Data privacy – too strategic for boards to ignore

Data privacy – too strategic for boards to ignore

Thu 18 May 2017

Personal data security is increasingly important, but many companies may not be ready to comply with the EU’s tough new data protection laws, which must be implemented by May 2018.

All EU businesses that handle data will have to comply with the General Data Protection Regulation (GDPR), which will require investment in systems and training for employees. As the deadline for implementing GDPR approaches, data privacy is rising up the agenda for senior management and board directors. The impending GDPR is a particularly pressing issue for Financial Services (FS) business, as within the FS sector there are unique issues which generate specific data protection challenges:

• The Global nature of the industry means that there are increasing amounts of transactions, customer data and storage for historical databases. Furthermore, there are vast quantities of complex outsourcing arrangements involving off-shoring and cloud computing systems.

• Managing compliance and risk management, through Anti Money Laundering customer due diligence, employee monitoring and calls carrying out credit checks.

• Data privacy and security not only places significant pressure on infrastructure but also the necessity to comply with ever increasing regulatory constraints beyond customer confidentiality obligations. FS business are subject to multiple supervisory bodies such as EU member state laws, the FCA and also payment schemes.

The GDPR will affect many departments and goes beyond any border within an organisation, so the relevant level for accountability has to be at board level. As a minimum, boards must ensure that their businesses remain compliant with the GDPR. Companies will have to constantly monitor their systems and processes against the regulation’s requirements, avoid data breaches and manage the risks. Large companies may want to create privacy committees to improve oversight or link data privacy objectives to directors’ performance management.

Board members must ask themselves some fundamental questions on GDPR:

• What do they really know about their company’s GDPR readiness? Have they been seen their company’s GDPR-readiness assessment? This provides an overview of the risks and where they are located.

• How do they ensure they have all the information they need?

• Have they seen their company’s implementation action plan with specific recommendations, such as system adaptation or cyber-training programmes?

Boards simply can’t ignore these questions. Companies that fail to comply with the GDPR could face fines of up to 4% of global turnover or €20m, whichever is greater, in the case of a breach. Most importantly, the reputational damage of such a breach can have major consequences for a business.

However, I strongly believe it’s important to stress that smart companies are focusing on the opportunities to maximise returns on investment, rather than focusing on the threat of sanctions. The new GDPR requirements can be an opportunity for organisations to promote a data-responsible image. Companies need to find new ways to limit the amount of data they collect, and communicate the benefits to customers. For large, international companies the harmonisation of the data protection rules across Europe is a positive step. The introduction of the “one stop shop” principle, for example, allows businesses to rely on only one regulator when they are a cross border organisation.

The strategic importance of data protection will remain a boardroom issue long after the May 2018 deadline and boards need to ensure they are ready for the impact of the GDPR. However, whether that impact is positive or negative is largely in their hands.

This blog is an excerpt of an article, “New frontiers in data privacy” which appears in the Spring 2017 edition of Board Agenda. The full article can be found here.