Whether we like it or not, and whether or not it is yet fully realised by many businesses, data protection (and for that read data security or cyber security) is here to stay. So, what are directors’ responsibilities for this emerging business issue, and what are the consequences for those who fail to discharge those responsibilities?
Perhaps a useful parallel is Health & Safety. If we look at how that issue has progressed over the last 30-40 years, there is a clue, but with a slight qualification. Observing mainstream news coverage and the increasing prominence of data issues, from the clamour for regulation of the “Tech Giants” and the apparent rise of fake news, to the perceived abuse of personal data, the rate of change will be faster. But back to the example of Health & Safety.
Whilst some industries might still rely on a light touch, many, such as construction, agriculture, oil & gas and manufacturing, now have it at the forefront of their business’s operations, promoting their safe working credentials as a positive factor in their delivery. To set the tone and to focus the attention of directors and senior managers, Health & Safety is often a prominent agenda point; sometimes the first item on the agenda at many meetings. Directors’ bonuses are predicated not only on the financial performance of the company, but on its safety record too. And you’d be very unlikely to gain access to a construction site or manufacturing plant without the ubiquitous hi-viz vest, safety glasses and some form of headwear alongside other paraphernalia. Will we see a similar change in the culture of businesses whose operations and success are reliant upon the use of data? In particular, professional service businesses like accountants, lawyers, real estate agents and financial advisers, who, because of the requirements of Anti-Money Laundering regulations, collect large volumes of particularly sensitive data about their clientele?
Wherever one looks to understand expectations on the issue, be it government advice from the Information Commissioner’s Office (ICO) or the National Cyber Security Centre (NCSC), or guidance from professional bodies such as the FCA (Financial Conduct Authority), SRA (Solicitors Regulation Authority) or the RICS (Royal Institution of Chartered Surveyors), to name but a few, there is a common stance. The expectation is that boards of directors will define their company’s approach on the matter and will be held responsible for its data protection compliance and governance. The case of the alleged misuse of personal data by Cambridge Analytica in 2018 gives an insight into what could be in store for those who get it wrong. Firstly, after the story broke, Cambridge Analytica became a toxic brand. When we look at the consequences of getting data protection wrong, it is easy to focus on things like fines (under the GDPR, up to €20 million or 4% of global turnover) because they’re easily quantified. But reputational damage is more difficult to calculate. For Cambridge Analytica it spelt the end! Secondly, when the company was left with no option but to wind up its imploded business, the ICO made it clear that this would not absolve the directors of responsibility for data protection wrongdoing, and that if they were found negligent the Regulator would pursue the directors individually.
But that’s all very negative and whilst boards have a responsibility for good governance and compliance, they also have a responsibility to lead. So, what might a more positive and proactive approach to data protection look like?
Recently we have seen progressive businesses, whose operations rely on data, deciding to make data security a key feature of their service. They are not only making sure they are compliant with the Regulations, but also recognising that it is simply not good enough to put some insipid line in a company’s Privacy Notice, such as “…. your information is very important to us (and) we have measures in place to secure your personal information…..,” with no substantive detail provided. More enlightened companies are seeking ways to assure both customers and business partners of their data security credentials.
One area many businesses seem to have overlooked is the requirements placed upon them if they share data with another organisation. Businesses engaging others to process their data are required to undertake due diligence on their prospective supplier (processor), and they need to be able to demonstrate that they have done this. Just as important, when your business is asked to demonstrate that it can be a trusted business partner, as others carry out their due diligence on your company, how will you answer? We are finding businesses increasingly seeking reports or certification from an independent third party, which can help them demonstrate to their inquisitors that they have indeed put in place “appropriate measures” to secure the data they handle on behalf of others.
Back to the Board. The bad news is that ignorance is no defence. But the good news is that all of this doesn’t need to be as complicated as it might sound. The critical first step is understanding: understanding of your responsibilities as envisaged under the law, and understanding how to discharge these in a simple, pragmatic and cost-effective manner, one that is focussed on doing the things you need to do to protect your business whilst avoiding wasting money on the things you don’t need to do. And in this, unless you have the knowledge to hand, drawing on some professional expertise might be a good place to start.