Uncategorized

Brace for Impact: Why the GDPR Should Remain at the Top of Directors’ Agendas

UK sees Data Protection Compliance Changes

Data protection law in the UK will change “comprehensively” as of 25 May, 2018, when the European Union General Data Protection Regulation (GDPR) (Regulation EU 2016/679) comes into force – and it will be implemented regardless of Brexit. The purpose of the law is to protect individual privacy, but its effects on board-level corporate governance are extensive. Fines for non-compliance can reach 4 per cent of global turnover, but damage to a corporate’s reputation could also be considerable. Directors may also be held personally liable for types of non-compliance.


Data Protection Responsibility of Directors under previous UK law

The UK has had Data Protection legislation since 1984, which required organisations to register their use of data and to provide rights of access to individuals to their data when it was in use by business.

These rules and rights were revised and superseded by the Data Protection Act 1998 which came into force on 1st March 2000, and which implemented the European Data Protection Directive (95/46/EC). That law determined that data protection applies when personal data is processed or is to be processed by a computer, or is recorded or to be recorded in a structured manual filing system. The data controller – whoever processes the data – must use data responsibly and handle sensitive data with prudence; notification must also be made to the Information Commissioner’s Office of data use. Individuals do not lose the right of privacy, that is, to retain a certain degree of control of their data when companies make use of it. Under the terms of this law, the maximum fine imposable for non-compliance was £500,000.

The board is held responsible for the implementation of these policies and for auditing them. Directors have personal liability for compliance, and, under certain circumstances, can face criminal charges for non-compliance.

GDPR will strengthen board’s responsibilities

The EU General Data Protection Regulation (GDPR) will come into force in the UK on 25 May 2018, regardless of the UK’s withdrawal from the European Union (Brexit). This was first stated by Prime Minister Theresa May on 17 January 2017, and reaffirmed after the Conservative Party formed a new government by Minister of State for Digital and Culture at the Department of Culture Matthew Hancock.

The EU has spent four years working on the GDPR legislation, and the new law will impose regulatory requirements that will impact organisations across all sectors. These requirements concentrate on improving consumer protection and placing increased responsibility on organisations that collect, store or use personal data relating to EU and UK citizens.

Clearly, the first step for directors under GDPR is to appoint a Data Protection Officer – this is a requirement of the new legislation. Many experts feel that this should become a board-level position, or at least one reporting directly to the audit committee. The Data Protection Officer leads the effort to ensure compliance, and should have both management experience and technical skills.

That executive should then take ownership of an inventory of all the data that the organisation holds, where it is located, how it is being processed, and how it is being made secure. The GDPR introduces significant new requirements around maintenance of audit trails and data journeys.

Record keeping is crucial, because consumers must be able to give and withdraw consent to the use of their data. If a consumer challenges the accuracy of given consent, it is now the business that bears the burden of proof.

To protect record keeping, encryption and other security measures are established as data protection standards which responsible organisations are expected to utilize or face the consequences.

When determining data security, businesses must take into account the nature, scope, context and purposes of their use of personal data.  But GDPR now expressly calls for protections, including:

  • The pseudonymisation and encryption of personal data
  • Measures to ensure resilience of systems and services processing data
  • Measures that allow businesses to restore the availability and access to the data in the event of a breach
  • Frequent testing of the effectiveness of the security measures.

Encryption can be a means to ensure compliance. If there is a data breach, companies are required under GDPR to notify all those affected. But if the data were made unreadable by encryption, there is no longer a notification requirement.

Each time an organisation processes personal data, it will do so as either a controller or a processor. These roles bear different responsibilities, so organisations must identify how they act as controllers and comply with the obligations of that role. Each organisation that acts as a controller should identify the data processing activities for which it is a controller, and ensure that it understands its responsibilities as a controller; ensure that, in respect of each processing activity for which it is a controller, it has implemented appropriate technical and organisational measures to ensure compliance, and ensure that it has appropriate processes and templates in place for identifying, reviewing and (to the extent required) promptly reporting data breaches.

Data breaches are subject to an entirely new regime. The GDPR will introduce a name-and-shame mechanism in which businesses must make official notification to the Information Office if there is a security incident that affects the security of the personal data that they hold.

If the breach is likely to result in harm to the data subject in any way, businesses will have to notify the subject about the breach.

Learn the 8 ways board directors should be preparing for GDPR right now or book a demo to find out more about how we can help.

Strict compliance rules

To ensure that data protection becomes a board-level issue, penalties for non-compliance are strict. If a business fails to comply with its data security obligations under the GDPR, it may get a fine of up to €20 million or 4 % of its total worldwide annual turnover, whichever is higher.

Where board-level actions are found at fault, criminal charges may be pressed. Even if no criminal charge is made, a board member’s inability to ensure protection of personal data may be considered a failure to exercise reasonable care and diligence, and that could result in action for damages, termination or disqualification.

It is worth noting here that companies outside the EU, but which transfer data to the region, are subject to all the same rules as EU companies.

Given the significant complexity and number of rules that GDPR imposes on boards, experts advise organisations to not wait to allocate budget, select the Data Protection Officer, and begin taking data inventory, along with planning all the structural changes that compliance may require.

Effective GDPR compliance could be good for a company’s reputation, some analysts note. Potential clients, along with the general public, will respect companies that make an effort to manage personal data with care. The issue is one that is likely to become very public after GDPR comes in to law, so it is in the interest of directors get started on complying with it.

Featured Blog