TELESTO STRATEGY

Board Series: Ongoing data wars: A CPG board of directors' risks in data oversight

DECEMBER 2024

Data privacy has become a critical issue in the boardroom, especially within the CPG sector. While awareness varies across industries, recent high-profile data breaches and privacy scandals have heightened board-level attention to these matters. The reputational and financial risks are significant, particularly for consumer-facing brands. Many boards have begun recruiting directors with specific expertise in technology and data privacy, a sign that boards now treat data competence as essential to navigating the evolving regulatory landscape. Notably, younger board members often bring a heightened sensitivity to digital and privacy risks, contributing to a more balanced and informed board composition.

Key takeaways:  

  • CPG boards must stay informed about evolving data privacy regulations such as GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and the SEC (Securities and Exchange Commission) cybersecurity disclosure rules, and must integrate compliance into their oversight and governance strategies. In practice this means regularly commissioning privacy audits, receiving ongoing training, implementing robust reporting systems, and recruiting members with data privacy expertise 
  • Boards should emphasize proactive data management, legal consultation, and transparent communication with stakeholders when privacy violations occur, learning from past cases of non-conformance and litigation 
  • To prepare for potential data breaches or non-conformance issues, boards should regularly engage in education and training, review industry best practices, conduct tabletop exercises, and receive frequent updates from the Chief Information Security Officer or other security leaders  
  • As cyber risk becomes harder and more expensive to insure, boards should manage the uninsured portion explicitly within their governance framework and ESG reporting

Regulatory compliance landscape for data privacy 

CPG companies hold extensive consumer data, so their boards must remain attuned to privacy issues and to emerging technologies that may affect data security. Regulations such as GDPR, CCPA, and others are becoming increasingly central to board discussions, often within the context of ESG sub-committees. In 2023, the SEC followed suit by adopting rules requiring U.S. public companies to disclose material cybersecurity incidents they experience and to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. 

These discussions typically cover: 

  • Data Collection, Consent, Security, and Third-Party Risk Management 
  • Cross-Border Data Transfers and Ethical Use of AI 
  • Risks Associated with IoT and Smart Packaging 
  • Handling of Employee Personal Data and Data Integration Post-M&A 
  • Description of process for identifying, assessing, and managing material risks from cybersecurity threats 

Staying informed and proactive on these topics enables boards to provide effective oversight and guidance. This matters because regulatory frameworks like GDPR and CCPA reach beyond their geographical origins: they apply based on whose data is processed, not where the company sits, and so affect global CPG operations. 

Governance learnings from non-conformance and litigation cases for CPG companies 

GDPR has had a significant impact on how companies manage and oversee employee and stakeholder data since it went into effect in May 2018. CCPA followed, coming into force in January 2020. Both are relatively new regulations, yet companies have already faced significant penalties and fines.

The California Attorney General, historically responsible for enforcing CCPA, has often issued notices to cure violations rather than imposing fines. This approach has led to fewer public announcements of penalties for CCPA violations, and some companies may have reached confidential settlements. Boards should not assume that leniency will continue: the CPRA amendments removed the mandatory 30-day cure period as of January 1, 2023, and enforcement authority is now shared with the California Privacy Protection Agency. The publicized cases that do exist highlight the importance of robust data management and security practices. Boards must ensure proactive assessment, documentation, and legal consultation. In cases of non-conformance, timely and transparent communication with stakeholders is crucial. The board's role in overseeing data privacy compliance and risk management cannot be overstated. 

What can CPG boards of directors and ESG sub-committees do? 

Given the evolving nature of privacy regulations, CPG boards should adopt the following measures to improve their preparedness. When non-conformance is identified, the board needs to:  

  • Assess the span and cause of non-conformance 
  • Engage external experts if necessary to ensure an impartial evaluation
  • Ensure adequate resource allocation to address issues quickly 
  • Consider self-reporting to relevant authorities if required and advisable
  • Ensure legal transparency and manage reputational risks through a robust communication strategy for employees, customers, and shareholders 
  • Implement necessary changes to prevent future non-conformance 
  • Determine if oversight failures occurred and take appropriate action accordingly 
  • Ensure all actions taken are well-documented for potential regulatory inquiries 
  • Require frequent updates on the progress of remediation efforts 

To prepare for these eventualities before they occur, boards should put in place: 

  • Regular board education and training, including benchmarking exercises 
  • ESG Committee reports on data privacy 
  • Briefings from the Chief Information Security Officer or equivalent roles
  • Reviews of industry best practices 
  • Tabletop exercises simulating data breaches to identify gaps in preparedness
  • Regulatory updates and board visits to company data centers or security operations 
  • Third-party audits and recommendations for improvement  
  • Annual review of the company's overall posture regarding privacy and data protection 

Actions boards can take: 

To further support management and the company, boards can consider the following steps: 

  • Require external training for the board or ESG sub-committee on privacy-related matters
  • Engage a specialized third-party firm to conduct a competitive benchmarking exercise for the board  
  • Require regular legal updates on the regulatory compliance landscape 
  • Commission third-party audits of data privacy governance 
  • Ensure data privacy is a standing topic for regular board updates through the enterprise risk management framework  
  • Recruit board members with sufficient data management and cyber credentials, and standardize a minimum requirement for future directors  
  • Audit the insurability of data breaches and cyber risk to determine the company's full operational and financial exposure to its most critical risks, including the portion no policy will cover  

Questions for the boardroom 

  • How effectively is our board overseeing data privacy and compliance with regulations like GDPR and CCPA, especially in managing consumer data and third-party risks? 
  • How do our data management strategies intersect with cyber risk and good governance (as part of ESG)? 
  • As more cyber risks become difficult or impossible to insure, what new processes and systems will we need to better manage our data and absorb the residual exposure? 
  • What steps are we taking to ensure our board stays informed about the latest developments in data privacy, cybersecurity, and the ethical use of emerging technologies like AI and IoT? 
  • In the event of a data breach or non-conformance, do we have a clear, actionable plan for addressing the issue, engaging external experts, and maintaining transparency with regulators, customers, and shareholders? 

Additional Telesto resources: 

Telesto Strategy supports Corporate Directors in CPG to mitigate ESG and climate risks, stay ahead of changing regulatory regimes, and enhance disclosures and reporting in the face of increasingly complex environments. See additional resources to equip Corporate Directors: 
