As companies prepare for the biggest shake-up in data protection legislation in a generation, with the enactment of the GDPR and the UK Data Protection Bill, Company Secretaries have a pivotal role to play. A new survey carried out by the Department for Culture, Media and Sport has found that fewer than half of UK businesses and charities are aware of the coming changes. Here are three reasons why being aware of the challenges of data protection is vital for Company Secretaries.
A central aspect of the role of a Company Secretary is ensuring that the organisation complies with relevant legislation. Thus, data protection has already been among the responsibilities of many Company Secretaries since the passing of the Data Protection Act in 1998. The vastly increased scope of the new legislation, plus the increased level of associated legal, financial and reputational penalties, means that it will become an even more critical part of Company Secretary duties in the future.
Time is of the essence. The UK’s Information Commissioner Elizabeth Denham has confirmed that there will be no “grace period” following the regulation’s implementation on 25 May 2018, so companies that do not have their houses in order risk immediate investigation and sanctions.
However, the government wishes to foster principles of openness and transparency around the topic; therefore, companies that self-report and that engage with the ICO to show accountability and resolve issues of non-compliance will find this attitude taken into account by the Authority. Company Secretaries can put their business in the best place to benefit from this approach by embodying clarity and frankness when bringing matters of data protection to their board’s attention.
A key principle of the new legislation is accountability, meaning that organisations must be able to demonstrate documented evidence of compliance with the principles of data protection. This makes a sound framework critically important in showing that a company is embedding data security and privacy by design throughout its operations and processes. Ensuring that the board has proper oversight of this framework is a key element of the Company Secretary’s duties.
Company Secretaries need to clarify their own position and practices around data protection. Naturally, as trusted individuals within the organisation, they have access to confidential documents, registers and business data. Therefore, Company Secretaries must ensure that the communications systems and processes that they control are compliant with data protection legislation.
Independent organisations that provide company secretarial services to businesses may be classified as data controllers or data processors, as they are handling confidential and third-party data. The new legislation, while placing most of the burden on data controllers, does include liability for data processors if they are found to be negligent.
Given the high profile of data legislation now and in the future, it is vital that Company Secretaries have a practical working knowledge of it and understand how it relates to the business that they serve, so that they can facilitate compliance.
The scope of the new legislation is extensive. Whether considering the GDPR or the UK’s Data Protection Bill, which is due to become law this year to ensure adequacy with EU standards when the UK leaves the EU in 2019, it is clear that its scope will touch every part of an organisation. Departments from Human Resources and Legal to Finance, Marketing, IT and Governance itself will need to examine their processes through the lens of data protection.
This broad remit requires a sound reporting framework that leads to a sponsor who is familiar with the different aspects of the business. Company Secretaries are well positioned to carry out this role. Indeed, they are often the logical choice to synthesise the information reported by those closely linked to data management across the different departments and to distil it for the Board.
UK Governance Institute ICSA has produced its own guidance for Company Secretaries to help them contribute to the practical implementation of GDPR. Pete Swabey, Policy and Research Director at ICSA, notes: “Company secretaries will need to act as conduits for information from multiple functions including legal, HR, IT and other departments, such as customer services and marketing, in order to help board members to raise appropriate questions with management and assist respondents by highlighting important or missed considerations.”
ICSA describes Company Secretaries as “uniquely placed” to fulfil this role.
Linked to their remit of supporting the organisation to comply with legislation is the important element of cross-company communication involved in the role of Company Secretary. Evidence suggests that many company directors are still unclear on their duties to protect privacy; in fact, the Institute of Directors found in a survey of 900 of its members that nearly a third had not heard of GDPR just six months before it was due to be implemented, and four in 10 didn’t know whether it would affect their organisation.
With the penalties for non-compliance becoming much more severe, Company Secretaries have a duty to raise awareness among their board and to address any gaps in knowledge or process. This is just as true for individual board members as for the company as a whole. Directors should be aware of their own responsibilities for safeguarding any data they may hold on personal devices. Systems to assure the confidentiality of external board communications should be put in place.
A Company Secretary’s links throughout the business can also be used to good effect to support the development of a culture that views data protection as “business as usual” and that welcomes transparency and accountability as the correct way to treat the rights of individuals in the 21st century.
The months following the implementation of the new legislation are likely to see some high-profile test cases and some hefty fines and enforcement action against companies that are found to be non-compliant. By ensuring the open and positive flow of information about data protection strategy between the business and the board, Company Secretaries can help their companies to avoid coming under scrutiny.
Diligent Boards Portal Supports GDPR Implementation
Evidently, communication among all of these actors must be maintained in a secure environment and at a high level of efficiency.
Diligent Boards provides real-time and secure communication. With Touch ID sign-on access, real-time updates and 24/7/365 mobile collaboration, Diligent board portal software gives directors the information they need, when they need it, for swifter, more informed decision-making. For Company Secretaries and administrators, intuitive tools and customisable archives mean more efficient, effective information delivery, supported by remote wiping if a device is lost or stolen. Diligent delivers peace of mind with state-of-the-art encryption, data storage, access controls and more.