Board level GDPR engagement may need more attention

24 October 2017 Consultancy.uk

The British government has warned that boards of 15% of FTSE 350 companies are scarcely aware of the introduction of the GDPR, while only 8% are completely prepared, meaning a significant number of top organisations are set to be stung by the major new data regulations. The relatively far reaching effects of the legislation, as well as the costs of failing to comply, mean boards looking to avoid hefty fines need to do more to determine whether the companies they govern will meet requirements before enforcement, in May next year.

The General Data Protection Regulation (GDPR), which is already binding on companies in the UK (as a current EU member), will come into enforcement from May next year. The new policy, which aims to improve customers’ control of their data, will have a range of impacts on the business environment. This includes everything from the conditions under which data can be processed and reporting requirements, to how customer data is actually being used, as well as the conditions under which data can be retained or transferred – while the GDPR rules also require large companies to appoint a Chief Data Officer, as well as wider rules around reporting and audit practices. Failure to comply with the GDPR could be costly, with FTSE 100 companies alone warned of a collective $5 billion bill in fines, should they fail to adapt swiftly.

In the 2017 edition of the UK government’s FTSE 350 Cyber Governance Health Check Report – supported by its audit partners, the Big Four firms Deloitte, PwC, EY and KPMG – researchers explored how prepared FTSE 350 companies are for the new rules at board level.

[Chart: GDPR new requirements]

Awareness of the GDPR (in so far as it already binds) is heavily skewed towards those that are very aware (almost 40%) and somewhat aware (around 45%). Few of the respondents said that they are only slightly aware of the new rules, at a little over 15%. However, this is still a significant proportion, considering the hefty fines that could be levied against them.

In terms of how prepared organisations are to comply with the rules, very few said that they are ‘completely prepared’, at around 8%. The vast majority of organisations said that they are somewhat prepared for the new rules, while 15% said that they are slightly prepared. Given the wider implications of non-compliance, particularly the harsh fines, focusing on becoming compliant would be prudent.

[Chart: Business preparation for GDPR]

The report also notes the wider implications of the GDPR for organisations, including how cybersecurity operations are implemented and run, as well as where investment in such capabilities is best spent. In the wake of major hacks hitting the UK government, institutions such as the NHS, and even top cyber-security advisors Deloitte, the issue has taken on major importance, with protecting the data of service users from hostile sources a paramount responsibility.

Matt Hancock, Minister of State for Digital, said on the matter, “Acquiring Cyber Essentials will provide companies with a good, basic level of cyber security, which they will need to supplement with further protection based upon their own risk profile. This will be particularly important as we approach the May 2018 deadline for GDPR to come into force. Our economy is a digital economy. Cyber security is critical to the successful growth of this digital economy. Working together, government and businesses can help to deliver the shared goal of making the UK the safest place in the world to do business online.”

Key concerns

When it comes to meeting the requirements of the GDPR, the ‘individual right to personal data deletion’ and a ‘tightening of consent requirements’ were causing companies the most concern in relation to compliance, at around 45% of respondents each. Data portability, which could improve the competitive environment, comes in second, at 30% of respondents, while increases in supplier liabilities, and a requirement to report breaches within 72 hours, were cited by around 25% and 20% of respondents respectively.

[Chart: GDPR areas of concern]

Around 12.5% reported ‘none of the above’, while a disconcerting proportion of around 15% replied ‘I don’t know’. Given the impact of the various concerns on potential fines and liabilities, the consultancy notes an increased importance of turning to the Information Commissioner’s Office’s guidance on meeting the new requirements.

In terms of board level involvement, various different levels of engagement with the GDPR were noted. Around 40% of boards said that they ‘... have heard about it once or twice but it is not regular board business’, while almost 30% of respondents said that they listen to occasional updates about it, for example at bi-annual briefings. Some boards are more active, although only around 15% say that they ‘... regularly consider GDPR and make decisions (e.g. investment policies)’. Around 12% either did not know, felt it wasn’t applicable, or treated it as a ‘technical’ topic, outside the scope of the board.

[Chart: GDPR regulation attention at board level]

That 4% believe the GDPR is not applicable to their organisation is a major concern, according to the authors, with the paper stating, “GDPR will almost certainly apply to all respondents to this survey, and all those within the FTSE 350. Therefore, Boards should now have GDPR as a regular agenda item in their Board discussions.”