As we close in on the final run-up to full implementation of the General Data Protection Regulation (GDPR), companies need to start taking a hard look at their practices. In particular, their boards need to take an active part.
It’s not too late
But it will be soon. With maximum fines of up to 4% of global turnover, increased administrative implications and data breach notification requirements only 12 months away, there is a lot of work to be done.
Unfortunately, many companies have taken an ostrich approach to the whole problem – expecting Brexit to save them from having to put their hands in their pockets. It won’t.
Not only because we will still be in Europe for at least three years after the full implementation of GDPR. Not only because the Regulation applies to any company that has dealings with people in Europe (and in these days of global websites, who doesn’t?). Not only because the Information Commissioner, Elizabeth Denham, has already stated that the Regulation will still become part of UK law. But because it is the right thing to do.
If that isn’t enough to make your board tremble, what about the fact that all directors can already become personally accountable for up to £500,000 (each) in the case of a major contravention?
I have to admit, if I were in their shoes (and I guess I am as a business owner), then I would be concentrating like heck. Forget the Marketing Plan, forget the Health and Safety tinkering, forget the proposed mergers – one good contravention of GDPR could bankrupt your company and personally financially damage the whole board.
The GDPR contains a number of requirements designed to increase accountability, including: training staff; carrying out audits and privacy impact assessments; implementing privacy by design; and establishing breach notification procedures.
What should the board do?
As a first step to being GDPR-ready, companies (and their directors) should be able to confidently answer the following:
- What personal data do we hold?
- Where is it?
- What is it being used for?
- How secure is it?
Depending on the nature and size of an organisation, answering these questions could involve significant time and resources. Accordingly, if they have not already done so, boards should start allocating budget for this now. Finding and analysing data, and then ensuring that it is, amongst other things, accurate, up-to-date and only processed for the specified purpose, can take a lot of time.
Given the level of potential fines and reputational harm, a board that fails to be ready for GDPR could be seen as failing in its directors’ duty to exercise reasonable care, skill and diligence, which could result in action for damages, termination or disqualification.