Are the Alarm Bells Ringing Yet?
The biggest change to data protection in over a decade.
Major changes to European data protection and privacy laws have recently been announced and alarm bells have started ringing in the ears of CEOs and boards. The EU General Data Protection Regulation (GDPR) will have a massive impact on business continuity, and organisations will need to change existing management protocols to ensure they comply over a two-year transition period that will begin this month.
The GDPR is substantially different to the previous Data Protection Directive 95/46/EC and Data Protection Act 1998; changes include just one data protection and privacy regulation across all 28 EU Member States, a 72-hour breach reporting obligation and fines of up to 4% of global turnover based on the preceding 12 months.
This is the biggest challenge in data protection in over a decade and has the potential to destroy many promising careers in its wake with implications including:
- the risk to brand and reputation
- major penalties for personal data breaches and administrative fines
- an obligation to appoint a senior level Data Protection Officer for all organisations employing over 250 employees, and where data processing is likely to result in a risk for the rights and freedoms of the Data Subject or is ‘high-risk processing’
You just have to look at what is happening in both the US and EU in the last 12 months, in terms of data protection and privacy breaches by large corporations across all sectors, to realise that data protection and privacy has moved from a minority sport to a mainstream board agenda item. When it goes badly wrong, we may see another senior executive being dragged through social networking sites and the business media. The only way to meet the business continuity risk that the GDPR presents is for all organisations to invest in adequate data protection and privacy training as part of a move to a risk-based approach to privacy by design.
A significant part of the change is the need to appoint a new breed of Data Protection Officer (DPO) who will take centre stage as a ‘compliance orchestrator’. The DPO must perform their duties independently, meaning that they must not take instruction from anyone internally, not even the board. They are likely to look to HR for input in a range of areas – such as training, performance management and procedures to be followed when employees join, leave and make subject access requests.
The DPO will be responsible for creating much greater transparency around use of data in their company. They will build clear policies and principles in order to present a road map to the supervisory authorities of how data protection and privacy will be handled in the context of the organisation.
Professor Andrew Kakabadse, Programme Co-director for the Data Protection Officer Programme, one of the world’s leading experts in boardroom effectiveness and recently voted into the Thinkers50 Hall of Fame, explains:
It's clear that engagement throughout the whole organisation is a critical challenge awaiting the DPO in the effort to achieve sustainable performance. In a sense, the DPO must be able to get on the same wavelength as the board, and vice versa, if the relationship is going to work and the enterprise is going to be compliant with the new standards imposed by the GDPR. Getting that right will require more than just strategy but also the multiplier effect of engagement and alignment in order to deliver value and competitive advantage to the organisation.
Compliance will be costly and companies need to build additional costs into their budgets now to ensure that the individuals who fill the role of DPO have the requisite qualifications, knowledge, experience and training in order to undertake such a critical role within the organisation.
At Henley, we have developed a new programme in response to the changes to support organisations and individuals. The Data Protection Officer Programme will help participants to get to grips with the GDPR and confidently implement changes in their organisations. Find out more here.