Data protection in the boardroom

Compliance with data protection laws is the ultimate responsibility of the Board of directors of every organisation. Every Board or sub-committee, such as the audit and risk committee (ARC), must be aware of its current compliance status and the operation of its data protection framework.

While this responsibility can be delegated to management, it is also important to note that, technically speaking, it is not the responsibility of the DPO, whose role it is to guide and advise. The reason for this is a potential conflict of interest. A solution is to outsource your DPO.

Data protection fines to board members and directors

Under the Data Protection Act 2018, directors may be liable for a fine of up to €50,000 and/or five years imprisonment if they are found to have allowed the organisation to commit an offence through consent, connivance or negligence.   

With the recent Uber decision in the US, the pre-GDPR IKEA case in France, and most relevant to, Ireland, the ICO has made personal monetary penalties against company directors. These actions demonstrate an appetite to keep senior management and company directors accountable for their actions. At the time of writing, we are unaware of any such actions against company directors in Ireland, but penalties will inevitably be made.

Data protection questions Board members should be asking?

The data protection world is changing rapidly with the onset of fines, decisions and guidance from regulators, and evolving technology and new legislation. As such, it is crucial that organisations remain vigilant to change and can proactively manage it, avoid risks and improve opportunities.  

Some key data protection questions for Board members to ask include:

• How are we staying abreast of changes?
• What are our current top risks?
• What are our industry peers doing?
• Are we making the most of this challenge/opportunity?
• Do we have the right level of expertise to deal with this? Do we need a full-time resource? Or can we outsource the DPO role?
• What are the upcoming actions in the data protection framework?

We regularly receive such questions at ARC meetings or in our updates to Boards where we act as the outsourced DPO. The questions should pull further information from the organisation and ensure that senior management is accountable for ensuring effective compliance efforts. It also emphasises the level of priority that the Board places on data protection compliance.

How involved should the Board be in data protection?

For an organisation to have data protection embedded, the Board should oversee change and the direction of data protection. This should be tailored to the organisation, considering its sector and industry. The below demonstrate examples of what high, medium and low levels of Board involvement may look like in an organisation:

• High – A member of the Board is made responsible for data protection. They regularly meet with the DPO or data protection manager for updates and report to the rest of the Board on compliance at each meeting. The DPO presents to the Board regularly and at least quarterly. The Board actively asks for updates on risk actions.
• Medium – The Board receive bi-annual reports from the DPO outlining compliance efforts and key risks. The Board receive updates on risk actions.
• Low – An update report is provided to the Board every quarter, with one annual report presented by the DPO or other person responsible for data protection compliance. 

We regularly identify gaps with Board involvement where the only data protection information they receive is a single risk in the enterprise risk register. This is a failure on both the Board and the data protection framework. The Board should be involved as much as required to be aware of risks and compliance status. This means receiving more information than a single risk can provide.

How to know if your data protection framework is effective

Every organisation has a data protection framework, some more formalised than others. Your framework must operate effectively, ensuring you will achieve your desired outcomes.  

You will be able to know that your framework is effective if:

• Staff receive regular training and awareness updates
• You are informed of data protection risks
• Privacy has been built into processes and procedures
• Frequent updates are given to the Board on the status of compliance and steps being taken to reduce any compliance gaps

Many organisations made regular updates to the Board in 2017 and 2018 when implementing their framework, but the urgency has moved to other areas and priorities. Recently we have seen a growing number of organisations looking for assistance with their programmes. They have made no changes since that initial project leaving them non-compliant with current guidance and case law.  

How to use data privacy to your advantage?

There are many reasons to keep privacy in your strategic plans ranging from compliance, fine mitigation, risk management and consumer trust. Evidence is mounting that demonstrates consumer sentiment is changing. People are becoming more concerned about how their personal data is protected and are making more choices based on these concerns. No stronger evidence is needed than actions being taken by the world's largest consumer technology firms' efforts to increase privacy and security, as seen with Apple's push to give more control to users about tracking across applications.

To use privacy as a strategic and competitive advantage, the direction needs to come from Board level and be embedded into the company culture. The most effective programmes are in organisations with clear ownership of data protection at the very top level, and the messaging is clear and well communicated.

Key points

Data protection is changing and evolving as the business world changes and adopts new technology. Ensuring your organisation has the right tools and people to manage these changes is critical.

To do so, the Board need to:

• Keep senior management accountable
• Stay informed
• Ask the right questions

Data protection starts and ends in the Board room.

Got a question? Just get in touch