We get a lot of requests on how to report on data privacy obligations, especially as they gain more visibility with boards. In the IAPP-EY Annual Privacy Governance Report 2018, 78 percent of respondents, reported their boards are not just focused on data breaches but on demonstrating privacy compliance over the long term.
We recently conducted a webinar with Vanessa Henri, Data Protection Officer and Director of Legal and Compliance for Hitachi Systems Security to address how to report privacy obligations to the board.
Why Does Reporting Matter?
If reporting on the status your data privacy compliance has not yet become a focus or priority for your board, it’s time. Corporations and, in particular, corporate directors have a number of responsibilities and liabilities which require them to be aware of an organization’s compliance posture.
Know your obligations to respond to or prevent law suits.
In our webinar, Ms. Henri discussed that while data breach class action lawsuits are increasing, in the past, courts were not awarding damages as it was very difficult for an individual to prove direct damage and causality. However, courts are increasingly moving to models where the damages are presumed. Article 82 of the GDPR includes right to compensation and liability. This includes material and immaterial damages that are the result of data processing that infringes on the regulation. Article 146 takes it another step; the controller or processor should compensate ANY damages which a person may suffer and data subjects should receive full and effective compensation. In this changing environment, the notion of damages should be broadly interpreted in light of the GDPR objective.
Securities fraud implications.
According to Ms. Henri, if as a public company, an executive or board member misrepresents your compliance posture in a public statement (10K filing, verbal, social media, marketing), the company and your board could face securities fraud class action legal action.
It’s not just about the fines.
Outside of securities law, data privacy regulations contain their own set of fines. Perhaps the most covered regulation is the GDPR where fines can reach 2-4% of annual revenues. While only a few high profile companies (Google, €50M) have been in the news for being fined under the GDPR there have been numerous smaller fines with many complaints also in the queue. In addition, other countries are increasingly taking action under their data privacy regulations.
And it’s not just about the fines. Under Article 58 of the GDPR, there are a number of other penalties a DPA can levy. These range from issuing warnings and reprimands to harsher punishments such as temporary or even definitive restrictions or bans on processing in the European Union, all of which could hurt more than a 2% of revenues fine.
What do boards need to know?
Boards need to know that your organization has a data privacy program in place and, more importantly, are able to demonstrate through evidence that you have the capabilities to sustain compliance The most effective way to demonstrate an ongoing compliance posture under the GDPR or any other data privacy legislation, is to put in place a privacy compliance infrastructure. Structured privacy compliance will enable you to get information about your privacy program and monitor ongoing privacy compliance over time and effectively demonstrate evidence of that compliance with regulatory authorities if you come under investigation.
Just the facts
You will likely have no more than five minutes at any given board meeting to present the status of your data privacy program. A board is going to care about where the organization stands with regards to compliance posture and the risk and/or exposure to not only data breaches but also lack of compliance and the organization’s ability to respond to and prevent data breaches. Here are some key data points that are appropriate for board level reporting:
- Compliance by Systems of Interest or Functional or Operational Units (for example HR, Marketing, IT, etc.)
- Compliance progress or status against privacy management categories
- Compliance progress or status related to relevant geographic regulations (GDPR, CCPA, etc.)
- Distribution of resources relative to privacy management categories
As more countries and states pass privacy legislation, implementing and reporting on privacy programs will become increasingly complex, making the ability to generate board level reports efficiently and consistently more challenging.
Build Your Privacy Management Framework
Nymity believes in an accountability approach to privacy which enables a culture of privacy across an organization. The Nymity Privacy Management Accountability Framework structures your privacy program based on 13 privacy management categories. By taking a structured approach, privacy management is implemented as an ongoing capacity to comply and a sustainable program rather than a one-time project. By taking this approach, organizations can also leverage existing activities and evidence to on-board compliance to new legislation and report to the board in one report as a harmonized program.
There are no silver bullets to reporting to boards on compliance, and every board/executive will have questions you may not have anticipated. We have a number of resources you can leverage to help you achieve, manage and maintain your privacy compliance and improve your board reporting.
If you missed our webinar, Reporting Data Privacy Obligations to the Board: A Practical Approach to Ongoing Compliance, click below to watch the recording and download the presentation.