ARTICLE
19 April 2023

Data Privacy, Security And The Boardroom: From Ticking The Compliance Box To Absolute Necessity

Andersen in Nigeria

The global consensus that personal data is the "new gold" has led to an avalanche of global and domestic regulatory compliance obligations imposed on data controllers and data processors under extant data protection laws such as the EU General Data Protection Regulation 2016 ("GDPR"), the California Consumer Privacy Act of 2018 ("CCPA") and the Nigeria Data Protection Regulation 2019 ("NDPR"), amongst others. In light of these laws and regulations, organisations now face increased pressure from well-informed customers and data subjects, as well as scrutiny from strong-willed data protection regulators, to prioritise and invest in data privacy compliance.

More than ever before, data privacy has taken centre stage at different levels within most organisations. Data privacy, data security and compliance with privacy laws are no longer just the core responsibilities of the Data Protection Officer ("DPO") or the Information Security team. They have become a Board and governance issue, and the era of simply ticking the "regulatory compliance checkbox" has passed, especially given the myriad of data breaches occurring and the implications these have for an organisation's bottom line and reputation.

In this article, we examine the important reasons why the Board of Directors should be actively involved in data privacy compliance within their organisations as well as practical steps towards promoting effective board participation on data privacy related matters.

Moving Away from Mere Ticking of the Box – Why the Board of Directors Should be Actively Involved in Data Privacy

For most businesses (whether in the banking, fintech, insurance, pension, healthcare etc. sector), personal data is regarded as one of an organisation's greatest assets. Therefore, ensuring the adequate protection of personal data is critical to the continued success of any business. This is where the strategic role of the Board of Directors ("BoD") on data privacy comes in. The BoD, being the highest decision-making organ of an organisation, is required to set the appropriate tone "at the top" and exercise oversight functions as it relates to compliance with applicable data privacy and protection laws and regulations affecting its operations, including the organisation's data privacy and governance policy framework.

In Nigeria, for example, the fact that a breach of the NDPR can attract a fine of up to 2% of a company's annual gross revenue for the preceding year, a sum that could bring a company's operations to an end, is enough testament that the BoD cannot ignore data privacy and protection or pay lip service to it. Add to this the reputational damage, business disruption and loss of revenue that follow a breach, and the cost of a data breach or of non-compliance becomes significant.

Furthermore, it is important to note that good data privacy and security practices can directly impact sales. Gaining and maintaining customers' trust and confidence is vital for all businesses. However, data security concerns could ruin an organisation's relationship with its customers or potential customers. This means that paying attention to privacy related matters could potentially increase sales – and by implication, a company's bottom line. Therefore, every BoD should see expenditure in the areas of data privacy, information technology and security more as an investment in the growth of the company rather than costs to be minimised.

In an ever dynamic world, data privacy issues are constantly changing, with new technologies and emerging laws adding to the compliance obligations on companies. Some organisations have achieved certification against industry standards and best practices (such as ISO 27001, PCI DSS, the NIST Cybersecurity Framework etc.), which can indicate a mature security programme and support compliance with applicable laws. Whilst such frameworks are commendable, they are security frameworks rather than privacy programmes, they attest to a defined scope of controls at the time of the audit, and they do not guarantee that the organisation's data protection and security programmes are adequate. This underscores the fact that compliance in itself does not equal data protection. Consequently, the BoD should ensure that all privacy and security programmes and frameworks within the organisation are reviewed regularly; the BoD's involvement in data privacy matters has become an absolute necessity.

Practical Steps towards Promoting Effective Board Participation in Data Privacy and Security

We have provided below a number of practical steps that can encourage effective Board participation on data privacy and security matters.

a. Embedding a Data Privacy Culture within the Organisation and Setting the Tone at the Top

In order to set the appropriate tone at the top and ensure that data privacy becomes embedded in the organisation's culture, the BoD is required to demonstrate overall leadership and support for the successful implementation of the organisation's data privacy, data governance and cybersecurity framework. This can be achieved through overseeing the timely approval of relevant data privacy policies within the organisation. The BoD should devote sufficient time and resources to overseeing management's implementation of all board-approved data privacy and protection policies, including monitoring them for effectiveness. This will ensure that the organisation's data privacy, data governance and cybersecurity framework, processes and controls remain fit for purpose in line with emerging trends and practices.

b. Formal Appointment of a DPO and Ensuring Direct Access to the Board

The NDPR and the NDPR Implementation Framework 2020 set out the criteria for the appointment and the job description of a DPO. In appointing a DPO, consideration should be given to a senior member of management with a direct reporting line to the BoD or to the board committee in charge of data privacy and protection.

The BoD should ensure that the DPO has the full support of the management and BoD, including funding and allocation of resources to implement sustainable data privacy and protection programmes such as training, data privacy toolkits etc.

Furthermore, the BoD should put in place measures to ensure that data privacy and protection is a standing item at its meetings and that relevant updates are provided to the Board through the DPO or the board committee exercising oversight over data privacy and protection. The DPO should be required to submit periodic reports in line with clearly defined privacy reporting metrics covering, amongst other things: compliance issues remediated within the reporting period; the number of privacy complaints received from data subjects and regulators; the number of privacy incidents and breaches, and the average time taken to detect and resolve one; the results of internal privacy audits; any security concerns or threats; and the number of data protection training sessions attended. These reports enable the BoD to make informed decisions on the action plan needed to remediate any data privacy concern.

c. Embedding Privacy by Design in Products and Services

With data protection regulators increasingly demanding transparency about organisations' data processing activities, it has become expedient for the BoD to ensure that the management team, together with the unit(s) responsible for new product development, put in place appropriate data privacy and protection safeguards so that privacy by design is integrated into every new product and service from the conceptualisation phase. Such safeguards include, but are not limited to, collecting only the personal data the product actually needs, appropriate consent clauses and privacy notices, data encryption, data pseudonymisation, multi-factor authentication, and privilege and access right controls. The board should also be aware that these controls are only as good as their implementation: a pseudonym that can be reversed by simple enumeration, or an encryption key stored alongside the data it protects, offers little real protection.
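The pseudonymisation safeguard mentioned above is where boards most often receive false assurance, so the following added example (not code from the article or from Andersen in Nigeria) shows the difference between a pseudonym that merely looks opaque and one that actually resists re-identification. The customer records and the phone-number search space are constructed for the demonstration; the assumption that the HMAC key is generated and held in a separate key store (KMS or HSM), never alongside the pseudonymised data, is the deployment condition the technique depends on.

```python
"""Added example: keyed pseudonymisation of a customer identifier.

A plain SHA-256 of a phone number is NOT an effective pseudonym: the input
space is small enough to enumerate, so anyone holding the dataset can
recover the original values. An HMAC under a secret key held outside the
dataset is still deterministic (so records can be joined) but cannot be
reversed without the key.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records (fictitious customers); not real data.
RECORDS: List[Dict] = [
    {"customer_id": "C-1001", "phone": "+2348012341234", "balance": 1500},
    {"customer_id": "C-1002", "phone": "+2348012349876", "balance": 42},
    {"customer_id": "C-1003", "phone": "+2348012340000", "balance": 900},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: deterministic, but reversible by enumerating candidates."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: deterministic per key, not reversible without it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict], key: bytes) -> List[Dict]:
    """Replace direct identifiers before the data leaves the controlled environment.

    The input records are not mutated; the caller keeps the originals (and the
    key) inside the trust boundary and ships only the returned copies.
    """
    out = []
    for rec in records:
        copy = dict(rec)
        copy["phone"] = keyed_pseudonym(rec["phone"], key)
        del copy["customer_id"]  # direct identifier not needed by the downstream consumer
        out.append(copy)
    return out


def candidate_numbers(prefix: str, digits: int) -> Iterable[str]:
    """Enumerate every number with the given prefix and trailing digit count."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"


def reverse_by_enumeration(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker model: holds the pseudonymised dataset but no key, and simply
    recomputes the unkeyed hash over every plausible identifier."""
    for c in candidates:
        if naive_pseudonym(c) == target:
            return c
    return None


def demo() -> Dict:
    # Assumption for the example: in production this key is generated in and
    # served from a KMS/HSM and is never stored with the pseudonymised data.
    key = secrets.token_bytes(32)
    victim = RECORDS[0]["phone"]
    # Constructed, deliberately narrow search space (10,000 numbers) so the demo
    # runs instantly; a full national mobile numbering range is still small
    # enough for commodity hardware to enumerate against an unkeyed hash.
    return {
        "naive_recovered": reverse_by_enumeration(
            naive_pseudonym(victim), candidate_numbers("+234801234", 4)
        ),
        "keyed_recovered": reverse_by_enumeration(
            keyed_pseudonym(victim, key), candidate_numbers("+234801234", 4)
        ),
        "pseudonymised": pseudonymise(RECORDS, key),
    }


if __name__ == "__main__":
    result = demo()
    print("unkeyed SHA-256 recovered:", result["naive_recovered"])   # the real number
    print("keyed HMAC recovered:    ", result["keyed_recovered"])    # None
    for row in result["pseudonymised"]:
        print(row)
```

The board-level question this answers is not "are we hashing the data?" but "who holds the key, and is it stored separately from the dataset?"; if the key travels with the data, the HMAC output is as reversible as the plain hash. A deterministic pseudonym also remains personal data under the GDPR and NDPR, because the controller holding the key can re-identify it, so the same retention and access rules apply to the pseudonymised copy.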

d. Ensuring the Conduct of Annual Data Protection Compliance Audit

The BoD, as part of its oversight function in ensuring compliance with the requirements of the NDPR, should ensure that the organisation engages a licensed Data Protection Compliance Organisation ("DPCO") to conduct the annual audit and file the audit report with the Nigeria Data Protection Bureau on or before the filing deadline of 15 March each year.

The BoD should equally make appropriate budgetary allocation to cover associated fees for engaging the services of the DPCO and payment of statutory filing fees amongst other things.

e. Prioritising Data Privacy Awareness and Data Security

In order to engender a data privacy culture within the organisation and to increase employees' awareness of their duties under the NDPR, the BoD, through management, should allocate the necessary resources, including funding, to organise in-house and external training on data protection for all employees of the organisation. Furthermore, members of the BoD, management and the DPO should attend regular training on data protection tailored to their specific needs. To this end, a board-approved data protection training plan, backed with the required funding, should be implemented and strictly adhered to in order to sensitise all employees, management and the BoD and to raise their general level of awareness of data protection.

Conclusion

The BoD plays a prominent role in directing the affairs and setting the strategic objectives of an organisation, which are cascaded to management for implementation. In order to remain effective and demonstrate leadership in the area of data privacy and protection, the BoD and its members should have well-defined collective and individual Key Performance Indicators ("KPIs") that form the metrics for measuring their overall performance at board level on issues relating to data privacy and protection. Such metrics will cover the number of data protection training sessions attended, the number of board meetings at which data protection issues were discussed, the nature of board support provided to the organisation's data privacy and protection programmes, etc. These KPIs should be one of the criteria for boardroom evaluation and for the re-election of existing directors to the board.

Furthermore, data-intensive organisations (such as banks, insurance companies, fintechs, pension fund administrators etc.) should consider appointing a data privacy and protection/cybersecurity expert to the BoD to serve as an independent director. Such an expert will bring their expertise and independent judgement to bear on issues relating to data privacy and protection/cybersecurity, which will assist the BoD in making informed decisions on those issues.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
