Making a little beer money by participating in a clinical trial is a part-time job for a large portion of college kids around the world; a Google search for “clinical trials for college students” returns 262 million results. Now, under Europe’s new General Data Protection Regulation (GDPR), those kids can request that the data from their side hustle as a human guinea pig be deleted.
Prevailing wisdom in legal and healthcare circles is that this part of GDPR, known as the “right to be forgotten,” doesn’t apply to them, however. To be sure, as written, it sets out a few exemptions that would apply to clinical trial research, such as if the data erasure request severely impairs the results of a trial or the data is needed for legal or public health purposes. As it currently stands, researchers are required to retain clinical trial data for a specified period of time, sometimes 10 years or more. But, whether determined by an actual court or a court of public opinion, do organizations really want to test the limits of this provision? Is it worth the risk, for instance, to challenge a privacy request?
It’s a question that leaders of organizations around the world are asking. Employees, consumers, politicians, investors, and other stakeholders are as well. With data breaches, identity theft, and other ways of illegally harvesting personal data an omnipresent part of digital life, privacy is transforming from a cybersecurity issue to a business one.
“People are increasingly looking at organizations through a privacy lens,” says Jamey Cummings, a senior client partner at Korn Ferry and co-leader of the firm’s Cybersecurity practice.
Organizations are taking notice. Part of the reason Apple CEO Tim Cook has been so vocal about the tech industry’s need to take privacy more seriously is to position Apple as a company people can trust. American Express’s ubiquitous commercials starring Tina Fey close by reminding consumers it is the go-to financial company for security. If security is about how organizations protect personal data, then privacy is about how it is used. Put another way, privacy is no longer a question about what is legal to do. Rather, it is about what is ethical to do—and what is ethical is being defined more and more by consumers and users.
Aileen Alexander, senior client partner and co-leader of Korn Ferry’s Cybersecurity practice, says the need for a C-suite executive that owns data privacy will become more important as organizations seek to collect and use more data in ways that haven’t been done before.
“The responsibility for privacy cannot and should not simply be added to those of the chief security officer or general counsel,” says Alexander. “It can report in to one of those functions, but privacy is becoming so complex and so intertwined with business operations that it needs to be elevated.”
A decade ago, cybersecurity was still largely considered a component of information technology. It wasn’t until around 2014 that organizations began to fully grasp the devastating effects a data breach can have on shareholder value, market share, reputation, and even long-term survival, and elevated cybersecurity to its own C-suite position.
Since then, the responsibilities of the chief security officer (CSO) or chief information security officer (CISO) have grown in proportion to the number of threats. And there are a lot of threats. In addition to overseeing network security, computer security, and in some cases physical security, the growth in connected devices has put product security under the CSO’s remit. Many cybersecurity breaches still go undetected, in part because there is simply more data for hackers to target. Consider that by some estimates more than 20 billion connected devices will be on the market by 2020. Put another way, that’s 20 billion ways for passwords, credit card numbers, consumer data, proprietary data, financial data, and more to leak, be held for ransom, or be sold on dark markets.
Eighty-two percent of leaders surveyed for the World Economic Forum’s latest Global Risks Report believe cyberattacks leading to financial theft or data fraud will increase this year, citing the “deepening integration of digital technologies into every aspect of life.”
Not unlike the flu, data breaches and other cyberattacks affect everyone. Per the chart below, from the United States government's Council of Economic Advisers 2018 report, no sector—and by extension no company—is immune.
With CSOs already stretched thin from their ever-growing responsibilities, privacy is a frontier that’s too vast and evolving for them to take on in isolation. Moreover, security and privacy aren’t always aligned from a business perspective. “Organizations have a bias for collecting data, but they also have to meet user expectations about how it is being used,” says Katherine Fithen, a managing principal consultant at Secureworks who worked on information security on the Internet when it was still a private network within the US government. Majority-owned by Dell, Secureworks, based in Atlanta, provides technology that detects and fights security breaches.
In the past, there had been waves of discontent over how organizations use personal data from users, but it was nothing like the tsunami of anger that occurred after it was revealed that Cambridge Analytica used Facebook data to create psychological profiles for political gain without users’ consent. The aftermath included hundreds of millions of dollars in lost shareholder value, a #deletefacebook campaign, testimony by CEO Mark Zuckerberg and COO Sheryl Sandberg in Congress, and the implementation of Europe’s GDPR standard across all of Facebook, not just in Europe. To many, the incident crystallized the importance of trust between organization and user in the digital age.
“There’s a lot more about privacy in the media; it has captured people’s attention because there are laws behind it,” says Fithen. “And it is prominent in the minds of executives and boards, because it is in the media and there is actual accountability for meeting those laws.”
Business and political leaders around the world are currently debating whether to adopt universal regulations that govern data privacy similar to Europe’s GDPR. Some believe there is a need for a harmonized privacy law; others do not. The US tech industry, for instance, historically has been resistant to government regulation. Some business leaders argue that universal regulations would increase costs to run, manage, and secure the right technology, as well as stifle innovation. Moreover, universal regulations would negate the value proposition between organization and user as to what data they are willing to give up in return for a service or product they need.
* * *
Many forward-thinking companies already have chief privacy officer positions, or something akin to one. Over the last year or so, in the lead-up to the passing of GDPR, business leaders and boards increasingly have been pursuing ways to define a framework and reporting relationship to create a C-suite position for privacy. Some organizations have the position report to the CSO, others to the general counsel. In other organizations, the role reports to the chief technology officer, and in at least one case this leader reports to the chief financial officer. The variety of reporting structures is a testament to both how privacy touches all areas of a business and how confused organizations are about where it belongs.
Wells Fargo’s Rich Baich draws a parallel to the early days of CSOs. Hired as Wells Fargo’s first-ever CISO in 2012—the bank realized earlier than most the importance of security—Baich initially reported to tech. After a restructuring, he then reported to risk management. Late last year, however, his position was moved back under tech. To understand how large the CISO function has grown, consider that over those six years, Baich has deployed more than 30 different security technologies, and his team has filed for more than 50 patents. He also grew his department to 3,000 employees from 550.
Baich says that security and privacy have been working much more closely in recent years. “New regulations require more collaboration with privacy,” he says.
Korn Ferry’s Cummings says the fact that organizations are recognizing that privacy needs to be a separate function within the C-suite, or one reporting directly to a member of the C-suite, is more important than where exactly it sits on the org chart. Indeed, the constantly evolving expectation of privacy means the skills and character profiles of the talent needed are also evolving. As with CSOs, privacy is no longer just a tech role.
Privacy officers have to be increasingly fluent in customer experience and product development, for instance. They need to have a global perspective and be able to distill complex tech and legal issues into business terms leaders can understand, among other traits.
In fact, given the increasingly public-facing nature of privacy both with employees and consumers, Cummings argues that privacy could also be considered a business services function.
“Privacy can enhance your market reputation and be leveraged by sales and marketing to influence revenue,” he says.