Board Agenda

2 June, 2023
Boardrooms should heed new frontiers in personal data security

by Mazars (sponsored)

Personal data security is increasingly important, but many companies may not be ready to comply with tougher data protection laws.


Citizens around the world are growing increasingly concerned about what organisations do with their personal data. High-profile data breaches at some of the largest global firms have demonstrated the risks to individuals and businesses.

Despite this, many companies have been slow to wake up to the new data responsibilities required under the EU’s tougher data protection laws, which must be implemented by May 2018. This may require a complete overhaul of how companies use, share and obtain consent to process personal data (see box below for more details).

For example, a survey of Irish companies by Mazars in Ireland and law firm McCann Fitzgerald found that only 16% had started a project to meet the compliance requirements of the General Data Protection Regulation (GDPR). Although this survey was conducted in August 2016 and the situation has evolved since then, there are still many major organisations that are just at the kick-off stage of their GDPR project.

All EU businesses that handle data will have to comply with the GDPR, which will require investment in systems and training for employees. This takes time and the stakes are high. Companies that fail to comply with the GDPR could face fines of up to 4% of global turnover or €20m, whichever is greater, in the case of a breach. Most importantly, the reputational damage of such a breach can have major consequences for a business.

However, smart companies should focus on the opportunities to maximise returns on investment, rather than focusing on the threat of sanctions.

“The new GDPR requirements can be an opportunity for organisations to promote a data-responsible image,” says Vincent Rezzouk-Hammachi, UK head of data privacy and data management at Mazars. “Companies need to find new ways to limit the amount of data they collect, and communicate the benefits to customers.”

Boardroom awareness

For large international companies the harmonisation of the data protection rules across Europe is a positive step. The introduction of the “one stop shop” principle, for example, allows businesses to rely on only one regulator when they are a cross-border organisation.

However, the job of identifying every system and process that may not be in line with the GDPR is a major task. For a large, complex organisation with numerous different systems and a high volume of data, it can take many months to analyse all the programmes and systems that are used within the business. Some systems, for example, will communicate across different functions of the group and with subsidiaries; some will not. Sometimes IT is well coordinated at group level; sometimes it is not.

“The GDPR will affect many departments and goes beyond any border within an organisation, so the relevant level for accountability has to be at board level,” says Rezzouk-Hammachi. “Often, the first question we are asked by companies is, ‘how much will the remedies cost?’”

Board directors need to take a step back and use the GDPR as an opportunity to take a fresh look at what is going on inside the company’s systems, says Rezzouk-Hammachi. The first step is to create a Core Privacy Team composed of the organisation’s main stakeholders who process personal data.

Know your systems

The best starting point is for companies to do a GDPR-readiness assessment. This provides an understanding of where the data is located and the operational needs of different departments of the business.

It also involves a number of checks including: the purpose of the data processing; how consent was collected; and how long it takes to respond if an individual asks for access to their personal data. This results in a report giving an overview of the risks and where they are located, says Rezzouk-Hammachi.

The next stage is to perform a detailed gap analysis to identify any areas where the company falls short of the requirements in terms of its systems, processes or employees’ awareness of the GDPR principles. This leads to an implementation action plan with specific recommendations, such as system adaptation or cyber-training programmes.

New projects

As the deadline for implementing GDPR approaches, data privacy is sure to rise up the agenda for senior management and board directors. However, companies must ensure that the strategic importance of data protection remains a boardroom issue long after the May 2018 deadline.

As a minimum, boards must ensure that their businesses remain compliant with the GDPR. Companies will have to constantly monitor their systems and processes against the regulation’s requirements, avoid data breaches and manage the risks. Large companies may want to create privacy committees to improve oversight or link data privacy objectives to directors’ performance management.

Boards also need to be aware of the GDPR principle of “privacy by design”. This means that companies must consider data privacy at the outset of any new project or programme to ensure that personal data is only collected when there is a clear business or regulatory need.

For example, does a bank need a customer’s date of birth? Probably, yes, for regulatory and background checks. But what about a bookshop? The marketing department might argue that, yes, there is an operational need. Without it, the loyalty programme would not be able to send a voucher to customers on their birthdays.

Until now, these questions have not been asked systematically, which has led to the collection of unnecessary data. “Businesses are starting to realise how important it is to limit the amount of data they collect to limit risks and ensure that systems work as smoothly as possible,” says Rezzouk-Hammachi.

Data privacy is much more than a compliance process. It has become a key area where companies will be judged in terms of their engagement with customer concerns and their ability to adapt to technology challenges. That should be more than enough to make board directors take note.

The GDPR: new data requirements

OBTAINING CONSENT: Companies must demonstrate that they have obtained appropriate consent from data subjects to process their data where this is a legal requirement.

INVENTORY OF PERSONAL DATA: Companies must maintain an inventory of personal data, including how it is used and shared.

THE RIGHT TO BE FORGOTTEN: An individual can request the deletion of personal data—where a company has publicised it, other data controllers can be required to comply with the request.

DATA PORTABILITY: Individuals have the right to receive personal data that they have provided to a company in a commonly used format and request that it is transferred to another company.

DATA PROTECTION OFFICER: Certain companies must appoint a Data Protection Officer (DPO) to monitor compliance with the GDPR. The DPO must be an expert in data protection laws and regulations, must be independent, and must report to the highest level of management.

REPORTING DATA BREACHES: Companies must report data breaches to their local regulator within 72 hours of becoming aware of the event. The subject of the breach must also be informed where there is a high risk that their rights and freedoms will be affected.

This article has been prepared in collaboration with Mazars, a supporter of Board Agenda.

Tags: data privacy, data security, Mazars, McCann Fitzgerald, Spring 2017, Technology, Vincent Rezzouk-Hammachi
