
                                            a privacy breach can be identified and alert the Privacy team (and other identified
                                            stakeholders) when such a breach is identified.
                                        • Information Security must prepare plans for how they will quickly investigate and
                                            remediate the source of any breach.
                                        • The Corporate Communications team must prepare a statement for the
                                            press/market on what has occurred.
                                        • The Chief Privacy Officer must coordinate membership for an “executive war room,”
                                            so that senior decision-makers can be apprised of the situation and make decisions
                                            as needed at the time.

                                        To take another example, under “Use, Sharing, and Disclosure,” the organization
                                        needs to issue privacy notices to customers regarding the information deployed.
                                        However, this simple requirement necessitates involvement from numerous groups.

                                        • The Business Unit must articulate how the data is being used, which will be
                                            disclosed in the notice.
• The Chief Information Security Officer (CISO) needs to confirm that the content of the privacy notice is factually accurate.


                                        • Data teams need to ensure that commitments to delete data are actually carried
                                            out, and as needed, modify their procedures to ensure that they are able to carry
                                            out the activities that are being committed to in the privacy notice.
• Marketing needs to ensure that the privacy notice is in the correct tone and voice of the bank.

                                        Across the data lifecycle, substantial thinking needs to go into whose input is needed
                                        for each step of a given process to bring about a desired end result (in this case, that a
                                        privacy notice can be issued and that the information in it be correct).

Once responsibilities are clearly defined, different teams can be held accountable for meeting their privacy-related obligations.

                                        2. FOCUS ON KEY TEAMS
                                        Identify key functions that have a significant influence on privacy management and
                                        integrate their activities into the privacy program.

                                        A data lifecycle view is important for understanding how and when teams that are
                                        collecting and using data are impacted by privacy policies, and to ensure they are
                                        responding to requirements in a similar way. However, beyond the standard use cases
                                        that are reflected in the data lifecycle, some teams have more specialized activities
                                        and areas of responsibility that are impacted by privacy considerations. The three key
                                        functions that intersect with privacy are data governance, information security, and
                                        third-party risk management.

                                        • Data Governance is responsible for ensuring the consistency and integrity of
                                            privacy-related data and maintaining the data inventory. They need to ensure
                                            alignment with Data Privacy around key definitions such as data classification,
                                            definition of personal information, data use rights and the structure of a data
                                            inventory.
• Information Security (InfoSec) is responsible for ensuring adequate levels of protection for privacy-related data, which requires knowing where affected data is and what level of privacy criticality applies, so that the adequacy of protection can be assessed. InfoSec should align its risk assessment definitions and scales with Privacy, ensure that security is adequate for all privacy-relevant media (including biometrics and voice recordings), know where personal information (PI) is stored and have processes to scan for and identify PI, and report on the adequacy of security.
                                        • Third-Party Risk Management needs to ensure that Privacy concerns are
                                            integrated into the vendor selection processes, that the contracts include relevant
                                            language around privacy, that privacy incidents are monitored so that relationships
                                            can be reassessed where necessary, and that data is appropriately anonymized
                                            where necessary before being handed over to vendors.
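The InfoSec and third-party bullets above call for processes that find where personal information (PI) is stored and that anonymize or strip it before data is handed to a vendor. The following is an added example, not code from Oliver Wyman or from any institution the paper describes. It scans constructed sample records for a few direct identifiers, builds a field-level PI inventory (the "where is PI stored" view InfoSec needs), and produces a vendor-safe copy in which email addresses become keyed HMAC tokens (stable, so the vendor can still link records, but not reversible without the key) while SSNs and card numbers are redacted. The detector patterns, field names and export key are illustrative assumptions.

```python
import hashlib
import hmac
import re

# Detectors for a few direct identifiers. Illustrative patterns only: a real
# scanner adds locale-specific formats (national IDs, IBANs, addresses).
PI_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Identifier types that must never leave the firm, even in tokenized form.
NEVER_EXPORT = {"us_ssn", "card"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; cuts false positives on card numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (pi_type, matched_text) pairs found in a string."""
    found = []
    for kind, pattern in PI_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            found.append((kind, value))
    return found


def pi_inventory(records: list) -> dict:
    """Map each field name to the set of PI types observed in it across a data set."""
    inventory = {}
    for record in records:
        for field, value in record.items():
            for kind, _ in scan_text(str(value)):
                inventory.setdefault(field, set()).add(kind)
    return inventory


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Build a vendor-safe copy of one record.

    Fields with no detected PI pass through unchanged. Fields holding
    identifiers that must never be exported are redacted. Other identifiers
    are replaced by a keyed HMAC token; the key stays inside the firm.
    """
    out = {}
    for field, value in record.items():
        kinds = {kind for kind, _ in scan_text(str(value))}
        if not kinds:
            out[field] = value
        elif kinds & NEVER_EXPORT:
            out[field] = "[REDACTED]"
        else:
            normalized = str(value).strip().lower().encode()
            digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
            out[field] = "tok_" + digest[:16]
    return out


# Constructed sample data; the key is a placeholder, not a real secret.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "Jane.Doe@example.com",
     "ssn": "123-45-6789", "card": "4111 1111 1111 1111", "balance": 1200.50},
    {"customer_id": "C-1002", "email": "sam@example.org",
     "ssn": "", "card": "", "balance": 75.00},
]
EXPORT_KEY = b"hypothetical-export-key-rotate-me"


if __name__ == "__main__":
    for field, kinds in sorted(pi_inventory(SAMPLE_RECORDS).items()):
        print(f"{field}: {sorted(kinds)}")
    for rec in SAMPLE_RECORDS:
        print(pseudonymize_record(rec, EXPORT_KEY))
```

Tokenizing with a keyed HMAC rather than a plain hash matters: an unkeyed hash of an email address is trivially reversed by hashing a list of known addresses, so the vendor would effectively still receive the identifier.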

                                        In these instances, close coordination between Privacy and each of these functions is
                                        required to ensure alignment of different elements of the privacy program.


Exhibit 2. Three key functions that intersect with data privacy

Data Privacy sits at the center, overlapping with each of:
• Third Party Risk Management
• Information Security
• Data Governance

Source: Oliver Wyman Analysis

                                        3. EMBED PRIVACY INTO THE BUSINESS
                                        It is important that the plans laid out and accountabilities identified on paper can be
                                        executed and turned into reality.

                                        Privacy considerations will have an impact on what businesses can do, and how
                                        they do these things. This means that rank-and-file employees need to internalize
                                        responsibilities and adopt a privacy mindset.

                                        Organizations will have different methods for driving such programs successfully, but
                                        some methods that can be employed include:

                                        • Make data privacy a key consideration in the data and product strategy of the
                                            institution. All technology implementations should incorporate privacy impact
                                            assessments, and integrate privacy into product design specifications and the
                                            approval processes for new products, initiatives, and applications. Incorporating
                                            Privacy by Design principles early on in product, process, and technology design
                                            (for example, product systems are designed to rely on data collected and stored
                                            by other product systems to minimize the amount of data stored) can have a
                                            significant risk mitigation impact.
                                        • Define privacy principles. Provide clarity to the business around the organization’s
                                            data privacy philosophy and what practices are acceptable vs. not acceptable. High
                                            level privacy principles need to be fleshed out so that understandings are aligned.
                                            For example, if an institution has “minimization of data retention” as a principle, all
                                            stakeholders need to be clear on what a reasonable and unreasonable situation in
                                            which to retain data is (and the business should know who to contact if they have
                                            any doubts). There should also be a recurring protocol for identifying data that has
                                            been retained in breach of policy, so that it can be erased.


                                        • Integrate privacy into technology review boards. Ensure that assessments of
                                            technology adequacy include privacy considerations as part of the assessment
                                            rubric, in order to see future technology evaluations and decisions through a
                                            privacy lens.
                                        • Make privacy an executive risk topic. Make sure that agendas for executive and
                                            board risk committees consider privacy as a specific agenda item. This will elevate
                                            the topic and ensure that it is front of mind for the organization, as well as ensuring
                                            executive oversight and sponsorship of related initiatives.
• Establish a data protection office or forum that focuses on privacy and security. This group should be the connective tissue with Information Security and ensure not only that data is secure from external threats, but also that procedures and technology are implemented in ways that respect the organization’s privacy policies.
                                        • Institute privacy champions within the line of business. These individuals will
                                            be responsible for understanding how the privacy policy impacts different parts
                                            of the business’s practices and ensure correct protocols are followed. They will be
                                            the connective tissue between the business and the Privacy team that can act as
                                            an informal contact point for employees to involve the privacy function in a given
                                            question or issue.
• Develop appropriate forums and committees. Where the privacy concerns within a process have been identified, the organization also needs to set up appropriate governance to enable decisions around data use rights and compliance. This can involve expanding the mandates and memberships of existing committees (such as those approving new business initiatives) to explicitly consider privacy concerns, or, where warranted, setting up new forums in which privacy issues are reviewed and addressed.

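The “minimization of data retention” principle above asks for a recurring protocol that finds data retained in breach of policy so that it can be erased. The following is an added illustration, not code from the paper: it runs a retention sweep over a constructed data inventory using a hypothetical retention schedule per data class, and sorts records into those to keep, those to erase, those frozen by a legal hold, and those whose class is unknown and therefore need a decision from the privacy function rather than silent retention. The data classes, retention periods and record fields are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule in days per data class. Hypothetical values: the real
# schedule comes from the firm's policy and applicable law.
RETENTION_DAYS = {
    "marketing_consented": 365,
    "transaction_record": 7 * 365,
    "support_ticket": 2 * 365,
}


@dataclass
class Record:
    record_id: str
    data_class: str
    last_business_use: date
    legal_hold: bool = False
    consent_withdrawn: bool = False


def retention_status(rec: Record, today: date) -> str:
    """Classify one record as 'hold', 'unclassified', 'erase' or 'retain'."""
    if rec.legal_hold:
        return "hold"            # a litigation hold overrides the schedule
    if rec.data_class not in RETENTION_DAYS:
        return "unclassified"    # no policy applies: escalate, do not assume
    if rec.consent_withdrawn and rec.data_class == "marketing_consented":
        return "erase"           # consent-based data goes when consent goes
    deadline = rec.last_business_use + timedelta(days=RETENTION_DAYS[rec.data_class])
    return "erase" if today > deadline else "retain"


def retention_sweep(records: list, today: date) -> dict:
    """Bucket record IDs by status; the 'erase' list is the deletion work order
    handed to the data teams, 'unclassified' goes to the privacy function."""
    buckets = {"retain": [], "erase": [], "hold": [], "unclassified": []}
    for rec in records:
        buckets[retention_status(rec, today)].append(rec.record_id)
    return buckets


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Record("R1", "marketing_consented", date(2022, 6, 1)),
    Record("R2", "transaction_record", date(2020, 3, 10)),
    Record("R3", "support_ticket", date(2021, 1, 1), legal_hold=True),
    Record("R4", "marketing_consented", date(2023, 12, 1), consent_withdrawn=True),
    Record("R5", "legacy_dump", date(2019, 5, 5)),
]


if __name__ == "__main__":
    for status, ids in retention_sweep(SAMPLE_INVENTORY, date(2024, 1, 15)).items():
        print(f"{status}: {ids}")
```

Two design points a practitioner would want: records with no recognised data class are surfaced rather than retained by default, since silent retention is exactly the breach the sweep exists to catch, and a legal hold is checked before anything else so that a scheduled deletion can never destroy evidence.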


SUCCESS FACTORS FOR TOUGHENING UP YOUR DATA PRIVACY PROGRAM

To successfully achieve the kind of model described above, certain concrete actions are needed.

                                        CLEARLY DEFINE PRIVACY’S ROLE
                                        The Privacy team is directly responsible for various aspects of compliance (for example,
                                        sending privacy notices). It also needs to oversee what others are doing and drive
                                        alignment across the business. The key to this is managing expectations between
                                        Privacy and the different teams and ensuring a consistency of practice across teams.
                                        To start on this journey, Privacy needs to engage with other teams. Open conversations
                                        are needed for parties to think through where privacy is an issue and how to manage
                                        privacy in an agreed-upon manner. This dialogue can help to ensure the alignment of
                                        understanding and consistency of practices across groups. Several institutions have
                                        succeeded at accomplishing this by holding collaborative workshops between the
                                        Privacy team and functions to align on how different activities will be approached.
                                        From there, a plan of action can be devised to meet policy requirements and ensure
                                        consistency across the organization.

                                        EMPOWER PRIVACY MANAGEMENT AND OVERSIGHT
                                        Today, many Data Privacy Officers do not have sufficient authority to drive significant
                                        initiatives in the organization. To be effective, this needs to change. Senior
                                        stakeholders need to empower Privacy—and provide their own support—to ensure
                                        that business units and other teams can take ownership. This is essential to making
                                        changes, providing resources, and overcoming inertia. An organization’s approach to
                                        data privacy needs to be supported by executives and needs to support (or at least not
                                        contradict) its business strategy, business model and customer proposition.


                                        TEST YOUR PRIVACY SAFEGUARDS
                                        To understand whether the Privacy program is effective, the organization needs to test
                                        its existing controls. Their effectiveness should be measurable at a department level to
                                        understand where in the organization privacy obligations are at risk of not being met.
                                        The organization needs to ensure that problems with existing controls are identified,
                                        escalated, and acted upon. See our previous paper, “Data Privacy: Growing Expectations
                                        (And Risk) For Financial Institutions,” for further details.

                                        FUTURE-PROOF THE PROGRAM THROUGH ONGOING TESTING,
                                        REGULAR ASSESSMENT AND CONTINUOUS IMPROVEMENT
                                        Given the evolution of thinking on privacy topics, the way that privacy is considered
                                        and thought about within an organization must also be reappraised. It cannot be a
                                        “one and done” exercise. The central privacy team needs to take responsibility and
                                        ensure that the organization is challenged on its activities, informed of any
                                        relevant changes in regulation and guidance, and has put risk mitigation plans in place
                                        where appropriate.



                                        CONCLUSION

                                        Customers expect and trust that financial institutions will keep their personal
                                        information safe and use it appropriately.

                                        Reorienting the way an organization considers privacy and embeds privacy-thinking
                                        into the business is a significant challenge. Strengthening a company’s data
                                        privacy program requires the full support from executive leadership, developing
                                        an understanding and accountability across company functions, and successfully
                                        executing the plans laid out.

                                        As a senior executive or privacy leader, you may already be considering change and
                                        it’s a daunting task. Oliver Wyman is a leading consultancy to the financial services
                                        industry and has worked with many financial institutions to strengthen their data
                                        privacy programs. Our experience includes helping institutions set up operating
                                        models for the proprietary framework described—both within privacy teams, and
                                        across the organization.

                                        Together, we will collaborate with your team to operationalize your privacy program
                                        and achieve impactful results for what has been a significant challenge for the
                                        industry—until now.

AUTHORS

Elena Belov
Partner, Financial Services and Organizational Effectiveness
elena.belov@oliverwyman.com

Allen Meyer
Partner, Finance & Risk, Americas Compliance Practice Head
allen.meyer@oliverwyman.com

Paul Mee
Partner, Financial Services and Digital, Cyber Platform Lead
paul.mee@oliverwyman.com

Rico Brandenburg
Partner, Risk & Public Policy and Digital
rico.brandenburg@oliverwyman.com

Edward Harding
Engagement Manager, Financial Services and Digital
edward.harding@oliverwyman.com

Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized
expertise in strategy, operations, risk management, and organization transformation.

For more information please contact the marketing department by email at info-FS@oliverwyman.com or
by phone at one of the following locations:

Americas                               EMEA                                   Asia Pacific
+1 212 541 8100                        +44 20 7333 8333                       +65 6510 9700

Copyright © 2020 Oliver Wyman
All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman
and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect.
The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on
for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every
effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind,
express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no
liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources
of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The
report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written
consent of Oliver Wyman.

Oliver Wyman – A Marsh & McLennan Company                                                                                www.oliverwyman.com