GDPR Fallout Shines Spotlight on Board Privacy Awareness

Most companies don’t provide director privacy training, even beyond Europe's new regulation.

By Eve Tahmincioglu

I had a conversation with a top privacy lawyer for a U.S. company last week who was proud to share that almost every employee in the organization had completed GDPR training for the European Union’s far-reaching data privacy regulation before it kicked in Friday.

When I asked her if the board received the training, she said, “I never thought of that.”

GDPR, which stands for General Data Protection Regulation, is already shaking up companies around the globe, including causing blackouts for a host of websites. Consumers in the EU have been blocked from accessing U.S. newspapers and some companies have suspended support for their products, according to a USA Today article on the GDPR fallout.

Given the high stakes, GDPR knowledge among the leaders of global companies, including directors and executives, is surprisingly lacking. According to an EY study, only 40% of global respondents believe they know GDPR fairly or very well.

GDPR is just the tip of the iceberg when it comes to privacy and the risk to all organizations, no matter where they’re based or who their customers are. But are boards being brought into the privacy fold?

Not in great numbers, according to a recent cybersecurity survey by the law firm Fox Rothschild.

Although 68% of companies train their employees on cybersecurity issues, the survey found, only 14% reported that they train directors.

And that’s even with more respondents — 52% — thinking privacy awareness among the C-suite and the board is more critical than staff awareness — 46%.

Beyond training, the study’s authors recommended directors receive quarterly updates on data security — and more frequently if something material changes — “from an informed, qualified C-level executive who is fluent and knowledgeable about cyber-issues.”

Mark McCreary, Fox Rothschild’s chief privacy officer and co-chair of its privacy and data security practice who helped lead the survey, says, “Many companies think it’s sufficient to have a well-funded information technology department, or even someone considered an expert in charge of cybersecurity.”

But, he adds, “Not every IT department, regardless of the size of its budget, is equipped to manage table-top risk exercises, sophisticated software and other aspects of breach prevention and response. Likewise, not every alleged expert is a veteran IT executive with a comprehensive understanding of how to truly safeguard the company’s data and systems.”

As for what directors need to think about regarding GDPR right now, Dominique Shelton, co-chair of law firm Perkins Coie’s ad tech privacy & data management group, offered the top three things boards need to know:

  • Fines. The GDPR has the potential for exorbitant fines — 4% of gross sales for the year prior or 20 million euro, whichever is higher. (It’s unclear if there will be a grace period. According to an article in The Parliament Magazine, EU officials have threatened GDPR would be “strictly enforced” as of Friday. But according to an article in Financial Times, "Several countries have failed to pass the necessary legislation to implement them nationally. Serious questions have also been raised about the ability of data protection authorities across the bloc to enforce the new rules adequately.")
  • This is a global trend. Other regulators in the U.S., Brazil, Asia, Africa and elsewhere are looking at similar rules.  It is important to develop a top-line compliance strategy for global compliance in all of the jurisdictions you care about.
  • It’s never too late. There are moving parts, but a compliance program (starting with designating someone responsible for privacy) is possible.

“GDPR is astonishingly broad. It applies to basic personal information, not just sensitive data,” says McCreary. “A key provision allows customers to compel companies to delete their personal data, which is an extremely complicated task because you cannot simply delete information anymore. Data is tenacious. It’s sitting in backups, in emails, in a host of other places.”