May 22, 2018

GDPR: What Boards Need To Know Now

This article was originally posted by Corporate Board Member and Written by Patrick Gorman


With Europe’s General Data Protection Regulation (GDPR) fast approaching (May 25th is the implementation date), boards are likely putting their final preparations into place.

Diligent, which offers secure corporate governance and collaboration software solutions for boards and senior executives, has come out with a checklist on the wide-ranging data security regulations that aims to help ensure an organization is complaint. Corporate Board Member spoke to Diligent CEO Brian Stafford and CFO Michael Stanton about the coming regulations and final steps boards should be taking before the implementation date.

Below are excerpts from this interview.

What are some of your general thoughts on the overall impact that these new regulations are going to have on corporate boards?

Brian: Look, I think GDPR is going to have a material impact on board rooms. For the first time ever, board directors are going to be held personally responsible and accountable for protecting data. So for example, if they aren’t compliant, they can be hit with fines as much as 4 percent of global revenue. And there’s implications and at least threats that they could face jail time as well. So I think if you look at the scale that, within Europe, of keeping a focus on GDPR, you know, it’s pretty material impact on the business and impact in particular on the board. I think one of the more interesting components is, you know, it doesn’t matter if you’re based in the EU. It impacts U.S. companies as well. And if you look at even the well-known Facebook kind of breach of trust, I think GDPR represents not just a European standard, but a great global standard for boards to focus on and make sure that they maintain the trust and privacy of information on a global scale.

In terms of what does that mean, what should boards do, do you assign a role of a data protection officer? How do you think about that? Who’s focused on it all the time? From a board perspective, it’s great to have someone come into your board and get accountability around who owns this and who is solving it. So having one central person do that is an interesting option. It requires material changes to marketing, how you reach out, how you connect with your prospect and customers, and it really requires end-to-to end encryption across all data across businesses. And given the proliferation of digital forms of marketing, it really is something that impacts just about any global company. It’s a pretty material, exciting change.

Why it so important that a dedication to cybersecurity starts from the top?

Brian: Quite candidly, it represents a material amount of risk for the business. So anything that tends to be risk and/or compliance focused tends to run through the audit committee, which is simply made up of current and former CROs. It ends up being a material area that is owned by the board. The other reason that cyber in particular is owned by the board is… you typically have director and officer insurance, which means that, if the company did something wrong, if you were sued personally as a director, you’d have an insurance provider be able to pay for any of those expenses.

“I THINK GDPR REPRESENTS NOT JUST A EUROPEAN STANDARD, BUT A GREAT GLOBAL STANDARD FOR BOARDS TO FOCUS ON AND MAKE SURE THAT THEY MAINTAIN THE TRUST AND PRIVACY OF INFORMATION ON A GLOBAL SCALE.”

And for the first time, actually being negligent around cybersecurity has a risk of piercing your DNO insurance. That means as a director, for you to actually say, “Oh, I didn’t go through all,” pardon the pun, but, “diligent processes to actually make sure that we as a company were not in violation of anything from a GDPR perspective and/or from a cyber risk perspective,” that can pierce your insurance and people can go after you personally. So not only are board members focused on good governance, but when the impact of these changes can actually directly get at them, that of course also drives that awareness, which is part of the reason why GDPR legislation is actually focused on or has visibility into and by the board.

What are some of the important things that directors ought to keep in mind in terms of making sure that everybody on the board is up to a certain level in terms of cyber-savviness? 

Brian: I think there’s two different levels that you’re already starting to see most boards take and/or you will expect more boards to take. The first one is, cybersecurity ends up being a pretty frequent topic within the board, just the subject of cyber risk. So the first step is making sure that your directors are, to use your phrase, cyber-savvy enough to ask the right questions. And there’s a lot of different training programs and experts that I think boards will have come in to teach them how to ask the right questions. And I think that has gone from something that maybe three to five years ago was something that happened infrequently to something that actually is a pretty darn frequent and a very visible issue for boards. I think it actually has hit the top of the agenda.

The second area that I think you’ll see more and more boards invest in is bringing on a technology or cyber risk expert to your board. Step one, like I said, is asking the right questions. Step two is, you have to have someone sitting in the room as a board member where, when the CTO or CIO or CISO, the chief information security officer, comes and says, “Here’s what we’re doing?” Someone who has the depth to push that person and actually get underneath whether there is more that you could be doing, more so than just bringing a consultant or someone else. So I think you will see more and more investment around either technology expertise specifically, that means someone who has a very technical background, has been a CTO or CIO, and/or specific cybersecurity experts who sit on the board.

Michael: Yeah, I couldn’t agree more… I do think you are going to see, whether it’s a changing of the guard or an enhancement to the broader board and, look, also the management team. Brian referenced data privacy officers and whatnot. A lot of organizations are going to have to sort of a responsibility, whether it’s under the CFO or the general counsel. That’s how you’re going to see it evolve. But I think on both sides, corporate management as well as the board, I think the evolution of this is going to be, you’re going to see more dedicated expertise for sure.

Why is it so important for directors to kind of look in the mirror and start with themselves when it comes to cybersecurity?

Brian: Ultimately, in a world where we’re constantly reading about culture and the tone from the top, I think the tone from the top not just comes from the CEO and CFO, but also from the board. And you have to be in a world where people practice what they preach, and you can’t have the top of the house preaching something else and not adhering to those same principles at the very least, if not a higher principle or standard. You’re right, you have some of the most sensitive information that is out there for a company, in many cases going to board members in insecure kind of channels that’s out there in the open for everyone. So whether that is emailed board materials, whether that is emailed or sent around a M&A pipeline, material, whatever it might end up being. I think you’ll probably remember the phishing attack that Colin Powell was unfortunately caught by where all Salesforce’s M&A pipeline got out in the open.

No director means for anything bad to happen to any of the companies that they’re associated with, but you know, hacking and sophistication around cyber just continues to go up and people need tools to help them be more effective. Most directors are retired and they use their own personal email address, and we would be kidding ourselves if we didn’t think that there was communication about company initiatives, decisions, actions that weren’t happening between the board [through those emails]. And we just recently released a survey where 92 percent of directors said they used their personal or unsecure email for communications… so you look at all this communication that goes back and forth over free third-party email service providers that have either been hacked [or are] prone to a phishing attack. So just more secure tools that can help directors actually be more protective of their data and kind of practice what they preach are incredibly effective and helpful.