Compliance with data protection legislation is the responsibility of the board of directors of every organisation and must be prioritised in the boardroom. David O’Sullivan explains why
Data protection starts and ends in the board room. Every board member should have a good understanding of data protection and how it affects their business, and every board- and sub-committee must be equally aware of the organisation’s existing compliance status and the operation of its data protection framework.
Data protection fines to board members and directors
Under the Data Protection Act 2018 (GDPR), directors may be liable for a fine of up to €50,000 and/or five years' imprisonment if they are found to have allowed the organisation to commit an offence through consent, connivance, or negligence.
In the UK, the Information Commissioner’s Office has levied personal monetary penalties against company directors, demonstrating an appetite to keep senior management and company directors accountable for their actions.
And while at the time of writing we are unaware of any such actions against company directors in Ireland, penalties here will inevitably follow.
What questions should board members be asking?
The data protection world is changing rapidly with the onset of fines, decisions and guidance from regulators, alongside evolving technology and new legislation. As such, it is crucial that organisations remain vigilant to change and proactively manage it, avoiding unnecessary risks.
There are some key data protection questions board members should ask:
- How are we staying abreast of changes?
- What are our current top risks?
- What are our industry peers doing?
- Are we making the most of this challenge/opportunity?
- Do we have the right level of expertise to deal with this? Do we need a full-time resource? Can we outsource the Data Protection Officer (DPO) role?
- What are the upcoming actions in the data protection framework?
How involved should the board be in data protection?
For an organisation to have data protection embedded, the board should oversee change and the direction of data protection. The following examples illustrate what high, medium and low levels of board involvement may look like in an organisation:
High – a member of the board is made responsible for data protection. They regularly meet with the DPO or data protection manager for updates and report to the rest of the board on compliance at each meeting. The DPO presents to the board regularly, and the board actively asks for updates on risk actions.
Medium – the board receives bi-annual reports from the DPO outlining compliance efforts and key risks, and receives updates on risk actions.
Low – an update report is provided to the board every quarter, with one annual report presented by the DPO or another person responsible for data protection compliance.
How to know if your data protection framework is effective
Every organisation has a data protection framework, some more formalised than others. Your framework must operate effectively, ensuring you will achieve your desired outcomes.
You will know that your framework is effective if:
- staff receive regular training and awareness updates;
- you are informed of data protection risks;
- privacy has been built into processes and procedures; and
- frequent updates are given to the board on compliance status and steps to reduce any compliance gaps.
How to use data privacy to your advantage
There are several reasons to keep privacy in your strategic plans, ranging from compliance and fine mitigation to risk management and consumer trust.
Consumer sentiment is changing, and people are making choices based on how their personal data is protected. No stronger evidence is needed than the efforts of the world’s largest consumer technology companies to increase privacy and security—Apple giving more tracking control to users, for example.
To use privacy to create strategic and competitive advantage, the direction needs to come from board level and be embedded into the company culture. The most effective programmes are in organisations with clear ownership of data protection at the top level.
David O’Sullivan is Consulting Manager with Mazars