How much do you know about the General Data Protection Regulation?
For many board members, the answer will be ‘not as much as I probably should’.
The regulation applies from 25 May this year – but many firms are still struggling to understand its requirements and to put action plans in place to comply with them.
So, what is the GDPR, and what is the board’s role in making sure your organisation is compliant?
What is GDPR?
The General Data Protection Regulation is a new EU regulation. It aims to strengthen and increase consistency in data protection for individuals within the EU. It also governs the export of personal data outside the EU.
It replaces the 1995 EU Data Protection Directive (officially Directive 95/46/EC) and applies from 25 May. In the UK, the Data Protection Act 1998 (DPA) is also being superseded by new domestic legislation that sits alongside the GDPR.
What will you have to do differently under the new regulation?
The change most firms notice first concerns marketing. Under the GDPR you must be able to show a lawful basis for every use of personal data, and a business email address that identifies a named person counts as personal data. Consent is one lawful basis, but it must be freely given, specific, informed and unambiguous: a clear affirmative action, with no pre-ticked boxes and no consent buried in terms and conditions. Legitimate interests is another basis and may cover some marketing, provided you document the balancing test and honour objections.
In practice this means you need a documented lawful basis before you email, phone or text someone (even at their business address). The separate Privacy and Electronic Communications Regulations (PECR), which govern unsolicited electronic marketing, continue to apply alongside the GDPR. The net effect is to bring business-to-business contact data under the same discipline as any other personal data.
This is a huge change, not just for your marketing team’s work but for any customer communications. And it’s vital that your organisation gets it right: some commentators have suggested that GDPR has the potential to be the next PPI scandal if not managed properly.
Will your firm be affected?
The regulation applies to any organisation established in the EU, and to organisations elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU, where that organisation:
- Possesses or processes data pertaining to an identifiable person
- Contacts those individuals via email, phone, SMS or mail
- Tracks their engagement via e-shots, cookies, or landing pages for the purpose of profiling an individual
Almost all, if not all, B2B firms will fall into one or more of these categories.
What are the exact requirements of the GDPR?
One of the reasons that the regulation is such a debated topic is that the specific requirements and rules were unclear for quite some time.
In an attempt to clarify some of the confusion, the Information Commissioner’s Office published a series of blogs. These aimed to clear up some of the GDPR ‘myths’ in circulation – we summarise them in our blogs ‘GDPR – sorting the myths from the reality’ and ‘How to separate GDPR compliance myths from reality’.
The Information Commissioner’s Office (ICO) is the UK’s representative on the ‘Article 29 Working Party’ – the body of EU Member State data protection authorities that develops guidelines on the new law (it becomes the European Data Protection Board once the GDPR applies).
The ICO therefore has a lead role in making organisations in the UK aware of the new regulation and helping them to prepare for it.
Why does this matter to boards?
A number of good reasons!
First, the ICO can impose fines of up to €20m (around £18m) or 4% of a firm’s total worldwide annual turnover, whichever is higher, for the most serious failures to meet the GDPR requirements. This potential penalty will in itself be enough to make many C-suites sit up and take notice.
Second, the reputational damage that accompanies a compliance breach – not just in data protection, but any area of regulation – can be huge. This should also be an issue of concern to boards already in the spotlight for perceived governance failings.
And third, the board should lead from the top in terms of setting the ethical tone for the business. Ensuring compliance with regulatory requirements starts with an embedded culture of good governance; your board of directors is central to this.
How can I find out more?
The ICO website has a comprehensive microsite on the GDPR, with updates and downloadable tools.
We look in more detail at the requirements in our blogs ‘GDPR compliance – do you know everything you need to?’ and ‘10 things you need to know and do now about GDPR’.
If you don’t feel prepared, start by reading these blogs, which will give you a briefing on the new rules and the immediate actions you should take to prepare.
For directors, the GDPR is just the latest in a list of new regulations, requirements and best practices that keep you awake at night. If your board is struggling to keep pace with everything required of it, there are steps you can take.
Making your board meetings more efficient and effective increases your ability to make the right strategic decisions for your organisation – regardless of the pressures you’re facing. Download a case study showing how one of our clients, Carey Group, streamlined their own board processes.
The case study is free to download here.
Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.