Data privacy case study
Collection of personal data has fuelled the rapid growth of internet-based technology companies.
Firms that rely on the handling and processing of personal data are under intense scrutiny from customers and regulators. As a global asset manager with extensive investments in the technology sector, we believe that we can have a positive role to play in encouraging good data privacy practices and helping protect clients from associated investment risks.
Our research found that companies collecting personal data are exposed to regulatory, operational and reputational risks, and that a fine line separates success from failure in terms of privacy policies and practices. It framed our 2020 engagement discussions with firms exposed to data privacy issues.
Our engagement goals and activity
In 2020, we engaged with 20 companies exposed to privacy risks around how their way of working compares to the good practices we identified around:
- Transparency on data privacy policies and practices
- Oversight of the issue at board level
- Data collection minimisation
- Privacy by default
As part of this we sent an engagement letter to the board chair at 12 of those firms, requesting information on their data privacy policies and practices and inviting them to begin constructive and open dialogue on the topic. Most companies responded positively – we had direct discussions with 16 out of 20. We were glad to see that technology companies were open to discussion and willing to learn about investors’ expectations around data privacy.
Results and next steps
We found that most of the firms we targeted acknowledge the materiality of data privacy and are taking steps to mitigate risks. We often received positive responses from companies with regards to management of privacy issues and day-to-day practices. Some of the best practices we have seen through our engagement include:
- A company that established a dedicated privacy committee at board level
- A company applying strict non-content based and behavioural targeting, meaning that users’ data is not used to propose personalised advertising
- A company that published a human rights policy that encompasses privacy issues.
We were also glad that the tech companies we engaged with were aligned with our central message on data privacy – that responsible privacy practices are key in building and maintaining user trust. We believe that this allows responsible firms to create and deliver sustainable, longterm value through the collection and processing of data.
IIn 2021, we will continue our engagement programme with firms exposed to privacy risks, as work still needs to be done. In addition, we believe that scrutiny around corporations collecting personal data will be even greater in 2021. Most notably, the US Federal Trade Commission recently ordered some technology companies to share information about how they collect and use data, while the European Commission targeted digital economy firms in its recent Digital Services and Digital Markets Acts.