Three board members walk into a bar. The bartender asks: what is your top governance priority for 2022? They each furrow their brows in contemplation.
One leans forward conspiratorially and, in almost a whisper, says “privacy”. The second board member sidles up to the bar more confidently and, in a loud, clear voice, says “growth”. The third, chewing nervously at a breadstick and appearing to be sweating, says “risk. We need to mitigate risk!”
The bartender responds with “it sounds like you three have a lot in common” and is then called away to serve his other customers. The board members are left wondering: what do those three answers have in common?
The answer is data.
Spoiler alert: there isn’t a punchline hidden in here somewhere. This is not a joke, and neither is the digital health, security and privacy compliance of your organisation. 2022 commenced with privacy, growth and risk all top of mind for boards and management. We’re now a quarter of the way through the year, and it’s a good time to reflect on whether those concerns are being addressed.
Organisations all want data-driven digitisation (even if they don’t realise it or call it that), and they must ensure that privacy is part of the very foundations of their systems and processes. Managing growth and risk means having a robust approach that treats privacy-related incidents and regulatory actions as a matter of “when”, not “if”.
Perhaps you identify with one of our three friends from the bar and want to understand what you could be doing to build data-related growth. Here are some ideas:
- Implement privacy by design. Privacy shouldn’t be an afterthought. Ensure that good privacy practices are built into your organisation’s decision-making, as well as into the design and structure of your information systems, business processes, products and services.
- Maintain good infotech hygiene. As we have learned from cases like Marriott and British Airways, simple “good practice” measures like effective security and threat-detection software and multi-factor authentication can be critical in preventing catastrophic security breaches.
- Be aware of current regulatory actions. The ICO may be on a listening tour, but it is still the regulator responsible for actively enforcing data protection compliance. Understanding the regulator’s focus and concerns can help shape and prioritise your efforts.
- Review your supply chain contracts. Ensure that they contain data and privacy protections, and if they do, consider refreshing the language to meet the data and privacy challenges of today.
- Continuously improve and update your controls and processes. There is no one thing that can be implemented or purchased that will ensure the cybersecurity or privacy compliance of your organisation. Internal compliance needs to be regularly updated, and systems need to be re-evaluated periodically for their effectiveness, as well as for how well staff understand them and are able to contribute to them. Your systems are only as good as the way in which they are used day-to-day.
Brett Farrell provides strategic legal advice for companies that are digital-first or on a digital transformation journey through his substantial experience in data protection and privacy. If you’d like to chat with Brett about the legal support he can offer your business, get in touch.