GDPR: What Boards Need To Know Now

What role will the board have with GDPR compliance?

With Europe’s General Data Protection Regulation (GDPR) fast approaching (May 25th is the implementation date), boards are likely putting their final preparations into place.

Diligent, which offers secure corporate governance and collaboration software solutions for boards and senior executives, has come out with a checklist on the wide-ranging data security regulations that aims to help ensure an organization is compliant. Corporate Board Member spoke to Diligent CEO Brian Stafford and CFO Michael Stanton about the coming regulations and the final steps boards should be taking before the implementation date.

Below are excerpts from this interview.

What are some of your general thoughts on the overall impact that these new regulations are going to have on corporate boards?

Brian: Look, I think GDPR is going to have a material impact on board rooms. For the first time ever, board directors are going to be held personally responsible and accountable for protecting data. So for example, if they aren’t compliant, they can be hit with fines as much as 4 percent of global revenue. And there’s implications and at least threats that they could face jail time as well. So I think if you look at the scale that, within Europe, of keeping a focus on GDPR, you know, it’s a pretty material impact on the business and impact in particular on the board. I think one of the more interesting components is, you know, it doesn’t matter if you’re based in the EU. It impacts U.S. companies as well. And if you look at even the well-known Facebook kind of breach of trust, I think GDPR represents not just a European standard, but a great global standard for boards to focus on and make sure that they maintain the trust and privacy of information on a global scale.

In terms of what does that mean, what should boards do, do you assign a role of a data protection officer? How do you think about that? Who’s focused on it all the time? From a board perspective, it’s great to have someone come into your board and get accountability around who owns this and who is solving it. So having one central person do that is an interesting option. It requires material changes to marketing, how you reach out, how you connect with your prospects and customers, and it really requires end-to-end encryption across all data across businesses. And given the proliferation of digital forms of marketing, it really is something that impacts just about any global company. It’s a pretty material, exciting change.

Why is it so important that a dedication to cybersecurity starts from the top?

Brian: Quite candidly, it represents a material amount of risk for the business. So anything that tends to be risk and/or compliance focused tends to run through the audit committee, which is simply made up of current and former CROs. It ends up being a material area that is owned by the board. The other reason that cyber in particular is owned by the board is… you typically have director and officer insurance, which means that, if the company did something wrong, if you were sued personally as a director, you’d have an insurance provider be able to pay for any of those expenses.

And for the first time, actually being negligent around cybersecurity has a risk of piercing your D&O insurance. That means as a director, for you to actually say, “Oh, I didn’t go through all,” pardon the pun, but, “diligent processes to actually make sure that we as a company were not in violation of anything from a GDPR perspective and/or from a cyber risk perspective,” that can pierce your insurance and people can go after you personally. So not only are board members focused on good governance, but when the impact of these changes can actually directly get at them, that of course also drives that awareness, which is part of the reason why GDPR legislation is actually focused on or has visibility into and by the board.

What are some of the important things that directors ought to keep in mind in terms of making sure that everybody on the board is up to a certain level in terms of cyber-savviness?

Brian: I think there’s two different levels that you’re already starting to see most boards take and/or you will expect more boards to take. The first one is, cybersecurity ends up being a pretty frequent topic within the board, just the subject of cyber risk. So the first step is making sure that your directors are, to use your phrase, cyber-savvy enough to ask the right questions. And there’s a lot of different training programs and experts that I think boards will have come in to teach them how to ask the right questions. And I think that has gone from something that maybe three to five years ago was something that happened infrequently to something that actually is a pretty darn frequent and a very visible issue for boards. I think it actually has hit the top of the agenda.