The Bailiwick of Guernsey’s Data Protection Commissioner, Emma Martins, gave a speech at a Non-Executive Director Forum event on 13 February 2019. Emma summarised why it is essential that all board members engage with their organisation’s data protection commitments in the same way that they would approach any other area of corporate governance:
“After headline grabbing fines and looming deadlines of 2018, there can be few boards and board members that are not aware of GDPR and our local equivalent legislation, The Data Protection (Bailiwick of Guernsey) Law, 2017.
The role played by the board and by individual board members is absolutely critical if organisations are to get this right.
Strong board members have, traditionally, had to demonstrate financial and commercial acumen. That is, of course, still the case, but in this data-driven era the role has become so much broader. Governance is key to success and governance now, without question, encompasses the handling of data.
As a starting point you should know what your organisation is up to in terms of data.
You must know:
- what data your organisation is responsible for
- where the data is sourced from
- what the legal basis is for the processing
- what role data plays in your organisation’s business processes
- where your organisation’s data is located
- who else may have access to it
You also need to have a good understanding of risk because data has become so intrinsic to all business activity, regardless of sector. If your data is compromised, you have a problem – operationally, reputationally and economically.
So one of the important processes that you need to ensure is in place, and ensure everyone is aware of, is a data breach response plan – regardless of the size or nature of your business.
BREACH RESPONSE PLAN:
REPORTING – ESCALATION – CONTAINMENT – ASSESSMENT – RESPONSE – REVIEW AND IMPROVE
This is a very basic illustration of the steps and you will need to tailor them to your own organisation.
The mapping of your data processes and an understanding of the technical and operational activities as well as having a plan for when things go wrong are crucial, but so too is culture.
When talking about a culture, one of the most important and influential aspects has got to be the tone at the top. Whether you like it or not, how you approach data governance, how you respond to and engage with the compliance requirements, will determine how the rest of your staff do too – both positively and negatively.
If you want to create a positive culture around how data protection is handled in the organisations you are responsible for, my advice is:
Get to know your data protection officer (DPO)
If your organisation has a DPO, get to know them. Even if you do not have a DPO, there should be someone who is responsible for this area of the business and compliance. Find out who that is.
Take an interest in what they are doing and remember that they are autonomous and should have a direct line of communication with the board.
Use your DPO’s knowledge and professional expertise to improve your own knowledge and understanding.
Meet and talk with them regularly – both formally and informally.
Support them and make sure their voice is heard at the top of the organisation and amongst all staff.
Encourage and allow constructive challenge
You are an ambassador for your organisation and how you communicate both internally and externally really does matter.
Always be mindful of the significance of C-suite level communications and attitudes.
Fines have grabbed attention but this is not just about fines. Resourcing good data governance means supporting your DPO and all staff in their personal training and development.
Data security should be on the risk register of all organisations and appropriate investment is important in this key area.
You should ensure that an ongoing governance programme and framework for data protection compliance is in place. This should be reflected in the organisation’s policies and procedures and staff need to be updated.
Talk the talk and walk the walk.
Make sure that you align your own practices with company policies and procedures and general good governance principles.
Show leadership and lead from the front; staff need to value and trust you.
Above and beyond law, ethics matters and will increasingly become a market and commercial differentiator. Doing the right thing is increasingly important in all areas of our lives. How organisations engage with their legal and ethical responsibilities when handling data will determine their economic and reputational health in fundamental ways. Taking short cuts may feel beneficial in the short term but this approach will come back to haunt you. Consumers and citizens are demanding more transparency, accountability and ethics from businesses. Those that deliver on those demands have the opportunity to take the best advantage of the opportunities that present themselves in this data-driven era.”