This week, NEDonBoard brings to your attention the responsibility of board of directors and board members regarding GDPR a few months following the implementation of the requirements and the first few cases of breaches.
Too many organisations are still complacent despite the many high-profile cases of data breaches and fines seen since the new data privacy laws were introduced last year.
Board directors, whether they are executive or non-executive, are responsible for governance and compliance with GDPR and are personally liable for the heavy fines. What is your risk appetite? In this article, we list the questions that company directors should ask during their board meetings or investigate outside the boardroom.
Do you know if your organisation is compliant?
Do you fully understand the risks involved? Be mindful of the following:
- Overconfidence or lethargy: “we won’t be caught”
- There is a 72-hour limit in which to report a breach
- B2B business contracts are often not suitable
- Class/Group Actions are a reality and increasing in number
- Incorrect privacy notices present a risk of fines
- Complaints to the ICO are on the increase
- Lack of ICO registration is indefensible
- Data breaches are a reality
So what key questions you should be asking your executives
A. Can we deliver the 10 data subjects rights to your clients / customers?
B. Can we respond appropriately to a data breach and in time?
“If, within the 72 hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability data checks and balances in place – as required by law.” Elizabeth Denham, UK Information Commissioner
C. Have we mitigated our risks? These first 7 risk factors above focus on your “liability without a breach” – but can your organization manage and mitigate them?
D. Can we create a defensible position?
E. Do we need Breach Insurance?
F. What do we need to deliver for data protection?
G. Do we transfer data from country to country?
H. Where is our data stored?
I. Do we have a record of processing, which is a legal requirement?
J. Do we have EU representation in place for post Brexit?
K. Do all our customer facing staff understand their responsibilities and consequences of their actions?
Trust is the driving force behind the major shift that is taking place in the world of private data.
The data economy of the future demands a bridging of the trust gap that exists between the consumer and the organisations with which they interact, requiring greater transparency, responsibility and accountability from these organisations and their senior management.
In this information age, success requires investment in data as a core business asset. It is a valuable asset that must be handled with care. Ultimately, rather than harvesting massive amounts of personal data, it is the intelligent use of permissible data that is key to the success.
The General Data Protection Regulation (GDPR) is about building real lasting Trust.
The intent, backed by strong legislation, is to migrate towards a more trust based, mutually consensual relationship between data processors, controllers and subjects.
- The risks are HUGE for those who do not comply.
- Board Directors are PERSONALLY liable for any breaches of the GDPR.
- All employees who have access to the data need to be aware and comply and therefore it is incumbent on organisations to run GDPR awareness and training courses for all staff.
The whole issue has had significant operational ramifications for the holders and processors of personal details. It cannot be ignored.
This blog post is written by The Trust Bridge. The Trust Bridge can provide the wisdom, experience and skills needed to make sure that your organisation satisfies the supervisory authorities and ensures ongoing trust from your employees and customers alike. For more information, please visit www.thetrustbridge.co.uk.
Not a member yet? Join your NED community and have access to the latest job opportunities, Events and Networking.