Elena BelovAllen MeyerPaul MeeRico BrandenburgEdward Harding

Is your firm seeing the big picture?

© Oliver Wyman 1

Privacy First: Is Your Firm Seeing The Big Picture?

THE NEED FOR A HOLISTIC PRIVACY PROGRAM

In this fast-paced digital age, businesses have the capacity to collect a tremendous amount of personal information to support their strategies. The protection and use of customer information is becoming a significant concern for financial institutions. Seen by customers as the trusted custodian of their data, institutions must make the safeguarding of this information a cornerstone of their mission.

Neglecting this responsibility poses a significant risk with increasing regulatory, legal and ultimately reputational impact. The industry needs to be both proactive and preemptive in understanding how information is being used, storing only as much as strictly necessary, and keeping data safe from loss and theft. Making sure the firm’s privacy program is robust needs to be at the top of executives’ agendas as they think about risk management.

In 2019, Oliver Wyman published the paper “Data Privacy: Growing Expectations (And Risk) For Financial Institutions,” which included five no-regrets steps that organizations can take to get ahead on data privacy risk management. Those recommendations focused on understanding how privacy considerations impact organizations and getting started in responding to the risk.

The next frontier in this conversation is about operationalizing the privacy risk management program successfully. There are many enablers to a successful program. Some are technical, such as putting in place an adequate systems and data architecture to meet the program’s needs. Others are organizational—and this is the focus of this paper.

Many companies are struggling to put holistic programs in place that comprehensively address privacy concerns across all the key functions of the business. Along with the business lines, teams such as data governance, information security, cyber risk management and third-party risk management need to coordinate their actions and responses with Privacy.

Privacy First: Is Your Firm Seeing The Big Picture?

© Oliver Wyman 2

When embedding and operationalizing a comprehensive data privacy program businesses face four key challenges:

• A large number of employees (and vendors) are interacting with sensitive information on a daily basis, making central management challenging.

• Many business decisions have privacy ramifications, which need to be anticipated.

• Devolving responsibility to various teams and departments often results in the uneven application of standards.

• Regulators have raised the bar in terms of the sophistication of the privacy program they expect.

Our paper outlines a clear strategy to operationalize the privacy program and shows ways to address these challenges. We recommend that financial institutions embark on a journey to:

• Strengthen accountability: Gain a clear view on accountability and responsibility for privacy activities across the information lifecycle, in order to better understand and monitor what is being done.

• Focus on key teams: Identify the key functions that have a significant influence on privacy management and integrate their activities into the privacy program.

• Embed privacy into the business: It is important that the plans laid out and accountabilities identified on paper can be executed and turned into reality.

The degree of effort needed to implement these recommendations and achieve greater collaboration will depend on a company’s corporate structure, and the reporting lines of the various teams involved.

In our view, senior executives and privacy leaders need to act now to make their programs more holistic. We recommend that financial institutions clearly define Privacy’s role and appropriately empower the team to drive and execute the holistic program. They also need to ensure that existing privacy controls are effective. Finally, institutions need to understand that this is not a “one and done” exercise— the program needs to be regularly reassessed to ensure it remains fit for purpose.

Making sure the firm’s privacy program is robust should be at the top of executives’ agendas as they think about risk management.

© Oliver Wyman 3

Privacy First: Is Your Firm Seeing The Big Picture?

DATA PRIVACY – TODAY’S CHALLENGES

Today, approaches to data privacy management are often fragmented with activities taking place in silos. This is because firms have reacted tactically and not strategically, to specific requirements placed upon them. They have set up central privacy teams as a response to specific legislation or regulatory standards. These teams will draft and own the privacy policy (most organizations now have, or are developing a privacy policy), and will have the responsibility of providing oversight and challenge for all privacy-related activities. They will run privacy-related processes (such as completing data breach incident reports, sending out customer notifications, and deleting collected data in line with their policies).

However, firms have not systematically examined the implications of evolving privacy standards for the entire organization. Inevitably, integrating privacy concerns into business-as-usual requires buy-in and actions to be taken by teams across the organization. The extent to which other teams, whether business lines or other functions, incorporate privacy considerations into their processes is often limited, meaning the Privacy team faces a battle to improve practices. Some teams may not even be aware of the organization’s privacy policies. Approaches to managing privacy risk during business as usual are therefore often inconsistent and uneven.

Privacy First: Is Your Firm Seeing The Big Picture?

© Oliver Wyman 4

A large number of employees (and vendors) are constantly interacting with sensitive information on a daily basis. Ensuring that it is used safely and conscientiously means that the employees who are touching the data need to understand the policies and have privacy concerns embedded in their processes. For example, when an employee asks another for a customer data set so that they can perform analysis, they both need to understand their privacy obligations in the decision to share the data (or not), how to share it, and where or when this needs to be recorded. The burden of privacy risk management cannot be borne by a compliance team alone.

Many decisions have privacy ramifications. For example, launching a new business line involves creating new customer data sets that need to be permissioned. Combining existing data sets to gain additional insights into the customer must be reviewed through a privacy lens. Without a unified approach it is not clear who needs a seat at the table in ensuring that privacy considerations are included and that appropriate actions are taken to manage any risk. Beyond a privacy representative, stakeholders from teams such as information security, data governance, third-party risk management, and others may need to be involved. The risk is that those driving the decisions forward are not incorporating privacy and do not know who to include even if they were.

Devolving responsibility to various teams and departments often results in an uneven application of standards. This is inefficient as each team comes up with their own approaches (or may not). An example might be teams independently interpreting what a “reasonable” use for data is. It also means that learnings and best practices are not absorbed and integrated firmwide. The lack of capabilities such as master data management (MDM) in many firms exacerbate these issues, as teams may not even be looking at the same data sets, let alone treating them in the same way.

Regulators have raised the bar in terms of the sophistication of the privacy program they expect. This raising of standards is likely to increase and a piecemeal approach to privacy management will be regarded as inadequate. In addition to regulatory scrutiny, there is also potential for private litigation as well relating to violations of newly-passed laws.

FOUR KEY CHALLENGESManaging privacy as business-as-usual is challenging for several reasons:

© Oliver Wyman 5

Privacy First: Is Your Firm Seeing The Big Picture?

EMBEDDING DATA PRIVACY INTO THE BUSINESS

These concerns raise the fundamental question of how organizations can more holistically embed data privacy risk considerations into their activities, including:

• In which situations (processes, decisions) is a privacy concern relevant?

• Who is responsible, who needs to be involved, and what mechanisms should be in place to help coordinate teams?

• How should privacy be embedded into the business?

EFFECTIVE STRATEGIES FOR SUCCESSIn our experience three strategies have proven successful.

1. STRENGTHEN ACCOUNTABILITYThe first challenge is simply recognizing when privacy is an issue during day-to-day activities and what needs to be done in those situations.

This is the foundational building block for developing a unified approach to privacy that ensures both the privacy dimension is recognized and that the relevant parties are involved.

Oliver Wyman uses the data management life cycle to map relevant activities and gain an understanding of where privacy is relevant. Precise activities will differ across organizations, but some examples are included below.

Privacy First: Is Your Firm Seeing The Big Picture?

© Oliver Wyman 6

Exhibit 1. Data Management Life Cycle (with illustrative activities)

Creation, collection, and consent

•

• •

Privacy Impact Assessments (PIA)Consent collectionData collection and storage

Use, sharing, and disclosure

•

•

Data access requests (internal)Privacy notices

Retention and deletion

• •

Deletion requests“End of use” deletions

Breach and complaint handling

• • •

Response coordinationBreach disclosureComplaint handling

Customer control

• Information requests

Once activities are identified involved stakeholders need to be defined. These are the parties that will be responsible and accountable for different aspects of the process, as well as those that need to be consulted and informed of decisions made and activities taking place. These responsibilities will be diverse. To illustrate, here are two examples.

Under “Breach and Complaint Handling,” breach response coordination is a key process. This contains many sub-steps, and each requires significant and different levels of input from many different stakeholders.

• The Privacy team must coordinate the response playbook and quarterback the response.

• The Controls team needs to define and set criteria for the scenarios under which a privacy breach can be identified and alert the Privacy team (and other identified stakeholders) when such a breach is identified.

• Information Security must prepare plans for how they will quickly investigate and remediate the source of any breach.

• The Corporate Communications team must prepare a statement for the press/market on what has occurred.

• The Chief Privacy Officer must coordinate membership for an “executive war room,” so that senior decision-makers can be apprised of the situation and make decisions as needed at the time.

To take another example, under “Use, Sharing, and Disclosure,” the organization needs to issue privacy notices to customers regarding the information deployed. However, this simple requirement necessitates involvement from numerous groups.

• The Business Unit must articulate how the data is being used, which will be disclosed in the notice.

• The Chief Information Security Officer (CISO) needs to confirm that the content of privacy notice is factually accurate.

© Oliver Wyman 7

Privacy First: Is Your Firm Seeing The Big Picture?

• Data teams need to ensure that commitments to delete data are actually carried out, and as needed, modify their procedures to ensure that they are able to carry out the activities that are being committed to in the privacy notice.

• Marketing needs to ensure that the privacy notice factors are in the correct tone/voice of the bank.

Ultimately, the front line must be responsible for understanding and owning the risk they are taking on and bringing in the Privacy team and other stakeholder groups as needed. In these situations, the Privacy team should play a second-line role in challenging teams’ activities, and validating that teams’ obligations are being met— but the roles need to be clearly defined first, so that Privacy can have visibility into the processes and can provide effective oversight.

Across the data lifecycle, substantial thinking needs to go into whose input is needed for each step of a given process to bring about a desired end result (in this case, that a privacy notice can be issued and that the information in it be correct).

Once responsibilities are clearly defined different teams can be held accountable for meeting their privacy related obligations.

2. FOCUS ON KEY TEAMSIdentify key functions that have a significant influence on privacy management and integrate their activities into the privacy program.

A data lifecycle view is important for understanding how and when teams that are collecting and using data are impacted by privacy policies, and to ensure they are responding to requirements in a similar way. However, beyond the standard use cases that are reflected in the data lifecycle, some teams have more specialized activities and areas of responsibility that are impacted by privacy considerations. The three key functions that intersect with privacy are data governance, information security, and third-party risk management.

• Data Governance is responsible for ensuring the consistency and integrity of privacy-related data and maintaining the data inventory. They need to ensure alignment with Data Privacy around key definitions such as data classification, definition of personal information, data use rights and the structure of a data inventory.

• Information Security (InfoSec) is responsible for ensuring adequate levels of protection for privacy-related data, which necessitates an understanding of where affected data is, and what level of privacy criticality is applicable so that adequacy of protection can be assessed. InfoSec should ensure that their risk assessment definitions and scales are aligned with Privacy, ensure that security is adequate for all privacy-relevant media (including things like biometrics and voice recordings), ensure they know where personal information is being stored and have processes to scan and identify PI, and report on adequacy of security.

Privacy First: Is Your Firm Seeing The Big Picture?

© Oliver Wyman 8

• Third-Party Risk Management needs to ensure that Privacy concerns are integrated into the vendor selection processes, that the contracts include relevant language around privacy, that privacy incidents are monitored so that relationships can be reassessed where necessary, and that data is appropriately anonymized where necessary before being handed over to vendors.

In these instances, close coordination between Privacy and each of these functions is required to ensure alignment of different elements of the privacy program.

Exhibit 2. Three key functions that intersect with data privacy

Data Privacy

Data Governance

Third Party Risk Management

Information Security

3. EMBED PRIVACY INTO THE BUSINESSIt is important that the plans laid out and accountabilities identified on paper can be executed and turned into reality.

Privacy considerations will have an impact on what businesses can do, and how they do these things. This means that rank-and-file employees need to internalize responsibilities and adopt a privacy mindset.

Organizations will have different methods for driving such programs successfully, but some methods that can be employed include:

• Make data privacy a key consideration in the data and product strategy of the institution. All technology implementations should incorporate privacy impact assessments, and integrate privacy into product design specifications and the approval processes for new products, initiatives, and applications. Incorporating Privacy by Design principles early on in product, process, and technology design (for example, product systems are designed to rely on data collected and stored by other product systems to minimize the amount of data stored) can have a significant risk mitigation impact.

© Oliver Wyman 9

Privacy First: Is Your Firm Seeing The Big Picture?

• Define privacy principles. Provide clarity to the business around the organization’s data privacy philosophy and what practices are acceptable vs. not acceptable. High level privacy principles need to be fleshed out so that understandings are aligned. For example, if an institution has “minimization of data retention” as a principle, all stakeholders need to be clear on what a reasonable and unreasonable situation in which to retain data is (and the business should know who to contact if they have any doubts). There should also be a recurring protocol for identifying data that has been retained in breach of policy, so that it can be erased.

• Integrate privacy into technology review boards. Ensure that assessments of technology adequacy include privacy considerations as part of the assessment rubric, in order to see future technology evaluations and decisions through a privacy lens.

• Make privacy an executive risk topic. Make sure that agendas for executive and board risk committees consider privacy as a specific agenda item. This will elevate the topic and ensure that it is front of mind for the organization, as well as ensuring executive oversight and sponsorship of related initiatives.

• Establish a data protection office or forum that focuses on privacy and security. This group should be the connective tissue with Information Security and ensure not only that data is secure from external threats, but also that procedures and technology are implemented in ways that respect the organizations’ privacy policies.

• Institute privacy champions within the line of business. These individuals will be responsible for understanding how the privacy policy impacts different parts of the business’s practices and ensure correct protocols are followed. Depending on how teams are set up, it may make sense to combine the roles of privacy champions and data stewards. They will be the connective tissue between the business and the Privacy team that can act as an informal contact point for employees to involve the privacy function in a given question or issue.

• Develop appropriate forums and committees. Where the privacy concerns within a process have been identified, the organization also needs to set up appropriate governance to enable decisions around data use rights and compliance. This can involve expanding the mandates and memberships of existing committees (such as new business initiatives) to explicitly consider privacy concerns, or setting up where warranted new forums in which privacy issues are reviewed and addressed.

Where the privacy concerns within a process have been identified, the organization also needs to set up appropriate governance to enable decisions around data use rights and compliance.

Privacy First: Is Your Firm Seeing The Big Picture?

© Oliver Wyman 10

SUCCESS FACTORS FOR TOUGHENING UP YOUR DATA PRIVACY PROGRAM

To successfully achieve the kind of model described above certain concrete actions are needed.

CLEARLY DEFINE PRIVACY’S ROLEThe Privacy team is directly responsible for various aspects of compliance (for example, sending privacy notices). It also needs to oversee what others are doing and drive alignment across the business. The key to this is managing expectations between Privacy and the different teams and ensuring a consistency of practice across teams. To start on this journey, Privacy needs to engage with other teams. Open conversations are needed for parties to think through where privacy is an issue and how to manage privacy in an agreed upon manner. This dialogue can help to ensure the alignment of understanding and consistency of practices across groups. Several institutions have succeeded at accomplishing this by holding collaborative workshops between the Privacy team and functions to align on how different activities will be approached. From there, a plan of action can be devised to meet policy requirements and ensure consistency across the organization.

EMPOWER PRIVACY MANAGEMENT AND OVERSIGHTToday, many Data Privacy Officers do not have sufficient authority to drive significant initiatives in the organization. To be effective, this needs to change. Senior stakeholders need to empower Privacy to ensure that business units and other teams can take ownership. This is essential to making changes, providing resources, and overcoming inertia. Executive support is not only crucial to help tackle organizational issues, but in managing all challenges relating to privacy. Other key program elements—such as systems changes—often come with significant price tags that require executive champions to drive forward. An organization’s approach to data privacy needs to be supported by executives and needs to support (or at least not contradict) its business strategy, business model and customer proposition.

© Oliver Wyman 11

Privacy First: Is Your Firm Seeing The Big Picture?

An organization’s approach to data privacy needs to be supported by executives and needs to support (or at least not contradict) its business strategy, business model and customer proposition.

TEST YOUR PRIVACY SAFEGUARDSTo understand whether the Privacy program is effective the organization needs to test its existing controls. Their effectiveness should be measurable at a department level to understand where in the organization privacy obligations are at risk of not being met. The organization needs to ensure that problems for existing controls are identified, escalated, and acted upon. See our previous paper, “Data Privacy: Growing Expectations (And Risk) For Financial Institutions,” for further details.

FUTURE-PROOF THE PROGRAM THROUGH ONGOING TESTING, REGULAR ASSESSMENT AND CONTINUOUS IMPROVEMENTGiven the evolution of thinking on privacy topics, the way that privacy is considered and thought about within an organization must also be reappraised. It cannot be a “one and done” exercise. The central privacy team needs to take responsibility and ensure that the organization is challenged on its activities, communicated of any relevant regulation and guidance changes, and has put risk mitigation plans in place where appropriate.

Privacy First: Is Your Firm Seeing The Big Picture?

© Oliver Wyman 12

CONCLUSION

Customers expect and trust that financial institutions will keep their personal information safe and use it appropriately.

Reorienting the way an organization considers privacy and embeds privacy-thinking into the business is a significant challenge. Strengthening a company’s data privacy program requires the full support from executive leadership, developing an understanding and accountability across company functions, and successfully executing the plans laid out.

As a senior executive or privacy leader, you may already be considering change and it’s a daunting task. Oliver Wyman is a leading consultancy to the financial services industry and has worked with many financial institutions to strengthen their data privacy programs. Our experience includes helping institutions set up operating models for the proprietary framework described—both within privacy teams, and across the organization.

Together, we will collaborate with your team to operationalize your privacy program and achieve impactful results for what has been a significant challenge for the industry—until now.

Oliver Wyman – A Marsh & McLennan Company www.oliverwyman.com

Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organization transformation.

For more information please contact the marketing department by email at info-FS@oliverwyman.com or by phone at one of the following locations:

Americas EMEA Asia Pacific +1 212 541 8100 +44 20 7333 8333 +65 6510 9700

Copyright © 2020 Oliver Wyman

All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect.

The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written consent of Oliver Wyman.

AUTHORS

Elena BelovPartner in Financial Services, Lead for Data Privacy in North America elena.belov@oliverwyman.com

Allen MeyerPartner, Finance & Risk, Americas Compliance Practice Head allen.meyer@oliverwyman.com

Paul MeePartner, Financial Services and Digital, Cyber Platform Lead paul.mee@oliverwyman.com

Rico BrandenburgPartner, Risk & Public Policy and Digital rico.brandenburg@oliverwyman.com

Edward HardingEngagement Manager, Financial Services and Digital edward.harding@oliverwyman.com