The PACT Data Privacy Trust Framework and Scorecard (Detailed)

Speaker: Debbie Reynolds

Introducing the PACT Data Privacy Trust Framework and Scorecard (16 minutes)

Hello, my name is Debbie Reynolds. I'm the CEO, founder, and Chief Data Privacy Officer of Debbie Reynolds Consulting. Today, I'm proud to announce a new PACT Data Privacy Framework and Scorecard I created to help organizations rate not only their regulatory business risk but also be able to engender trust in individuals for the data they handle. So it's called PACT, and it is the Data Privacy Trust Framework and Scorecard. So PACT. The acronym stands for PURPOSE, ALIGNMENT, CONTEXT, and TRANSPARENCY. So before I get into the definitions of this Framework and Scorecard, I wanted to lay the groundwork for why this is important and how organizations can use this tool to help them. So let's look at the Data Privacy landscape right now. So there are rapid developments happening in Data Privacy and data protection regulations around the world.

I think there was a study by Gartner that said that regulation within the next five years is going to increase exponentially. As we've seen over probably the last four or five years, a lot of jurisdictions are creating more and more Data Privacy regulations. We're seeing trusted companies who protect their data or protect the data of individuals enjoy increased revenue. Over the last year or so, Apple recently implemented their app TRANSPARENCY, which forced people to be able to opt in to certain advertising and third-party data sharing. And as a result, I don't think as a coincidence that Apple not only increased their revenue, you know, beyond what it had been before, but also there were reports in the media about how billions of dollars in revenue were lost by organizations that don't enjoy that same level of trust.

And you can't really gather data in those third-party ways they were accustomed to before. So there are also technology shifts that are minimizing alternative data uses and third-party risks of organizations. So this is not going to stop. Regulation is definitely pushing it, but we're also seeing people, not only people like Apple but also Google looking to limit their third-party data risk. And this also creates a risk for organizations when they're looking at the data they collect about individuals and what they do with that data. And then we're seeing leadership in Data Privacy as an advantage. So we're seeing that companies like Apple that can go out of their way to show what they're doing in terms of privacy and data protection really be able to benefit, and it is an advantage to their organization and their brand.

So what is the purpose of this Framework and Scorecard? This Framework and Scorecard aims to communicate Data Privacy risks to investors and boards. Also, C-suite people. A lot of times, when organizations have Data Privacy obligations or concerns, it's difficult to figure out how to communicate what that risk is. So this Framework and Scorecard is an easy way for people to be able to quantify and see what that risk is and then figure out what their plan is going forward to fix it. The Scorecard and Framework also align with fundamental principles of Data Privacy regulations. So regardless of what the regulation is, regardless of the jurisdiction, there are basic fundamental things that organizations need to really think about. And I think if organizations implement something like this, they'll be in a better position to respond when there is a new regulation or there's a new requirement as it relates to personal data and how they collect it or retain it.

This Framework helps people pinpoint data practices that reduce trust. So trust, not data, is the new oil as far as I'm concerned. So trust is the thing that organizations really want to have. That is the thing that will increase their bottom line. People who don't trust companies will go to other companies. So I think this is really important, for businesses to know what those problems are. Especially as we know that this can have a bottom-line revenue impact that could be negative, this Framework also will help organizations reduce barriers to the adoption of products and services because it helps to clearly communicate their maturity along the Data Privacy Trust spectrum. And also, it crisscrosses not just regulation but also business as a result of Data Privacy and data collection. And then, there's a guide to organizations throughout the data life cycle.

I consider it like a gut check for organizations, and then it's something that they can do periodically to check, to see how they're maturing along the spectrum. And then also making sure that they're not only focusing on the collection and the immediate business use but also the end of life and the life cycle of data all the way through people's data uses and what to do with it afterward. So let's talk about the benefits. So, as I said, communicating the value of trust to stakeholders and shareholders, not just people who invest in companies or organizations, but also the stakeholders. So that may be people outside the organization, whether it be in roles, investor groups, people who want to do business with your organization, or third parties. This will really help communicate that message. It can reduce the risk of reputational harm.

So, in addition to cybersecurity risks that come up, there are privacy risks that come up and regulatory risks. Companies are also fighting reputational harm when they're handling data in a way that individuals can't trust them or don't trust them. We're seeing increased revenues by demonstrating trust in data practices, which you want to be able to show improved data quality. We know for sure that people give companies better data if they trust them. So being a company that's a good data steward, they will get more data from individuals, and they'll get better quality data than their competitors. And then assess the maturity of your data practices and identify gaps quickly. So doing this type of assessment, looking at the Framework can give a high-level idea of where the gaps in your organization may be for Data Privacy and maybe help you triage or decide what are the things that you want to address first and try to organize it in a way that makes sense for the organization.

All right, implementation. You want to assess the risk of the organization around Data Privacy and data stewardship. So this will help you at a high level, figure out what those risks are, and tie actions to that. And also be able to tie things like evidence to that. This is a rating system. So we are rating the risk and developing a plan to increase your data maturity. So based on where you fall in the spectrum, it may require you to maybe do some different work on different areas. So this definitely helps pinpoint the areas where you're weakest and the areas where you're strongest that you want to continue to mature as you go forward. This addresses the business risk, as well as the regulatory risk. So a lot of Frameworks talk about risk around regulation. And we know that there's a lot more risk beyond regulation.

So we have companies that are losing market share, losing customers because they can't really pinpoint the trust factor. So being able to look at it, again, not just from compliance, not just from regulatory, but also as a business risk, which is what all organizations really need to do. This Framework and Scorecard help tie that together. It allows organizations to determine which areas need the most immediate focus. So the types of organizations that can use this Framework are any organizations large or small, regardless of where they are, can utilize this type of Framework. Any organization that handles the data of an individual. So an organization that handles any data, personally identifiable, people can use this Framework to rate the organizations that want to benchmark their Data Privacy Trust maturity where they have gaps, organizations that have regulatory obligations and consumer trust, risk around Data Privacy, and data protection and organizations who want to have positive revenue impact related to their commitment to Data Privacy and trust.

So let me go through the Framework portions. It is called PACT. So PACT stands for PURPOSE, ALIGNMENT, CONTEXT, and TRANSPARENCY. So PURPOSE means organizations really need to define the purpose of data use and make it clearer to individuals. So this is not business as usual going forward. It has to be a situation where organizations, even before they take in data, they need to understand what the purpose is because that will help reduce their risk long term, not only for regulatory reasons but also for reputational and trust reasons, bottom-line reasons. Then there's ALIGNMENT. So when data use is aligned with the purpose of data collection, it builds trust with individuals. So not having data being used in some other way, but making sure that first of all, you're collecting the data that's most required for your data use, and you're aligning it to what your business needs are or what the needs of the individual are.

Then there is CONTEXT. So CONTEXT is very important. Data use in CONTEXT with the purpose for which it was collected builds trust with individuals. It is also key that organizations can define clear benefits to individuals for their data use. So context is an issue that comes up a lot. This is where a lot of organizations fall down on CONTEXT. So, for example, just because you collect data for one purpose, it may not be the best thing to use it for another purpose. And so that's one way that, for example, organizations can either run afoul of maybe a regulatory requirement, or they can run afoul of the trust of individuals in terms of how they handle their data. And then last, we have TRANSPARENCY. So making it clear to individuals how data is being used within your organization.

So it may be communication or TRANSPARENCY with the consumer or individual. It may be TRANSPARENCY with the public. It may be TRANSPARENCY with regulators, shareholders, investor groups. This will be a way to roll up all of those things in a way that you can be able to communicate them to a broader audience. And then the second part of this is the Scorecard. So being able to score yourself against these four PACT categories will help organizations figure out where they fall on the spectrum and where they need help. So the Scorecard has points. A company can be rated up to a hundred points. The lowest would be 20 or below is definitely failing. So we rate people as exceptional, above acceptable, minimum acceptable, below acceptable, and unacceptable. So for each category, organizations can rate themselves in these areas and then roll it up into a report or a Scorecard where they can be able to show anyone, board members, investor groups, the public, where they fall on this spectrum.

And so this is I think a very handy tool and is very needed. We haven't yet seen any Frameworks like this, where we're rating the regulatory risk or the things required by regulation and looking at the business risk and finding ways to build that trust. So organizations that are trusted will have more data, better quality data, better revenues, and better acquisition of new customers, not losing customers, not losing money as a result of how they handle data. So if you want to learn more about PACT, don't hesitate to get in touch with www.debbiereynoldsconsulting.com/pact or email us at pact@debbiereynoldsconsulting.com. Thank you.
