It is essential to ensure that the companies you invest in comply with current and upcoming privacy laws. Are you protecting the enterprise value of your investee companies by verifying that management is taking the necessary steps? Compliance isn’t just about meeting regulations; it’s also about operating data privacy processes in a scalable and robust way, turning privacy into a competitive advantage.
Here are some actions you should encourage management teams in your investee companies to undertake:
1. Conduct a Thorough Discovery
Do you truly understand your organization’s privacy posture, or do you merely assume you do? If you’re unaware of the actual level of risk within your organization—including where data is collected, how it flows through various systems, to whom it’s transferred, what technologies rely on user data, and what processes are currently in place—you won’t be able to identify areas for improvement. If you haven’t recently conducted a data inventory or a record of processing activity, now is an ideal time to do so.
2. Take Urgent Steps to Ensure Necessary Compliance
Understand your compliance obligations and establish a program to meet these requirements. Consider using a specialized compliance services provider that employs automated compliance management. AI-powered automation will facilitate the establishment of policies, risk management, evidence collection, and compliance credentialing, making these processes efficient and strategically structured. This way, your team can focus on the business rather than becoming overwhelmed by the complexities of compliance regulations. Importantly, this approach will help the business meet its compliance objectives within set timelines and ensure necessary framework certifications.
3. Objectively Assess Your Privacy Operations
If you are already compliant, that’s great news. However, it is crucial to assess whether you are operating an efficient data privacy program. Establish and report on quantitative metrics focused on data privacy. Here are some areas to measure:
- The time taken for current privacy operations, such as fulfilling Data Subject Access Requests (DSARs) and conducting vendor assessments.
- The costs associated with these operations and the potential savings from investing in a data privacy program aimed at addressing these issues.
- The volume of DSARs being received and trends in specific regions where the business operates. Are deadlines for fulfilling DSARs being met, or is the business inviting risk by missing them?
- How often privacy comes up in discussions with sales representatives, as even a few mentions could indicate a growing demand for privacy protection among your target audience.
- Whether privacy is included in voice-of-the-customer surveys and referenced in internal pulse surveys.
While this list is not exhaustive, these metrics illustrate how privacy intersects with broader business objectives. Exploring these intersections will be key to evaluating the scalability and effectiveness of your data privacy program.
4. Define Objectives for Improvement
Establish tangible business outcomes based on the metrics you have reported. Next, identify what is needed to achieve these outcomes. Do you require additional investment? If so, in what areas? Will you need more staff or new tools? Where are the gaps, and how will you address them? This process will help you formulate your privacy improvement strategy.
5. Plan and Deliver
With your strategy in place, you need to develop a plan and allocate resources for its execution. Consider appointing an expert compliance services provider to ensure you have the right tools and expertise to create a realistic plan and successfully deliver on your privacy objectives.
Once your investee companies are focusing on privacy compliance, make sure you track their progress at Board meetings.
- Cost of compliance is significant – Just check this tracker to focus your mind: https://www.enforcementtracker.com/.
- Reputational damage may permanently impair your investment. Just check this out – https://www.nytimes.com/2023/05/22/business/meta-facebook-eu-privacy-fine.html. One of the world’s biggest businesses might just be able to overcome this hit to its digital trust credentials – do you want to bet your investee company can?