Board level transparency, GDPR and the need for a lasting compliance framework

With Brexit as a backdrop, in many ways GDPR has come at the worst time. Although GDPR requirements will not alter whether we have a hard Brexit or soft Brexit, the sheer uncertainty of Brexit combined with the need to get GDPR ready has meant a complex business environment for many organisations.

Also to be factored in is the need to ensure that other compliance does not slip through the net, such as the UK Corporate Governance Code, which takes a number of measures that were once voluntary and turns them into enforceable laws and regulations. Furthermore, the increased focus on governance generally, with media and public attention firmly on the latest corporate scandal, means that awareness of any failing is now much greater than it has ever been. Overall, it is clear to see the scale of the governance and compliance tasks facing organisations as 2017 draws to a close, and also the pressure that this puts on corporate secretaries and the rest of the board.

But GDPR’s timing could in fact be a blessing, rather than the additional burden that many people are probably feeling it to be. By adopting a more transparent approach to business, organisations have the opportunity not only to address GDPR, but also to build a lasting compliance framework that meets their needs for years to come.

Other legislation

Although GDPR has grabbed more of the headlines, there is little doubt that the UK Corporate Governance Code is potentially just as onerous. A greater worldwide focus on governance actually came at the right time for the UK government, as it gave it an opportunity to consolidate and update its already robust stance on good corporate governance and to re-confirm the UK as a prime destination for business in the light of the leave vote in the EU referendum held in 2016.

The governance regime already in place, the Companies Act 2006, was already one of the most thorough in the world, defining fiduciary duties for directors, alongside the ‘Combined Code’, which provided general principles for organisations to follow on a ‘comply or explain’ basis. The UK Corporate Governance Code has three main areas of focus: executive pay, employee rights and engagement, and corporate governance in large privately held businesses.

When the reforms were announced, all of the headlines were grabbed by the required legislation that companies report annually on the ratio of CEO pay to the average pay of their UK workforce, along with a narrative explaining changes to that ratio from year to year and putting it in context with pay and conditions across the organisation.

The other main change lies in handing broader responsibility to the remuneration committee to oversee pay and incentives across the whole company and requiring them to engage with the wider workforce to explain how executive remuneration aligns with wider company pay policies, creating greater transparency over pay ratios across the organisation.

There is one theme across the required changes, and that is accountability and transparency. Overall, the response and the new reforms refocus directors’ attention on proving that the salary and incentives they receive are commensurate with their performance, in turn placing extra responsibilities on them to help ensure this. This is also the case with the GDPR, under which directors have extensive responsibilities with potentially life-changing consequences.

GDPR and accountability

The purpose of the GDPR is to better protect personal data, and it is the most significant change to data protection law in the EU for a generation. Under the GDPR, non-compliance has serious consequences: fines of up to €20,000,000 or 4 per cent of annual global turnover, whichever is greater. The regulation looks to improve consumer confidence in organisations that hold their personal data by reinforcing their privacy and security rights, and also to simplify the free flow of personal data within the EU.

The onus is on the data controllers, that is, the company that will be using and manipulating the data, to ensure that the data processors or collectors are fully compliant with GDPR. This is a major challenge. For example, banks may have up to 100 different systems, with different pieces of data for each client stored on each one, so a joined-up approach to GDPR is a huge task.

This record needs to contain a specific set of information so that it is clear what, where, how and why data is processed. Failing to ensure compliance with this can lead to direct legal action being taken against the directors by prosecutors, or even by shareholders.

Even without this extra element of personal jeopardy, the increased scrutiny that would come with any claims of data misuse or failings would draw significant attention to the directors in question and their suitability.

Increased transparency

The ramifications of Brexit do not just affect how we deal with the EU as a third party; they also have implications for the UK’s trading with other countries, as new trade deals, as well as yet more regulations, will have to come into play to enable and secure this after the deadline in 2019.

This all highlights the need for organisations to have a governance operating model, with many elements connected, rationalised and organised to provide the consistent guidance and incentives that executives, risk managers and business unit leaders require. This is of course a major task, and the best place to start is improving transparency into senior-level decision making: doing this puts in place the building blocks for addressing GDPR, Brexit and other compliance via a governance operating model.

By utilising a fully secure and compliant governance platform, a board of directors can be confident that its meetings are captured in a fully transparent way, with a traceable and auditable record of actions and decisions that captures a complete picture of the business-critical meetings and discussions being held. Since ultimate responsibility lies with the board of directors, transparency around meetings and the decisions they make becomes even more important in such a complex business environment.

Alister Esam, CEO, eShare