There’s a fast-evolving area of responsibility about which some directors know very little and for which they can be held personally liable: the protection of data. Net-Defence is delivering workshops for the Institute of Directors (IoD) to support education on avoiding a director’s data-duties downfall in an era of evolving digital threat. Debra Cairns, Governance Specialist at Net-Defence, explores some risk areas for directors, their legal accountabilities and the urban myths that surround them:
“We all know that being a director of a business is a responsible role. You’re accountable for steering the strategy of the company and for ensuring that it grows and is a success. There’s a duty of care to the company’s people too, to make sure that it’s a great place to work and that issues like health and safety are taken seriously and addressed. You also need to ensure that obligations such as the filing of accounts and tax returns are attended to on time and with the appropriate levels of rigour.
Most commonly referred to simply as “GDPR” (the General Data Protection Regulation), the protection of data represents a relatively new set of responsibilities for directors to get their heads round and, when combined with the Government’s existing Privacy and Electronic Communications Regulations (PECR), makes for a serious and potentially confusing set of new responsibilities.
Now, there’s already a plethora of information available from countless sources on what GDPR is and how the PECR regulations apply to companies, so I’m not going to replicate that here. But at Net-Defence we’ve also been focusing on what directors need to do to protect their own personal positions on this issue. After all, in the space of only a year (Q2 2018 – 2019), 16 directors were banned from holding office for a total of more than 100 years due to GDPR breaches.
A lack of understanding of your personal GDPR obligations is not an excuse in the eyes of the law! It’s your responsibility to know these obligations and to act on them. Think of GDPR as today’s equivalent of Health & Safety regulations: you wouldn’t send one of your people up a ladder without suitable protection or a risk assessment. If you did, and something went wrong, you would expect to be sanctioned for that. Well, it’s the same for a loss of data.
It’s important too that you don’t see this as just an IT issue. Your business could invest heavily in protecting its IT systems from external attack, but in the final quarter of 2018 only 14% of breaches were cyber-security related, whereas 50% were attributable to human error. It’s always a good idea to ensure your IT infrastructure is secure, but this is also about people, processes and procedures for effective real-world security.
You need to understand where your data assets are and identify where the risks lie. Having done so, you then need to take action to remediate, accept or transfer each risk. Skilled teams like Net-Defence can help your business to do this, but you need to take the first step. Make sure GDPR is on the agenda of every board meeting, appoint someone to lead on it and, if your colleagues can’t reassure you that data protection is under strict control, take action.”
Top directors’ GDPR myths to avoid
Watch out for some of the myths that have grown up around GDPR:
- “This is just a cyber problem” – no, it’s much more than that. GDPR breaches can occur wherever and however you hold personal data.
- “We can outsource this to shift the responsibility” – not true. Even if you hire a third party to handle this for you, you’re still liable as directors.
- “This is European legislation, so Brexit will remove the threat” – not the case, as GDPR has been adopted into UK legislation.
Top tips for directors’ data governance in an era of evolving digital threat
The most important piece of advice I can give is that whatever you do, do something:
- Ask your colleagues what processes and procedures are in place to protect people’s personal data.
- Ask yourselves why you’re holding that data in the first place. If you don’t need it, delete it. Less is more in this case.
- Ask whether anyone has audited the steps you’ve taken to protect personal data. If not, make sure this is arranged.
- Come to one of our Directors’ workshops on GDPR or give us a call for a free GDPR consultation.
Remember, as a director of your business, you’re accountable…
Net-Defence delivers workshops for the IoD – BOOK NOW: 7 November (Edinburgh)