Ahead of the curve: Raising the bar on data privacy
Technology is central to how we live our everyday lives in the world today. From the way we shop or monitor our health, to how we keep in touch with loved ones, it has enabled us to be more connected, more productive and more informed than ever before.
Fuelling this is a reliance upon substantial amounts of personal data, which has become such a critical component within modern business that it has itself become a commodity.
This rapid change in technology and its leveraging of personal data has significantly outpaced that of data privacy regulation, meaning that individuals can no longer be sure who has personal information on them, what it is used for or how well it is protected. Companies have inevitably made mistakes with highly publicised data breaches and privacy scandals hitting the headlines this past year. This has contributed to the current ‘techlash’, whereby trust in these technology giants has been substantially eroded, causing both regulators and wider society to question the power they hold.
European regulators have been working to keep up with this rapid pace of change, most significantly with the introduction of the General Data Protection Regulation (GDPR). This aims to give EU citizens more control over their personal data, with companies on the hook for substantial fines of up to 4% of global turnover if they do not comply.
Unlike most other data regulations, GDPR has extra-territorial reach. This means that any company that does business with EU citizens must be compliant.
Many other countries including Argentina, Brazil and Canada, as well as the state of California, have recently introduced new legislation or toughened up on implementation, picking up on elements from the GDPR model.
As investors, we see this increased scrutiny of how companies handle personal data as having potentially significant consequences for the risk profile and value of our investments. Sizeable fines, erosion of brand value, tighter limits on data-driven products and increased compliance costs all have consequences for companies. Like regulators, investors are having to focus on understanding these emerging risks, how they manifest in different sectors and how to judge the efforts companies make to manage them.
As an engaged investor, we have increased our dialogue with companies on data privacy in recent years, particularly in relation to GDPR, to be able to do just that. Throughout these conversations we have seen the GDPR’s introduction acting as a catalyst for companies to review all their interactions with personal data to ensure that they are fit for purpose.
Given the substantial level of scrutiny from regulators and the scale of the fines involved, alongside increasing political and public pressure, it is no surprise that data privacy has become a boardroom issue, with most companies formalising oversight of it within their corporate governance frameworks. As investors we consider this to be an important step in mitigating the risk. At the same time, though, it remains unclear whether directors in the boardroom are sufficiently qualified to effectively oversee such an emerging and fast-moving issue.
Operationally, we have found that the vast majority of companies in data-reliant sectors have followed GDPR’s guidelines to appoint a data protection officer (DPO), who is independent of the day-to-day business but reports to the highest level of management. When properly integrated within the organisation we see this role as an effective way to reduce compliance risk, as the DPO not only maintains an ongoing relationship with regulators, but also acts as an internal advocate for high privacy standards.
Outside of the boardroom and the DPO’s remit, an underlying principle of GDPR is that companies should have a culture that prioritises privacy within their organisations. In practice this means that every employee, product and process should be geared towards maintaining high standards of data privacy. Shifting attitudes in this way can pose a challenge for companies, which need to turn a topic that has previously been seen as an operational issue into something which is ingrained into their cultural DNA.
Although it is now common for companies to require all employees to undergo mandatory training on data privacy, given the scale of the task of shaping company culture, it remains unclear how they will meet the expectations of their clients and regulators. Recent history has shown that poor cultural practices have been the catalyst for a range of value-destroying controversies, such as global banking scandals, bribery among pharmaceutical companies and recent events at Facebook, to name a few.
Given the scale of the task, as well as the relatively short time frame to meet the GDPR requirements, it is not surprising how forthright companies were in stating that they were not ‘fully compliant’ when it came into force in May 2018. The most common areas of outstanding work were contracts with third-party suppliers and adapting legacy systems to support features for which they were never designed, such as data deletion. However, given that it is already well into 2019, it is likely that the grace period from data regulators will soon come to an end. This means that companies can no longer drag their heels.
Companies seem to be taking data privacy seriously, with the introduction of GDPR being a key factor in significant investments in upgrading their processes and oversight of how they handle personal data. The variety of responses that we received also confirmed that there is no one-size-fits-all model for GDPR compliance, with company responses being crafted to reflect their business model and existing governance structures.
What is consistent across the board is that disclosure on the issue remains limited and inconsistent, making it harder to monitor preparedness and ongoing improvements. This is an area in which we will continue to push companies for improvement over the coming year.
Pressure from regulators on one side, and their customers on the other, means that data privacy is an issue that neither companies nor their investors can afford to ignore. More consistent disclosure will be critical to spread the adoption of best practice, and to allow investors to differentiate between leaders and laggards.
Daniel Jarman and David Sneyd are vice-presidents, responsible investment, at BMO Global Asset Management