The role of the board in sustainable GDPR compliance

With headline-grabbing fines and a looming deadline of 25 May 2018, there are unlikely to be many executives who do not know the basic obligations introduced by the GDPR. What may be less clear to members of the board is the critical role they must personally play in their organisation's GDPR compliance activities.

It is easy to reach the conclusion that GDPR compliance is primarily a data cleansing exercise: the GDPR introduces new rules around the personal data an organisation can capture and store, so the company needs to clean up its data to be compliant going forward. Of course, this significantly oversimplifies the compliance initiative that most companies are undertaking, and there are a number of challenging issues to be tackled around data archiving, subject access rights and other areas. But the GDPR legislation itself does not specify one critical element of an organisation's GDPR response: the cultural shift that most companies need to make in their treatment of personal data.

So is it only the absence of meaningful fines that has made the existing legislation ineffective?

Not really. Existing data privacy legislation may not be as far-reaching or as punitive as the GDPR, but it has been in place for over 20 years, and the majority of companies will have considered their data protection obligations at some point. The problem is that, for many companies, the response to date has been primarily process- or data-driven and has not tackled the change management required to achieve sustained compliance.

Issues such as employees' and management's attitudes towards sensitive data are difficult to resolve. Moving an organisation towards a more responsible approach to the handling of personal data requires a sustained programme of co-ordinated training and communication.

One of the most critical elements of achieving cultural change is the behaviour of management and the board. Setting the 'tone at the top' and demonstrating that careful handling of personal data matters to management should be a critical component of your organisation's GDPR response.

The board’s role in achieving GDPR compliance therefore becomes key in the following areas:

Communications: Company-wide communications carry more weight when the sender is a C-level executive. This tool must be used sparingly, but it can be extremely effective.

Funding: Employees often judge the importance of an initiative by the funding it receives. If GDPR initiatives struggle to secure funding ahead of other projects, the workforce may conclude that GDPR matters less to the organisation than it claims.

Personal behaviours: Executives have their own role to play in handling personal data responsibly. Demonstrating that your own practices are aligned with the company's new data protection policies could be as simple as deleting old CVs from your laptop. Small as it is, this is an important statement of intent that can have a much more profound change impact.

Governance: The board also has a role to play in the ongoing governance framework for GDPR compliance. Reporting lines should be put in place so that summarised GDPR compliance information reaches the executive regularly and the board's ongoing support is demonstrable.

The current focus for most companies is understandably on 'getting clean' from a GDPR perspective. However, many GDPR initiatives are failing to address adequately how the organisation will 'stay clean'. Effectively tackling the cultural shift required to ensure personal data is treated with the respect it deserves is critical. Combining this with a governance framework that monitors ongoing compliance will pay dividends in the long run.

We all have our part to play in ensuring that our organisation is GDPR compliant. As a member of the board perhaps your role is more important than you first thought?

By Richard Hunt, Managing Director, Turnkey Consulting
