GDPR and the Boardroom: What directors need to know.

By Eve Tahmincioglu
June 15, 2018

The General Data Protection Regulation (GDPR) kicked in May 25 and many companies around the globe are still trying to figure out what that means for their businesses, even as some could face fines for privacy shortfalls.

The European Union’s far-reaching data privacy regulation was implemented to secure the privacy of EU citizens, but some experts believe similar laws will eventually be implemented around the globe.

GDPR, and the bigger issue of cybersecurity, are matters that should concern more than just company management.

Michael Stanton, the chief financial officer for Diligent Corp., a board solutions company, answers questions about GDPR’s impact and what directors need to know.

Q. How much impact will GDPR have on boards and directors?

A. It is too soon to know how GDPR will change the business landscape, but the regulation did get off to a tumultuous start. What we have seen thus far is a substantial amount of litigation in this short timeframe, particularly against the largest organizations in the technology space. This puts a spotlight on businesses’ board directors and management teams to be ready to pivot to new ways to generate revenue, particularly the ones that were overly reliant on traditional demand generation in EU markets.

The impact GDPR could have on boards and directors cannot be overlooked — imposing strict new rules on how organizations collect, manage, and use customer data, and levying steep fines for those that violate the new rules. In the case of GDPR, organizations that do not comply will be met with fines of as much as 4% of annual worldwide turnover, or €20 million, whichever number is greater.

Given the seriousness of the fines, the complexity of the new rules, and the potential impact on how companies approach marketing, sales, and customer service, businesses can’t afford to wait to take action. Now would be a good time for boards to reevaluate the expertise in the boardroom and augment it with outside expertise as needed. Boards should make sure they are fully briefed on the implications of the new rules — for example, many organizations are required to assign a data protection officer and gain explicit written consent from customers to store or use their data.

Another critical area that has particular implications for board members related to GDPR is global M&A. Board members and their respective management teams may conceivably have prepared well for GDPR compliance within their own organizations, but recently acquired or pending merger or acquisition targets may not have the same requisite hygiene. Boards need to ensure that their companies conduct proper due diligence on targets with respect to GDPR and be well prepared to negotiate protective terms and remediate as necessary post-closing.

It’s also important to note that while this regulation is one being instituted by the European Union (EU), its implications are far reaching as it pertains to every company that has any presence in the EU — including EU customers visiting the company’s website. The truth is every company collects, stores and manages data today, and it is now essential for every boardroom to understand its company’s practices and the impact GDPR could have on business operations. Additionally, with the current conversations surrounding trade, U.S. organizations are warning there could be repercussions stemming from the regulation given the sharing of data across the globe.


Q. Is the board setting the tone for cybersecurity?

A. To some degree this is the case but a material gap exists between what is being said within organizations and what is being done by management. According to the nonprofit IT governance firm ISACA, 59% of companies that are affected by GDPR are going through governance changes to fit regulations, yet only 32% are satisfied with their progress preparing for it.

Driving regulatory compliance throughout the entirety of an organization always starts at the top; however, it is particularly the case with GDPR. This regulation requires them to modify their current thinking and shift their focus from being observers to leaders. The truth is the boardroom has historically operated under the assumption that cybersecurity risks are out of their hands. That has begun to change in recent years, however, with concerns that liability related to cyber events could pierce an organization’s D&O insurance. The reality is it’s too early to tell exactly how personal liability will apply across the European Union, but GDPR will likely result in increasing responsibility for the board director.

Q. Are boards “cyber savvy” enough?

A. Again, I think that there is a huge amount of variability in how “cyber savvy” boards are today. It is fair to say that we are seeing increasing savviness globally, and I expect that GDPR will materially accelerate the cyber acumen within the boardroom. In conjunction with the NYSE, Diligent released a survey that found more directors now recognize that their company’s cyber risk management strategy is an area of board concern; however, many directors lack the necessary expertise to feel fully confident in navigating cybersecurity issues.

Given this, I expect there to be a shift in the background seen in board directors as a result of this regulation. Companies will benefit from requiring board directors to have a substantial understanding of cybersecurity that will put the organization in a position to navigate the time of change in which we operate. One potential solution for the lack of cyber knowledge is to create a board committee specifically focused on cyber risk and cybersecurity. I consider myself incredibly fortunate as I am in the enviable position of having nearly an entire board that is expert in cyber issues.

Q. Do the board and its members practice good cybersecurity hygiene?

A. With the rapid pace of change today, on a holistic level, I do not see board members keeping sufficient pace with the rapidly changing environment. As with any aspect of business, it is most effective to practice what you preach, and leaders who are apathetic about their own cybersecurity will find it difficult to lead an organization with tens of thousands of employees. For example, in our survey with the NYSE, we found that 92% of directors use their personal and unsecured email for communication. What’s more alarming is that almost two-thirds (62%) of directors reported not being required to undergo cybersecurity training at all! This is particularly worrisome, as it poses a massive threat to the decision makers at the world’s largest companies while highlighting the lack of action by today’s businesses.

There is yet to be a group that uniformly owns the issue of cybersecurity at the board level. With GDPR taking effect, it’s no longer an option for board directors to sit on the sidelines to wait and see what happens.