GDPR Readiness – A Board of Directors Level Issue

Recent high-profile data breaches have kept cybersecurity in the news and made data protection a priority at many companies. What firms don’t realize is that the impending European Union (EU) General Data Protection Regulation (GDPR) has elevated the data privacy issue to a Board-room level for any company doing business or collecting data on residents of the EU. For more on GDPR, see How to Comply with GDPR.

Financial and Risk Responsibilities of the Board of Directors

In the US and in the EU, a publicly traded company's Board of Directors typically has an Audit Committee responsible for overseeing financial reporting and risk management. This is where the GDPR readiness discussion needs laser attention, full understanding and top-line support.

[Image: Compliance requires a review of strategy and risks]

Asking the hard questions

Audit Committee Chairs should be asking some essential GDPR readiness questions of the company’s senior executives:

Is our company able to answer and show documentation that sufficiently addresses these questions?

  • WHAT: What personal data do we have?
  • WHERE: Where is it stored?
  • WHY: For what purpose do we have it? Do we know all the processing that is done with it?
  • WHO: Who has access to it? Do we have appropriate data controls?
  • WHEN: When do we dispose of this data? Do we have the right retention policies?

Implications

If your executive team cannot clearly articulate the company’s position for each of these questions, it may be time for the Board of Directors to get more actively involved. Here are some suggested next steps:

  • Set up a Board-level committee to supervise GDPR compliance across the company. This could be led by the Audit Committee Chair.
  • Ask the Legal Counsel and Chief Information Security Officer to set up a GDPR Readiness and Remediation Program, and provide regular updates starting with the next Executive Board meeting.
  • Jumpstart this Program with a review of what personal data is collected about customers, prospects, employees and suppliers.
  • Assess the risk that uncontrolled growth in file shares and cloud storage is leaving personal data within an information governance platform that is not GDPR-compliant.

Significant Opportunities

While GDPR compliance helps enterprises mitigate the extensive risk inherent in non-compliance fines and lost customer trust, a critical “by-product opportunity” is revealed when a well-executed personal data protection program is enacted. Customers have more confidence and trust in companies that protect their personal data, and will be more willing to share more of this data. This enables the enterprise to continue to collect the data necessary to provide advanced services, and savvy customers will be willing to participate.

There’s Still Time to Act

If you are a Board member at a public company that collects European Union resident data, the time to act is now. Ask the right questions and become the sponsor of a GDPR Readiness Program. Talk to your Legal Counsel and Chief Information Security Officer (CISO). There is still time. Veritas can help. Our Advisory Services can help get you started with GDPR. Contact us for a GDPR Readiness Assessment or review our capabilities at www.veritas.com/gdpr