
Taking the lead on data privacy

Timely access to relevant and accurate data has fast become one of the greatest organizational advantages. Yet, there are game-ending repercussions for those who fail to protect sensitive information, or use it irresponsibly and unethically. With many data-driven tools and systems linking back to the finance function, digital privacy and effective data governance are topics that, alongside cyber security, must be on every Audit Committee's agenda.

Truly, as organizations enhance their capabilities around data collection and information management, privacy and data protection are taking priority. Whether implicit or explicit, there are rules of engagement around data management that must be upheld to foster public trust in emerging technologies that collect copious amounts of personal data. This includes compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Europe's General Data Protection Regulation (GDPR), and regulatory expectations that are constantly evolving in response to a changing threat and data risk landscape.

Rising stakes

Data security is far from a new consideration. However, several triggers in the Canadian market are bringing the issue closer to the fore. For one, massive data breaches continue to rise in magnitude and scope, as do the legal and reputational damages associated with them. In turn, regulators are holding organizations more accountable for having the right controls and compliance measures to prevent, manage, or recover from privacy violations.

Technology is also a trigger. The proliferation of high-speed telecommunications, digital devices, artificial intelligence, and advanced data analytics has given organizations more capabilities with their data; but at the same time, these technologies have raised their exposure to cyber attacks, data corruption, and internal errors. And without end-user confidence in an organization's ability to protect sensitive data, even the most promising technological initiatives stand to fail.

There are many reasons why Audit Committees need to be more mindful about data management, as well as champion digital privacy and security initiatives. In addition to helping their organizations identify and safeguard their "digital crown jewels," Audit Committees can join other departments in ensuring sufficient digital privacy controls are installed and that the roles, processes, and responsibilities around the organization's data management are clearly defined. Moreover, they can encourage internal audit functions to prepare for data privacy testing plans, promote data privacy training, and raise awareness about digital privacy threats and best practices among their C-suite colleagues. After all, taking management action on data privacy and security protects not only the integrity of an organization's finance function but also its long-term health and reputation.

The Audit Committee should not bear the responsibility of data privacy and protection by itself. Nevertheless, Audit Committee members must be diligent in ensuring new technologies and digital processes are implemented with full consideration for data privacy rules, that data management controls are continually monitored and tested, and that the organization's most precious "digital jewels" are under virtual lock and key. This approach enables every organization to be smarter with its data assets and drive valuable insights about its customers while respecting their privacy.

What should Audit Committees be asking?

  • What type of data does our organization collect? Who has access to that data, how are they using it and who is responsible for protecting it?
  • Are we transparent about our information handling practices? Is our privacy policy available and easy to understand?
  • Do we have a risk-based approach to understanding where our privacy risks live across the entire enterprise?
  • Do we have an effective data privacy program in place and a code of ethics that supports the responsible use of data?
  • Is our executive team and/or Board aligned on a commitment to privacy that is grounded in the organization's business strategy and led by a dedicated Chief Privacy Officer?
  • Are we prepared to demonstrate sound due diligence with a defensible position on our privacy risk posture and how privacy is managed throughout our enterprise?

"Several triggers in the Canadian marketplace have made data privacy and security a C-suite priority. With the risks of data thefts and breaches spreading to the finance function, Audit Committees need to make privacy, alongside cyber security, an organizational commitment."

Sylvia Kingsmill, Partner, National Leader, Digital Privacy and Information Management, KPMG in Canada
