As Manufacturing Is Transforming, Data Privacy Is a Key Risk – And One to Be Addressed Sooner Rather Than Later

Sharon Lindstrom, Managing Director, Internal Audit Manufacturing and Distribution Industry Practice Leader
Katie Stevens, Director Security and Privacy

Leaders of manufacturing and distribution (M&D) companies don’t rank data privacy among their list of top concerns for their organization this year — or even for the next decade. That’s one of the most striking takeaways from this industry group, based on a new top-risks survey conducted by Protiviti and NC State University Poole College of Management’s Enterprise Risk Management Initiative.

It’s also in stark contrast to the survey’s overall results: Privacy and identity management issues rank fifth on both the 2021 and 2030 lists of top 10 risks cited by executives and board members at companies across the globe. But if you drill down on responses specifically from leaders in the M&D industry, you won’t find this risk ranked nearly as high.

Why data privacy isn’t as top-of-mind for these executives as it is for, say, executives of retail companies, financial institutions and healthcare systems may be intuitive to some but, as we explain below, the risk profile in the M&D space is changing in the digital age. Data privacy is a key risk for any company handling potentially sensitive data related to its customers, employees and business partners. Few organizations today have a good handle on managing data privacy issues. And there are plenty of reasons why companies in the manufacturing and distribution industry should consider stepping up their efforts to improve in this area.

Increased Privacy Regulations and Rising Consumer Privacy Requests

Since the implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018, more than 60 jurisdictions around the world have enacted privacy and data protection laws. In the United States, California and Virginia have instituted state consumer privacy laws, and other states, such as Maine and Nevada, have passed privacy laws designed to protect the privacy of online consumer information. There is also an expectation that under the Biden administration, Democrats will advocate bringing U.S. privacy rules closer to these standards, giving consumers the right to know how their personal information is collected and used.

As privacy and data protection regulations mature and potentially become more complex, compliance risks will continue to rise, along with the penalties for violations. Several well-known companies have already been hit with substantial fines — tens of millions of dollars, in some cases — for violating the GDPR. The risk of private litigation is also a concern for businesses that fail to sustain privacy compliance and respond effectively to privacy requests from consumers.

Emerging Technologies and the Expanding Internet of Things

Many manufacturers have been focused on digital transformation in recent years, positioning themselves to compete in the data-driven and highly interconnected Industry 4.0. They’re embracing emerging technologies like machine learning and artificial intelligence, which are fueled by massive amounts of data, and cloud computing, which makes data accessible to users anytime, anywhere. Digital technologies have already completely changed how businesses can collect and use personal data. And as manufacturers do more business online, the risk of data privacy compliance missteps grows.

Unfortunately, many manufacturers don’t fully understand how much data they’re collecting; what they’re collecting and from whom; and how the business is using, storing or sharing that information. The rapidly expanding Internet of Things is a factor in this.

For example, think about a company that makes smart connected devices and applications for home use. That business may be collecting a wealth of data about how consumers use those devices and apps so that it can ensure they’re working properly and continually improve their performance. But those devices and apps are likely collecting more information than they need, including sensitive data. Worse, they may be sharing that data with third parties without the consumers’ knowledge or consent. There’s also the risk that malicious hackers might target this data, as in the most recently publicized Verkada breach.

Some manufacturers may think they aren’t handling sensitive data because they aren’t collecting personally identifiable information like Social Security numbers from customers. But the scope of what is considered sensitive has changed in the digital era. For example, geolocation data that reveals personal behavior, interests and beliefs could present data privacy risks to individuals.

Overcoming a Shortage of Data Privacy Expertise

All of the above trends and risks should have the leaders at M&D companies more concerned about data privacy than they appear to be relative to other risks, based on our top-risks survey. Currently, we see many manufacturers lacking a robust data privacy process. Some are relying on their resource-strapped information technology or security teams to alert them to potential issues (or, really, hoping or assuming that they will). Few firms have dedicated staff focused on data privacy matters.

Many manufacturers that recognize they need to improve their approach to managing data privacy are seeking to hire experienced data privacy professionals. Some have added executive-level oversight roles, such as a data protection officer (DPO), to guide the implementation and supervision of privacy compliance efforts across the enterprise. However, finding available talent for data privacy roles is a significant challenge, as these professionals are in high demand and short supply. Also, few companies have the resources to assemble and maintain a full, in-house privacy team that can keep up with new and changing regulations in all the geographies where the company operates.

A managed services approach to data privacy — privacy as a service (PaaS) — is one solution that manufacturers may want to explore. How can a company determine if it needs to engage outside experts to help it improve how it handles data privacy? The following types of questions can help with decision-making:

  • Do we know exactly which data privacy and protection laws apply to our operations?
  • Have we found it challenging to comply with data privacy regulations in the various jurisdictions where our business operates?
  • Are we confident we know of and/or have a plan to address any data privacy compliance gaps?
  • How are we currently addressing consumer privacy requests? How many such requests are we receiving?
  • Are we using any tools, or the right tools, to inventory and classify personal data to comply with all applicable data privacy requirements?

Tapping a PaaS resource is a way for the business to quickly grasp which data privacy regulations are applicable to its operations, identify potential gaps in compliance and create a plan for remediation. And the cost to deploy this strategy is often far less than the cost of creating and supporting an in-house team. A managed services approach to data privacy is also cost-efficient, because it’s flexible for companies — they can scale up or down as their needs change.

Sustainable privacy programs are built on a foundation of data management and governance. A PaaS will typically center on five main priority areas:

  • Recurring data inventory, classification and assessments
  • Data subject rights request management
  • Privacy platform management
  • Privacy by design assessment and engineering
  • Monitoring privacy legislation and program management

For manufacturers, the benefits of engaging with a PaaS provider are multipronged: from proactive monitoring and identification of data privacy risks to better visibility into data processes, vendor risk management and ongoing compliance.

Even though manufacturing and distribution companies did not cite data privacy as a top risk in our survey (instead citing other priorities like health and regulatory concerns in the short term and digital disruption in the long term), that doesn’t mean the risk does not exist or does not warrant significant attention. While the steady parade of household-name companies with millions of sensitive records exposed, sold or ransomed may be having a somewhat desensitizing effect on the public at large, it only takes one breach for a major manufacturer to realize the pain of having its intellectual property, vendor list or confidential customer information made public. Acting proactively now and making data privacy a priority can place manufacturing and distribution companies ahead of the game and ensure they are ready to confidently and securely reap the benefits of digitization, big data and Industry 4.0.

Learn more about Protiviti’s data privacy solutions here.
