UK Corporate Governance and the General Data Protection Regulation (GDPR)

UK corporate governance is divided into specific legal regulation, like the Companies Act of 2006, which defines fiduciary duties for directors, and the so-called “Combined Code,” which provides general principles; it is voluntary for most companies, except for those with a Premium listing of equity shares on the London Stock Exchange. The key principle for UK corporate governance is “comply or explain”; that is, when companies choose not to comply with the code, they are expected to provide good reasons for their departure from it.

The effect of the European Union General Data Protection Regulation (GDPR, Regulation EU 2016/679), which will remain UK law after BREXIT, is to take this area of risk management for directors out of the “comply or explain” area and to put it squarely into that of specific legal regulation. Previous data protection legislation in the UK was much more limited in scope. Directors have extensive responsibilities under the law, which will go into effect in the UK on May 25, 2018.

In addition, directors have direct liability under some terms of the new legislation, which imposes effective data management and governance requirements. The risk of regulatory non-compliance, and the cost and operational impact associated with poor data quality and inaccurate reporting, must be addressed at the board level, including the appointment of a board-level Data Protection Officer, the oversight of internal controls to ensure compliance, and review by the audit committee.

Current Reforms of UK Corporate Governance Underway

Corporate governance in the UK is undergoing significant reform this year. The government has announced its intentions to make major changes to the corporate governance system, taking much that is in the voluntary code and shifting it into enforceable regulation. Risk management measures, in particular, are part of this program. Maintaining the GDPR post-BREXIT and providing additional legislation on data privacy are part of the risk management program.

A survey by accounting and consulting firm Grant Thornton in December 2015 showed that only 57 percent of the FTSE 350 companies fully complied with the Code. This, along with popular anger about executive pay, has led the government to take action on corporate governance.

Adherence to the Code by private companies is still voluntary in the UK today. It has always been a precept of UK corporate governance that one size does not fit all, and disparaging reference is often made to the “checkbox system” in US law. But this is changing, as authorities seek more specific, more easily enforceable measures. It is interesting that the current government is seeking to impose compliance with the “Combined Code” on the largest private companies as part of its reform.

There is already legislation, like the Companies Act of 2006, that provides specific direction about aspects of corporate governance. The so-called “Combined Code,” essentially a consolidation of a number of different reports, first took shape in 1992 with the publication of the Cadbury Report. Produced by a committee chaired by Sir Adrian Cadbury, the Report was a response to a series of corporate scandals: the insolvency of the major UK company Polly Peck, and the BCCI and Robert Maxwell scandals.

Cadbury authored the “comply or explain” principle, and in 1994, the Code required obligatory compliance by London Stock Exchange-listed companies, with the proviso that they could opt out and explain their failure to comply.

But that precept has been evolving toward more specific requirements. In 1999, the Turnbull Report set up general requirements for internal controls and audits. Publication of the Code became official when that function was taken over by the Financial Reporting Council in 2006. In 2010, the Council produced a new version of the Code, and there have been a number of updates since then, the latest in 2016.

The Council’s Ethical and Auditing Standards were also revised in that year, and the government designated the Council to be the competent authority for audit, with responsibility for the regulation of statutory audit, including setting auditing and ethical standards, monitoring and enforcement. The Council also set standards for board effectiveness.

In February 2017, the Council announced plans for a fundamental review of the UK Corporate Governance Code with respect to issues raised in a government Green Paper on the subject released late in 2016. Executive pay is a subject of focus, along with boardroom composition and directors’ duties, and risk management is a specific area of interest.

GDPR Fills UK Corporate Governance Gaps

As Deloitte UK noted in a recent study, GDPR and the changing data technology landscape mean that this is a key area of risk for organisations. A number of key risks and impacts are associated with ineffective data management and governance, including regulatory non-compliance and the cost and operational impact of poor data quality, both of which can affect businesses at the boardroom level.

When GDPR comes into force, it will fill gaps in UK corporate governance with regard to data protection – the expression “filling gaps” is not intended to mean that such legislation was lacking, but rather that the need for “checkbox-type” specifics has been perceived as real and pressing.

The “Combined Code” does not address data protection specifically. Rather, it assigns responsibility to directors for risk management, auditing best practices, fraud avoidance and good accounting. Under the terms of the Code, directors who have not upheld their responsibility for these areas, or who have breached their duty of skill, care and diligence, can be held responsible for damages where the company or its shareholders have suffered loss as a result of the breach.

As we have seen, the UK Companies Act of 2006 also lays out general fiduciary duties for directors. There are seven general directors’ duties set out in the Companies Act, which are:

  1. A duty to act in accordance with the powers set out in the company’s articles;
  2. A duty to promote the success of the company for the benefit of its members;
  3. A duty to exercise independent judgment;
  4. A duty to exercise reasonable care, skill and diligence;
  5. A duty to avoid conflicts of interest;
  6. A duty not to accept benefits from third parties; and
  7. A duty to declare to the company’s other directors any interest a director has in a proposed transaction or arrangement with the company.

But the UK Data Protection Act of 1998 does not define the duties of directors and management with regard to controlling data. Rather, it sets up general principles for compliance, as the Institute of Chartered Accountants in England and Wales (ICAEW) summarizes it:

  1. Data is processed fairly and lawfully
  2. Data is obtained only for one or more specified and lawful purposes
  3. Data is adequate, relevant and not excessive when processed
  4. Data is accurate and kept up-to-date
  5. Data is not kept for longer than is necessary
  6. Data is processed in accordance with the rights of data subjects
  7. Appropriate technical and organizational measures are taken against unauthorized or unlawful processing of data and against accidental loss, destruction and damage
  8. Data is not transferred to a country or territory outside the European Economic Area unless there is an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data

As the ICAEW notes, the 1998 Act has been notoriously ineffective, with fraud and data breaches currently costing UK companies about £200 billion per year. The Information Commissioner’s Office has had very little success in imposing fines, which were limited to a total of £400,000.

The GDPR introduces an enhanced set of requirements and challenges for legal and compliance functions to manage, and, in the case of security failure or non-compliance, directors may be held personally liable for damages.

What’s more, the Information Commissioner’s Office has the power to impose fines of up to 4 percent of annual global turnover. The GDPR creates the potential for more invasive investigations, and grants supervisory authorities extensive powers and responsibilities, which include broad investigative and corrective powers. These go far beyond what the Information Commissioner’s Office could undertake previously.

The GDPR introduces significant new requirements around the maintenance of audit trails, which means the audit committee must reorganize its system of internal controls.

The appointment of a Data Protection Officer at the board level is another important specific requirement. As one study notes: “This will present a challenge for many medium to large organisations, as individuals with sought‑after skills and experience are currently in short supply.”

Under the GDPR, data processors will also be required to comply with specific data protection requirements, including those related to cross-border transfers of personal data, security and recordkeeping of processing activities. Consent for use of personal data must be obtained and recorded.

Directors will be required to understand the risks surrounding implementation of new data stores and management platforms, and to drive more insightful and efficient internal audits.

Overall, there is vastly increased accountability for corporate governance at the board level under GDPR. Compliance will involve large-scale reorganization and management change, if the risk of non-compliance penalties is to be avoided.

In addition, as London-based law firm Ropes & Gray pointed out: “The principle of accountability provides an opportunity for organisations to bolster individuals’ trust in them by showcasing their robust data protection efforts and for demonstrating transparency and corporate responsibility. Responsible information handling practices can attract customers, investors, and talent.”

Why GDPR Will Remain in Force After BREXIT

The status of law imposed by EU legislation after BREXIT depends on both the type of legislation and the UK government’s intentions.

Some parts of the so-called “acquis communautaire” have already been implemented into UK law, and others await implementation or complete implementation. EU directives that have not yet been implemented, for example, may never be.

But GDPR is a regulation and, as such, is implemented directly and automatically after passage by the European Parliament on April 14, 2014. Thus, it is already part and parcel of UK law.

The UK government, of course, has the option to revise EU legislation, and there are plans to change much of the “acquis” – but not the GDPR.

Matthew Hancock, Minister of State for Digital and Culture at the Department for Culture, Media and Sport, speaking to Parliament on February 17, 2017, affirmed that the government would uphold GDPR so that data would be able to move easily from the UK to the EU.
