Megatrend Spotlight: Earlier this year, 3M shared the megatrends we see shaping the next 5-10 years of life on this planet. To understand the source of these trends, and their impact around the globe, we are taking a deeper dive into their key themes and the ways our people, technology and solutions are working to improve lives.
One important trend we identified is technological breakthroughs. A key component of this is the ever-increasing accessibility and linkage of corporate, consumer and individual data. This accessibility, in turn, can result in data breaches, which may cause or accelerate consumers’ distrust of corporations. Quite simply, many high-profile data breaches have occurred in the past few years, and consumers are generally becoming more concerned about how their mobile phone and internet activities are tracked for advertising purposes.
One response to these concerns has been the passage of privacy laws globally, which give individuals more control over their personal information. As countries and states adopt their own regulations, it’s becoming evident that data protection is not just a legal obligation but also a major factor for brand and reputation.
To learn more about this evolving and complex issue, we chatted with Frances Phillips Taft, 3M’s chief privacy officer.
Q: How would you describe your role with 3M?
A: As 3M’s chief privacy officer, my role is to lead and oversee 3M’s data privacy and data protection policies, advise on the integration of those policies through all 3M businesses and functions, and provide guidance on how the company can collect and use personal data in a legally compliant manner. My role also includes building and implementing a program that aligns privacy with the 3M business strategy, to help sell the company’s products and services and grow revenue by creating stakeholder trust.
Privacy is truly a team sport. It is not solely the responsibility of the legal or compliance function. Rather, it requires everyone across 3M to be engaged, committed and aligned – everyone has a part to play.
To develop an effective privacy strategy at 3M, it is important to engage all stakeholders. I am currently working to foster collaboration across 3M and its businesses, and with various teams, including customer operations, sales and marketing, brand and reputation (corporate affairs), legal affairs, HR and government affairs. We have the commitment from the Board and 3M leadership to ensure that the entire organization prioritizes privacy. We are working to structure a cross-functional approach, and collaboration across the functions and business groups is critical to success.
Q: You started at 3M in July of 2020; tell us about your background in data privacy?
A: I began working on data privacy matters in 2009 for GE Oil & Gas, a GE subsidiary. At that time, I was living and working in Italy. I led an initiative to ensure all GE legal entities operating in Italy were compliant with the local Italian data privacy requirements. If you were not compliant with these requirements, not only were there financial penalties but potential criminal exposure.
I joined 3M in July 2020 and of course, I have been working remotely, given COVID-19 restrictions. Starting a new role in a new company has its challenges, but I have taken this time to learn as much as I can about 3M and its “privacy personality,” and to begin laying the foundation to initiate a privacy governance structure that works seamlessly with the Company’s priorities and culture.
Working in the UK and Italy, I recognized privacy as an enterprise regulatory risk that multi-national corporations needed to prioritize to operate in the EU in a compliant manner. Over the next decade, and in the run-up to the E.U.’s passage of the General Data Protection Regulation (GDPR) in 2018, I worked closely with Italian and European regulators to ensure that the GE Oil & Gas data privacy program was legally compliant.
In 2017, when GE Oil & Gas merged with Baker Hughes, Inc., I took over the global privacy role for GE Baker Hughes. I oversaw the integration of required privacy compliance actions worldwide, including GDPR requirements.
Q: Talk about the current state of data protection regulations?
A: Data protection regulation is expanding globally. More than 90 countries now have broad data protection regulations, and many of these laws have been recently enacted, such as in Brazil, Egypt, and Thailand. Many countries are also strengthening and updating existing laws, as illustrated by recent amendments to privacy laws in Japan, New Zealand, and South Korea. Notably, all these countries are enacting laws modeled substantially after the GDPR.
The U.S. approach to privacy is generally sectoral or based on specific types of personal information, such as health information. It is not nearly as broad as the European approach, or the approach increasingly being adopted by other countries around the world. As a result, in the U.S., because of the cross-national nature of business, multinational companies need to understand and enact internal policies that are compliant with the laws passed by overseas trading partners.
However, we are starting to see states in the U.S. following the GDPR model. In November, California voters approved a “people’s initiative” called the California Privacy Rights and Enforcement Act (CPRA), which broadens California’s existing law and creates the first-ever U.S. regulatory agency dedicated exclusively to enforcing data protection laws. Perhaps more significantly, given California’s reputation for legislation, Virginia, which has never been known for legislative or regulatory activity in the area, enacted a data protection law in March 2021, which is primarily modeled after GDPR.
This is just the tip of the iceberg. There currently are 30 bills pending in 18 states and in Congress to address data privacy. In 2020, we saw data protection regulators, especially in the EU, become even more assertive, imposing significant fines against corporations they deemed to have violated GDPR. As we advance into 2021, we anticipate that trend will continue. There will almost certainly be increased enforcement by regulators to ensure that companies manage data according to the regulations.
Q: How does 3M approach data protection?
A: 3M operates in over 200 countries with varying privacy requirements. It is imperative that we collect, use and disclose data in a compliant manner, not only from a regulatory perspective but also because our customers and employees will demand it – they already have this expectation.
We are actively developing a governance structure to identify and manage 3M’s data privacy risks and incorporate data privacy regulatory requirements into our business strategy and processes, so that we can effectively compete worldwide while providing our customers transparency and choice, with a full understanding of privacy rights and requirements, while growing our revenues.
We have identified digitalization as a key goal. Digitalization is generally defined as using digital technologies and data to create revenue, improve business, replace or transform business processes, and create an environment for digital business, with digital information at the core.
Like 3M, many companies reinvent their products, services, and business models to incorporate advanced technologies and machine learning. To support 3M in this process, we need to assemble the right team and tools, and develop a plan to advance our digital transformation strategy.
The Legal and Compliance team understands what the requirements are for privacy regulations. We need to streamline these requirements and communicate the key messages so that 3Mers understand what they need to do.
Privacy is more than just an issue of compliance. We endeavor to manage personal information consistent with 3M’s core value of integrity. Doing so helps us build customer trust and confidence and reinvigorate employee commitment.
Q: What recent actions has 3M taken to become a better data steward?
A: With new laws emerging almost daily, and enforcement actions rising at a steady clip, we are acting proactively to assure that we implement core privacy foundational needs across the 3M business and operations.
Following my hire, we established a Data Privacy Governance Committee to develop a formal privacy compliance program. The Committee, comprised of 3M executive leaders, provides strategic oversight of our privacy compliance program across 3M functions and business groups. In addition, they provide leadership support to reinforce the message of privacy compliance and make resources available for ongoing privacy compliance requirements.
We have also identified specific owners, or “privacy stewards.” With guidance from our team, these privacy stewards will help implement appropriate privacy-related business processes. We are also increasing training and communication on these issues around the Company.
3M has also joined the International Association of Privacy Professionals as a Corporate Member. Our engagement with IAPP will give 3M access to our peers' latest thinking and best practices.
The Privacy team plans to develop robust processes to anticipate and mitigate risks. At the same time, we stay up to date on the law and regulations, monitor the privacy regulatory compliance requirements, and confirm that our policies and procedures are compliant.
Q: In closing, what should everyone at 3M take away about data privacy and protection?
A: With the advent of regulations and the increasing digitization of our lives, economies, and business, privacy is moving beyond the legal and compliance functions and into the forefront of 3M's strategic priorities.
Everyone’s personal data is online in one way or another, and the world is recognizing that because that information has tremendous value, it is subject to abuse. Governments are focusing on business use of personal and private data and seek to regulate that data in new ways.
In closing, I would emphasize that we are all in this together. As a sports mom of a sixteen-year-old boy, we need to play as a team and support each other in addressing these key issues. Complying with these laws is not just a question of avoiding increasingly significant fines. It is also key to protecting and enhancing corporate reputation and brand value. It is essential to winning and maintaining our customers, employees, and other stakeholders' trust.