Boards must direct sweeping cultural and managerial changes
There will be serious consequences for UK business when the General Data Protection Regulation (GDPR) (Regulation EU 2016/679) takes hold in the UK and throughout the EU on May 25, 2018 – Brexit will not change this. A “sweeping and comprehensive” reworking of data protection requirements, GDPR will demand changes to business models for UK companies in every sector. All companies will have to reorder the organisation of data processing, but each sector will see changes to the way companies do business as a result of the EU legislation. UK Boards must plan to direct major cultural changes throughout their organisations.
GDPR brings fundamental changes
The consequences of the General Data Protection Regulation (GDPR) for business in every sector are considerable: manufacturers expect job cuts; healthcare will see sharply increased expense around the collection and use of personal data; financial services must expect increased auditing and thematic reviews by multiple agencies; the public sector has to develop and implement new strategies.
To give a straightforward example: B2B marketing will now require far more extensive controls for data processing and for managing consumer consent, as the British Direct Marketing Association points out in a recent report.
Nearly every UK business today is dependent on data, and GDPR enforcement in the UK can lead to losing access to that data. Analysts agree that UK boards must make the company-wide changes the law requires, creating a new framework for decision-making and a new organisational culture to manage the risks and achieve compliance.
Making these changes will raise costs, and lead to job cuts and management changes in some sectors. Board members and management will succeed or fail based on their ability to chart a clear course. Those that do succeed will, however, create new opportunities for their organisations.
Manufacturers must boost data controls
Some sectors clearly are lagging. The majority of UK manufacturing businesses are unaware of the new wide-ranging data protection rules which come into force in less than a year’s time – despite 18 per cent admitting the maximum fine for non-compliance would force them out of business and 14 per cent saying it would lead to large scale redundancies, according to a YouGov survey of 300 manufacturing businesses.
Fourteen per cent of UK manufacturers think they would need to make significant job cuts with a further 20 per cent admitting that smaller scale headcount reductions will be necessary.
Manufacturers are likely to have access to a large amount of personal data from customers, suppliers, sub-contractors and employees. They must make it possible to record how that data is used and to capture consumer consent. Where employees have previously used consumer data for any purpose, there now must be specific reasons to justify its collection and use – this makes for a cultural change.
That change must be directed by a board-level data officer who must take ownership for GDPR compliance across the organisation – this means vast changes in management structure.
Healthcare must redefine “personal data”
For the healthcare industry, personal data is an essential element. But GDPR redefines personal data, creating a special category known as “sensitive personal data.” Use of this data must be specifically justified, and it can only be used in certain cases.
The GDPR prohibits the processing of certain special categories of personal data (or “sensitive personal data”), subject to certain exceptions. The special categories of personal data include, among other things, genetic data and data concerning health.
“Genetic data” includes personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. The GDPR also defines “data concerning health” for the first time. “Data concerning health” includes personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status. Organizations operating in the life sciences and healthcare sectors must show that they are within one of the exceptional circumstances set out in the GDPR for which sensitive personal data may be processed.
This calls for a massive reorganisation of management and operations for healthcare companies. It raises costs and will require boosted data controls.
Financial Services require “risk-based implementation plan”
“It’s very clear that the GDPR is a ‘Game Changer’ in data protection and privacy and as a result FS firms must now urgently start to create a risk-based implementation plan rather than delay this process,” advises Bryan Foss, one of Europe’s leading governance and data protection experts.
All of the data controls we’ve discussed above apply to financial services, of course, meaning that the same kind of boardroom-led reorganisation is required for banks, brokers, wealth managers, etc.
The Financial Conduct Authority, the main watchdog for the financial sector in the UK, and the Information Commissioner’s Office will be working together to audit the sector. Thematic reviews will be increasingly used in these audits, and this will put extra pressure on financial institutions to make certain they are compliant.
New organisation, new culture, new procedures
Regardless of the sector, a unified data protection regulation brings a whole new set of challenges. Companies need to evaluate their data processing and security practices to implement procedures for consumer consent, sensitive data authorisation, notification to the Commissioner’s office, and notification in case of data breach. However, for companies that have never prioritised data protection before, the next two years will place a considerable onus on compliance.
Says London-based data protection lawyer at the Taylor Wessing group Vinod Bange: “The obligations on processors mean that large numbers of organisations are going to be brought directly into the data protection regime for the first time. Coupled with the increased audit trail requirements, boards must take steps to take up this greatly increased compliance burden under the GDPR.”