The role of the privacy committee
The European Union was the first political and economic union out of the gate with a data privacy law and as a result, many boards are now considering how the role of the privacy committee fits within their board structure. The General Data Protection Regulation (GDPR) was designed to enforce the privacy and protection of the country's data. While there is no such law in the United States yet, public and private companies should strive to set up policies, procedures and systems to protect data before the government follows the precedent of the European Union.
Companies will need to have a solid understanding of risk and the law before they take on this task. Boards will need lots of information and support from senior management, as well as the proper tools with which to monitor and enforce their policies. The two main areas that companies will need to focus on are security and privacy.
Considerations on the Role of the Privacy Committee
In developing a privacy committee, board members should take care when choosing who should serve on the committee. A member of the leadership team should assign a capable committee chair or co-chair. While the committee needs several security professionals on it, the group needs to consist of more than just security professionals. It should include representatives from various other departments and sectors of the business, such as legal, compliance, M&A teams and other departments, because they'll have valuable insights about data privacy within their area of expertise.
Boards should ensure that committee members have the authority and expertise to make decisions about data privacy and their area of responsibility. Committee members should be selected based on their ability to bring the proper knowledge of how to protect data within their area. Boards should emphasize that great thought went into selecting members for this committee and that it's important for each of them to attend every meeting and not send a replacement.
Each committee member's involvement is necessary for their work to be useful. Besides bringing knowledge of their area of expertise and their thoughts about how to protect data, committee members should be chosen for their motivation and dedication to protecting the security and privacy of the organization's data.
Setting the Tone for a Privacy Committee Meeting
The committee should be aware of their role and set goals accordingly. The main role of the privacy committee should be to make strategic recommendations about data security across the company. This is not an operational group that implements plans.
The chair or co-chairs should stimulate discussion within each business group. All members should be involved in discussions about how each area of the business should handle data protection. Discussions will need to include the committee's understanding of the current threat landscape and what actions the company has already taken to protect data, if any. Committee members should also consider that there may be gaps in the vision for the plans they anticipate putting into place for their data privacy planning.
Once the committee is on the same page with respect to how they plan to approach data privacy protection planning, they can spend the rest of their meetings finalizing standards and deliverables. This work will be important to the full board's work, as it will have a grand impact on how the company functions and operates in the future. Budgeting will come into the discussion at some point. There are many changes that companies can make right away that will impact the budget very little or not at all.
It's vital that privacy committees prepare an agenda before their meeting. Setting up deliverables for each meeting is a good way to track the committee's progress. Committee members should bring metrics of the deliverables to each meeting to demonstrate their accountability and should be prepared to discuss them intelligently and to answer questions from the other members of the committee.
Where Does the United States Stand in Relation to Data Privacy?
Now that we've reached the one-year anniversary of GDPR and the California Consumer Privacy Act is slated to take effect in 2020, Congress is stepping up talks about how to craft a fair and responsible federal data privacy law. With California stepping out with their own law, the federal government is talking about how such a law would be implemented under state and federal laws.
In past years, industry lobbyists have fought against any kind of federal law. Now, they're in favor of Congress passing some kind of legislation. Congress had back-to-back privacy hearings on the data privacy issues late in February 2019. The Senate is making more progress on the issue of preempting state laws than the House. There continues to be much debate going with Democrats in both chambers pressing to move the issue forward.
Congress has a long way to go in wrestling with questions about what should be included in a comprehensive federal privacy law. They have many opinions on how those inclusions should be written into law even before tackling the preemption issue.
Currently, the US already has numerous federal privacy laws like the Electronic Communications Privacy Act and the Cable Communications Privacy Act that don't preempt state laws. Congressional debates include issues like whether certain technology industries, advertising industries and telecommunications industries should preempt state data privacy laws.
Another point of discussion pertains to requirements for adequate consumer notice and choice at the point where companies are collecting data. Congress is also concerned about giving consumers control over their data and still exposing them to data misuse that would harm their reputations or fail to protect marginalized communities.
To date, a few top issues are being discussed, such as:
- Deletion rights
- Giving the Federal Trade Commission (FTC) more staffing and resources
- Rulemaking authority
- Authority to issue civil penalties on first-time privacy offenders
While Congress is in a crunch to draft legislation before the California Consumer Privacy Act goes into effect, the goal is to compose a thoughtfully crafted, comprehensive federal bill that has evaluated all sides of the issue in a meaningful way.
Now is also the time for boards to begin discussing how they can best respond to the issue and how the role of a privacy committee is part of the answer to any new state or federal laws that may be forthcoming. Diligent Boards is the modern solution for board management software where boards can discuss these issues in complete confidence.