The General Data Protection Regulation (Regulation EU 2016/679) takes hold in the UK and throughout the EU on 25 May 2018 – Brexit will not change this. A sweeping and comprehensive reworking of data protection requirements, GDPR demands that UK boards must plan to direct major cultural changes throughout their organisations. A board portal can make a significant difference in managing these complex changes.
The GDPR and how a board portal can help
UK boards must make the company-wide changes the law requires, creating a new framework for decision-making and a new organisational culture to manage the risks and achieve compliance. In addition, as London-based law firm Ropes & Gray pointed out: “The principle of accountability provides an opportunity for organisations to bolster individuals’ trust in them by showcasing their robust data protection efforts and for demonstrating transparency and corporate responsibility. Responsible information handling practices can attract customers, investors, and talent.”
These are vast responsibilities for directors, and efficient, secure communications are critical to meeting them. A board portal not only provides such an environment but also enables documents and updated information to be exchanged in real time. Managing the GDPR-mandated changes through a board portal saves time and money and improves the board's performance.
The challenge for directors
As Deloitte pointed out in a recent study, proper action by the board at this juncture will point to the overall cultural change needed. “Directors are advised to build a proper base for GDPR compliance by analysing the risk of processing personal data in your organisation. This will enable you to prioritise the many actions you will likely need to take, and minimise your risks in a short amount of time,” Deloitte analysts noted.
GDPR addresses both data controllers, organisations that determine the purposes and means of processing personal data, and data processors, organisations that handle personal data and carry out technical operations on behalf of data controllers and in accordance with their instructions. Under the GDPR, data processors will also be required to comply with certain data protection requirements, including those related to cross-border transfers of personal data, security, appointment of data privacy officers and recordkeeping of processing activities.
Given the complexity of the new regulations, the UK Information Commissioner’s Office (ICO), which is responsible for implementing GDPR in the UK, has provided extensive guidance on what actions companies should take to comply.
The first stage includes:
- Appointing a Data Protection Officer (for larger organisations) to the board to manage the GDPR process
- Documenting the data your company holds. Sources of personal data should be identified, and sensitive personal data (as defined by the GDPR criteria) should be classified. Document where the data came from and who you share it with. A full-scale information audit will probably be necessary for most organisations.
- Auditing procedures to protect individuals’ rights. A board-level review should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Communicating privacy information. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Role of the board portal
A board portal can support all of these actions, removing the need to send out scores of emails or to circulate documents insecurely. The nominating committee can communicate directly with all directors on the choice of a Data Protection Officer, and a meeting to officially elect that director can then be arranged rapidly, with director agendas already on the portal. The procedure for data documentation and the rights audit can likewise be discussed via the portal, and the necessary steps communicated to management. A new policy for privacy information can also be discussed ahead of a meeting at which a new resolution is put forward.
Second stage: consent and breaches
The second stage of compliance should include:
- Consent procedures. Directors should review how consent for the use of personal data is sought, recorded and managed, and whether any changes are needed in this area. Existing consent should be checked to confirm that it meets GDPR standards. The use of children's data, and of other data for which third-party consent is required, should be carefully reviewed.
- Data breaches. Directors should review the procedures in place to detect and investigate a personal data breach. The audit committee and the risk committee should collaborate with the Data Protection Officer for this purpose. GDPR rules require breaches to be reported promptly, and non-compliance will result in serious fines.
- Implementing procedures for Privacy Impact Statements. Companies are responsible for the preparation of Privacy Impact Statements (PIAs) under conditions specified by GDPR. PIAs are a systematic process to assess privacy risks to individuals in the collection, use and disclosure of their personal data. Specifically, data controllers must conduct PIAs where privacy breach risks are high so that the risks to data subjects are minimised. This part of the law is covered in Article 29, and directors should consult it and related guidance.
Diligent Board Portal and GDPR
Just as in the first stage, board portals can make a tremendous difference to the efficiency with which compliance is achieved. Diligent board portals are particularly well suited to this purpose, as they provide real-time communications with the highest level of security. Directors can hold discussions on the portal and share information and documents without concern, since the level of access to particular materials can be customised.
From conducting reviews of procedures for consent and data breaches, to sharing responsibilities for reporting, the Diligent Board Portal can provide the support directors need.
The Diligent Board Portal works with any major operating system, and is easily accessible from whatever devices the directors prefer to use.
A library of materials related to GDPR, and to all matters of corporate governance, can be kept on the Diligent Board Portal.
Given the intense activity GDPR compliance will require, directors should contact Diligent to get the support they need.