This year will see real progress in 5G network implementation, an expansion of the connected device marketplace, further adoption of applied AI and the advancement of ad-tech capabilities. These constituent parts will more noticeably converge and begin to firm up the long-term vision of global commerce, in which online platforms will have greater reach into the real world and the consumer’s data will fuel unprecedented insights and outcomes.

In parallel with this push into the future, global Technology, Media and Telecom (TMT) corporations will continue to struggle with data privacy regulatory risk. European regulators were expected to begin issuing large, multimillion-dollar fines under the General Data Protection Regulation (GDPR) within the first few months of 2019. And in fact, in the first few weeks of the new year, French regulators levied a large fine against a large global technology/ad-tech company. The newly-passed California Consumer Privacy Act of 2018 (CCPA) is also taking shape, and upon its January 1, 2020 effective date, will further complicate the global TMT industry’s handling of U.S. personal data.

Add to this the potential – though perhaps unlikely – passage of the EU’s ePrivacy Regulation, which could present unique and extremely strict privacy requirements for global ISPs, Telecoms and “over the top communication” providers. Growing momentum in the development of an omnibus U.S. federal data privacy law may also throw additional complexity into TMTs’ forward-looking business strategy and planning. Personal data and privacy regulation is and will continue to be a strategic business challenge for TMTs in 2019 and beyond.

Yet many organizations pigeonhole privacy as purely a legal or compliance problem. This view overstates the regulatory risk and neglects the potential operational, reputational and business model risk. The result is a wasted opportunity and a failure to capitalize on a source of competitive advantage. Proper data privacy risk management presents fundamental technical, commercial and strategic opportunities to differentiate an organization’s products or services. Poor data privacy risk management, on the other hand, can negate product innovation, call into question product or service quality and deteriorate customer lock-in. With the net result being the long-term erosion of shareholder value.

In the mission to preserve and grow shareholder value corporate boards across the TMT industry sector should consider taking a greater role in data privacy risk management when devising overall direction and strategy of the business for 2019 and beyond.

Yet many organizations pigeonhole privacy as purely a legal or compliance problem. This view overstates the regulatory risk and neglects the potential operational, reputational and business model risk. The result is a wasted opportunity and a failure to capitalize on a source of competitive advantage. Proper data privacy risk management presents fundamental technical, commercial and strategic opportunities to differentiate an organization’s products or services. Poor data privacy risk management, on the other hand, can negate product innovation, call into question product or service quality and deteriorate customer lock-in. With the net result being the long-term erosion of shareholder value.

In the mission to preserve and grow shareholder value corporate boards across the TMT industry sector should consider taking a greater role in data privacy risk management when devising overall direction and strategy of the business for 2019 and beyond.

The board should:

  • Prioritize privacy as a central feature of the organization’s strategy and story: Clearly articulate the value add of such a position to management and communicate expectations of this approach to investors in proxy disclosures and direct discussion.
  • Enhance board governance to address the changing privacy risk environment and maximize board effectiveness under this privacy-centric strategy: Be creative with committee structure (where possible), adding to the list of key committees an additional committee dedicated to overseeing specialized risk (like privacy, cyber and emerging technology risk).
  • Align the board’s skills and talents to the company’s data privacy risk management strategy: Enlist new directors or onboard advisors to close skills gaps.
  • Give management the space to craft the strategy and implement the vision: The board should assess whether the strategy as implemented sufficiently preserves shareholder value and mitigates bottom line impact of data privacy risk. To that end, the board must also determine if the strategy is overly restrictive and compromises previously-communicated financial objectives set for the company. This can be particularly challenging for companies that rely on the sale of personal data as a revenue stream. In these situations, management must take extra efforts to implement a strategy that balances board concerns with the need to enable (and grow) data monetization.

TMT boards must take privacy seriously in 2019. Doing so now will allow for a more effective development of forward-looking strategies equipped to weather the new privacy-driven climate.

Andrew Shaxted is a Senior Director in FTI Technology’s Information Governance, Privacy and Security practice, and is based in Chicago. He is a licensed attorney, global data privacy and infosec consultant with a background in technology and global risk management program implementation.