Directors are specifically mandated to manage data protection risk under the General Data Protection Regulation (Regulation EU 2016/679), which takes effect in the UK and throughout the EU on 25 May 2018 – Brexit will not change this. Implementing GDPR involves a large part of the organisation, so boards must step up communications as well as their work with the Data Protection Officer and the Risk Committee. The Board Portal manages this process efficiently and securely for directors.
Race to Implement GDPR at UK Companies
References to GDPR are everywhere at the moment in the UK. Directors are being bombarded with news and information on the subject, yet many are simply burying their heads in the sand and hoping that management will handle the reorganisation of data protection. Unfortunately, it’s more likely that the responsibilities and reliance on the board to manage this complex transition will increase.
Much was said last year about security fatigue and the fact that many people were growing weary of hearing about the latest cyber-attack and endless advice to change their passwords. We see this sort of communication fatigue in many areas of people’s lives, in response to health campaigns, electioneering and, in general, in relation to an ‘always on’ culture of email and social media. The same applies to GDPR communications. When we overwhelm people with messaging, we run the risk of becoming yet more noise in an already-overflowing inbox.
Holistic Approach Is Needed
GDPR is an operational exercise, not a legal one, so directors cannot rely on the lawyers alone to determine a corporate response.
Instead, GDPR in its full extent breaks down silos: it touches a very broad range of roles and levels in an organisation. Legal, finance, compliance, audit, IT, security, training and the board of directors all own a slice of the GDPR pie. A combination of technical tools, ongoing and sustainable process governance, and cultural change is required.
GDPR needs to be addressed with a carefully contextualised, holistic approach. Organisations shouldn’t be acquiring and implementing niche tools to tick off problems as stated by third parties; they should instead take a holistic approach to rolling out the business change that GDPR requires. Yes, this includes software, but it also means a permanent cultural shift in how the organisation thinks about and handles personal data, as London-based expert Neil Patrick, director of the SAP Centre of Excellence for GRC & Security, EMEA, explains.
Focus of Roles for UK Boards
The CEO and the board of directors will be focused on:
- Impact of GDPR on business processes: Achieve top-to-bottom review of relevant privacy data being processed within the business processes. Understand risks and challenges as well as new opportunities.
- Employee training about the new requirements: creating awareness of how staff should take notes and record information about customers, prospects and employees.
- Protection against GDPR-related fines and the impact on directors’ and officers’ liability insurance (also known as D&O insurance), based on the company’s current GDPR risk exposure.
- Cost-effectiveness of data: is the company collecting and accessing more personal data than it needs? Check the possibilities of reducing the amount of data gathered, since the continued accumulation of silos of unused, and potentially toxic, data increases the need for encryption and, therefore, for further investment.
The data protection officer (DPO) will collaborate with the chief compliance officer (CCO) and the chief risk officer (CRO), and together they will focus on “Lawful Processing,” as defined in Art. 6 of the GDPR text, and “Accountability,” as explained in Art. 5 of the regulation.
These executives will be working closely with the board to introduce clear company-wide data protection policies to ensure rapid and effective reaction to potential breaches, and the ability to inform the relevant authorities quickly in case of a breach – this is a clear responsibility that devolves on both the board and management.
Equally important will be establishing an accountability framework. This involves adding documentation of the current risks and controls for the GDPR regulation into the existing internal controls system, and it requires cooperation between the DPO, the CRO and the Risk Committee.
These executives will also have to establish a risk-based approach by assessing the “likelihood and severity of risk” of personal data processing operations. For example, “high-risk” processing operations will raise additional compliance obligations, such as data protection impact assessments (DPIAs), and will encourage a culture of monitoring and assessing data-handling processes.
Role of the DPO and the Board
The actual organisational titles and roles will vary from organisation to organisation, but businesses implementing compliance with the GDPR will each need to establish comprehensive programs addressing the key data privacy areas. The more automated and integrated the program is (with existing business applications, audit and compliance tools), the more effective, cost-efficient and preventive this program will become.
As we have seen, all businesses of a certain size that market goods or services to customers within the European Union and collect data must appoint a Data Protection Officer. The DPO works on behalf of the customer’s privacy. Thus, many of the recommendations of a data protection officer will risk causing conflict with the aims of other data roles within the company. As this is usually a board-level position, coordination with the risk and audit committees is essential.
The DPO is responsible for staying up to date on all laws and practices around data protection, and for briefing the board and its committees. He or she ensures that all other matters of data compliance are up to date as well. The DPO must report directly to the highest level of management and to the board itself, ensuring that this executive’s expert knowledge of data protection is communicated in a form the board can work with.
The DPO also conducts internal privacy assessments, ensuring that obligations are met and that compliance is properly monitored.
The chief information officer (CIO) will work closely with the DPO on technical solutions that capture the consent of data subjects and protect all of their rights. The GDPR imposes a new regime in which companies must demonstrate the consent of data subjects to the use of their personal data, and show that the processing will not adversely affect those subjects. A process for revoking consent must also be set up.
Data subjects, such as customers, subscribers, users, employees, partners and the external workforce, will gain extended information rights: the right to correct information, the right to export and transfer it, and the right to be forgotten. All of this must be integrated.
Diligent Boards Portal Supports GDPR Implementation
Clearly, communication among all of these actors must be maintained in a secure environment and at a high level of efficiency.
As we’ve seen, communication must be continual among the DPO, the CIO, the Chief Compliance Officer, the Risk Committee and the entire board itself.
Diligent Boards provides real-time, secure communication. With Touch ID sign-on, real-time updates and 24/7/365 mobile collaboration, Diligent board portal software gives directors the information they need, when they need it, for swifter, more informed decision-making. For administrators, intuitive tools and customisable archives mean more efficient, effective information delivery, supported by remote wiping if a device is lost or stolen.
In today’s climate of escalating security risk and increasingly high stakes, boards can’t leave security to chance. Diligent delivers peace of mind with state-of-the-art encryption, data storage, access controls and more.