UK: GDPR Threats and Board of Directors – Is Your Board Ready?

A vast majority of UK companies still run the risk of data exploits due to unsecured vulnerabilities. Boards have the responsibility of seeing that such security weaknesses are repaired. In fact, board members may be held personally liable for failure to do so. Establishing a solid programme of cyber risk management is critical. The methods of data collection and use, and the technologies employed to accomplish them, must be structured with data security in mind; this includes the software and systems through which private data passes, with documented standards and practices to minimise your attack surface. And boards must appoint a Data Protection Officer, ideally at the board level, who can oversee the entire process.

Danger of Data Exploits

According to a survey by Black Duck Software, 62 per cent of companies have serious and dangerous vulnerabilities in their systems, making them easy victims of data exploits (attacks). The European Union’s General Data Protection Regulation (EU 2016/679) (GDPR) will come into effect in the UK and the EU on 25 May 2018.  In the UK, it will be enacted in the form of a new Data Protection Bill replacing the Data Protection Act of 1998. The Bill is intended to provide the UK with comprehensive data protection legislation that harmonises with that of the EU, according to the Information Commissioner’s Office (ICO).

Definition of Data Exploits Under UK Version of GDPR

The mitigation of data exploits, or the control and management of vulnerabilities and threats to cybersecurity, is a priority under the Data Protection Bill and follows the breakdown used in the GDPR. Data security must be assured by design and by default, according to Article 25 of the Bill.

“The methods of data collection and use, and the technologies employed to accomplish them, must be structured with data security in mind; this includes the software and systems through which private data passes, with documented standards and practices to minimise your attack surface. Article 25 specifically calls for measures which ensure that personal data is not made accessible without the individual’s permission. Any negligence to take reasonable steps to identify and patch known application vulnerabilities, or to evaluate risks associated with third-party APIs, could be viewed as failure to comply with this article,” comment analysts at Black Duck Software.

The UK Institute of Risk Management explains that it is critical to establish a flow of appropriate risk management data throughout the organisation, particularly data relating to forward-looking key risk indicators. A coherent risk management programme, supported by solid internal control technologies, is the key to assuring risk forecasting in the future, the Institute says.

The risk of data exploits must be anticipated and protection must be assured. “It is important to institute controls and policies to manage risk before it can put your applications and data in harm’s way. With automated policy enforcement, and integration of such policies into development and deployment tools, you can further enable security and legal teams to support GDPR compliance by preventing vulnerable open source components from entering your applications or from being pushed into production. For the greatest influence, structure policies based on variables like development phase, deployment model, vulnerability severity, component version and release date,” the Black Duck Software analysts say.

Learn the 8 ways board directors should be preparing for GDPR right now or book a demo to find out more about how we can help.

Boards Bear a Heavy Responsibility

Nigel Houlden, Head of Technology Policy at ICO, wrote, “Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”

“And, under the General Data Protection Regulation taking effect from 25 May this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously,” Houlden added.

Are your Board of Directors Ready?

As a first step to being GDPR-ready, companies (and their directors) should be able to confidently answer the following, according to consultants at the London-based Ashfords:

  1. What personal data do we hold?
  2. Where is it?
  3. What is it being used for?
  4. How secure is it?

Depending on the nature and size of an organisation, answering these questions could involve significant time and resources. Accordingly, if they have not already done so, boards should start allocating budget for this now. Finding and analysing data, and then ensuring that it is, amongst other things, accurate, up-to-date and only processed for the specified purpose, can take a lot of time.

Given the level of potential fines and reputational harm, a board’s failure to ensure protection of personal data may be considered a failure of directors’ duties to promote the success of the company and/or to exercise reasonable care, skill and diligence, which could result in action for damages and/or termination or disqualification.

All private organisations should consider whether they should appoint a Data Protection Officer (DPO) at the board level.

The DPO will be responsible for advising the organisation of their obligations and monitoring compliance. They must report directly to the highest level of management and have ‘expert knowledge’ of data protection. Larger companies must appoint such an officer, although not necessarily at the board level. But there are considerable advantages to doing so.


Find out how Diligent’s Governance Cloud helps organisations monitor compliance with legislation.

Diligent Board of Directors Software Automates Compliance and Security

Governance Cloud is Diligent’s ecosystem of cloud-based governance tools that provides a complete solution to enable leading bodies of organisations to mitigate risk and collectively govern at the highest level.

Seasoned in the governance space, Diligent has been in the leading position in the market for more than 15 years, offering the industry’s leading, most secure and intuitive board management technology. Our deep customer insights and heavy investment in R&D have allowed us to expand our offering to support the full governance journey. The Diligent Board Portal also provides the highest grade of encryption for all content so that directors may communicate and share documents in a completely secure environment.

Board Portal Buyer’s Guide

With the right Board Portal software, a board can improve corporate governance and efficiency while collaborating in a secure environment. With lots of board portal vendors to choose from, the whitepaper contains the most important questions to ask during your search, divided into five essential categories.

Featured Blog