All EU businesses that handle data will have to comply with the General Data Protection Regulation (GDPR), which will require investment in systems and training for employees. As the deadline for implementing GDPR approaches, data privacy is rising up the agenda for senior management and board directors. The GDPR will affect many departments and goes beyond any border within an organisation, so the relevant level for accountability has to be at board level. As a minimum, boards must ensure that their businesses remain compliant with the GDPR. Companies will have to constantly monitor their systems and processes against the regulation’s requirements, avoid data breaches and manage the risks. Large companies may want to create privacy committees to improve oversight or link data privacy objectives to directors’ performance management.
Board members must ask themselves some fundamental questions on GDPR:
- What do they really know about their company’s GDPR readiness? Have they seen their company’s GDPR-readiness assessment? This provides an overview of the risks and where they are located.
- How do they ensure they have all the information they need?
- Have they seen their company’s implementation action plan with specific recommendations, such as system adaptation or cyber-training programmes?
Boards simply can’t ignore these questions. Companies that fail to comply with the GDPR could face fines of up to 4% of global turnover or €20m, whichever is greater, in the case of a breach. Most importantly, the reputational damage of such a breach can have major consequences for a business.
However, I strongly believe it’s important to stress that smart companies are focusing on the opportunities to maximise returns on investment, rather than focusing on the threat of sanctions. The new GDPR requirements can be an opportunity for organisations to promote a data-responsible image. Companies need to find new ways to limit the amount of data they collect, and communicate the benefits to customers. For large, international companies the harmonisation of the data protection rules across Europe is a positive step. The introduction of the “one stop shop” principle, for example, allows businesses to rely on only one regulator when they are a cross border organisation.
The strategic importance of data protection will remain a boardroom issue long after the May 2018 deadline and boards need to ensure they are ready for the impact of the GDPR. However, whether that impact is positive or negative is largely in their hands.
This blog is an excerpt of an article, “New frontiers in data privacy” which appears in the Spring 2017 edition of Board Agenda. The full article can be found here.