by Alan Nance

Tremors in the boardroom as GDPR moves the regulatory paradigm from compliance to exposure

Mar 14, 2018

Any business leader who wants to sleep at night after May 25th, 2018, will need to move from a defensive to an offensive posture on GDPR.


Unless you have been living under a rock, you will be aware of the impending activation of the General Data Privacy Regulation on May 25th of this year. The shocker is that many organizations are only now beginning to realize the potential impact of this new regulatory direction of travel on their business. Cap Gemini estimates that many organizations will not be ready.

The impact of GDPR is so potentially devastating to an organization that it can be considered a watershed in how regulators govern areas of public concern.

GDPR is audaciously crafted to ensure that the most significant tech companies of our time, Google, Apple, Microsoft and Facebook, will be forced to take heed. Major public showdowns over the years between EU Commissioners such as Ms. Neelie Kroes and Ms. Margrethe Vestager and these large enterprises have taught the EU that if one is to tame industry giants, regulation needs to be much bolder, even more impudent, than what has gone before. Enter GDPR.

The compliance requirements of GDPR in themselves are very reasonable. So reasonable that a false sense of security prevails in the boardroom. That is why most companies have approached their GDPR challenge as a compliance exercise. After all, you have lived through and survived other compliance regimes such as SOX, FDA, HIPAA and MiFID.

Why change a successful approach?

In a nutshell, there are two reasons why a board member of a large organization should be concerned:

  1. The effect of a combination of sanctions
  2. The presumption of guilt when potential violations occur in its application

These new factors mean that every senior executive needs to consider their exposure to the effects of GDPR in addition to their compliance with GDPR.

As my colleague, Simon Walkden, explained in an earlier piece, GDPR will take some time to reach maximum force. The dangerous thing for business leaders is that the regulator believes you have already had a two-year transition period to prepare. So, what have you done? Do you now understand your potential exposure?

Does this affect you?

Companies with a strong domestic/offshore culture might be particularly at risk of underestimating their exposure to GDPR. US companies, for instance, might not realize that they are fully liable for fines over their worldwide income for breaches of GDPR affecting any EU citizen. So irrespective of whether your organization is domestic to the EU or trading from outside of the EU, if you hold or process data from an EU citizen you are potentially in scope. A recent survey by HyTrust indicates that 80% of US companies are exposed to GDPR.

Types of GDPR exposure that can affect you

There are four types of exposure that can affect your organization:

  1. Vicarious liability including a variation of class action suits
  2. Regulatory fines
  3. Director’s personal liability
  4. Reputational risk through disclosure and investigation

1. Vicarious liability

In the Morrison’s case, now working its way through the courts, a class action suit by employees seeks damages for a willful breach of their privacy by a rogue employee; it has been initially successful, though it is under appeal.

2. Regulatory fines

Because this legislation was crafted precisely to address multi-jurisdictional reach, within and external to the EU, companies with recent breaches should hear alarm bells ringing in their boardrooms. Consider what Equifax, Uber, Sony, and eBay would have experienced under GDPR: a variation of class-action suits, personal liability for their directors and millions of dollars in regulatory fines (4% of global turnover, with a maximum of 20 million Euros for each infraction that involved an EU citizen).

Getting GDPR wrong can seriously impair and even destroy an enterprise. While some argue that the US Congress has overly protected Equifax following its recent breaches, GDPR would have taken Equifax to the cleaners. Consider in this context that the Equifax breach is estimated to have affected between 400,000 and 4 million EU citizens.

3. Director’s personal liability

The manner in which personal liability is arranged varies from country to country. The UK, Italy, and others have chosen to make directors liable. The global law firm Norton Rose Fulbright points out that under German law, directors can be held accountable for breach of their duties, which include a responsibility to ensure that the IT infrastructure of a company is sufficiently protected in order to ensure the security of data and the avoidance of cyber risks.

4. Reputational risk through disclosure and investigation

It isn’t just breaches; even simple requirements such as Article 17, the Right to Erasure, more commonly known as the ‘right to be forgotten’, can trip up organizations. How confident are you that your company can identify and erase all traces of an EU citizen when asked to do so?

In this respect I would also advise boards to consider another, less discussed aspect of GDPR when evaluating their potential exposure: the demeanor of the leaders of the National Data Protection Authorities. Each EU country has appointed an executive to lead their GDPR enforcement. Many of these appointees have, during their career, developed a strong sensitivity to politics. Several have a long track record in government. We can safely assume that they will react visibly and forcefully to breaches that offend the public.

The renowned GDPR expert, André Biesheuvel, has been involved in GDPR from day one and is a Principal at GDPR experts Duthler Associates. He states, ‘many organizations have not recognized the essential paradigm change in GDPR compared to other regulations. They have fallen into the trap of relying on auditors and lawyers to arrange compliance rather than address the true threat, which is financial and legal exposure.’

The board should also consider unintended cumulative effects of separate regulations. Other regulatory directives can compound the exposure to GDPR for affected organizations. A great example is the UK’s Open Banking regulations, which came into effect on January 13th of this year. Open Banking requires the UK’s largest current account providers to open their data via a set of secure application programming interfaces (APIs). The BrightTALK website has explained that Open Banking will force banks to shift from being one-stop shops for financial services to open platforms where consumers can start to embrace a more modular approach to banking by giving verified third parties direct access to this data.

The fact that Open Banking is frequently happening on an infrastructure of dubious legacy should alarm the leaders of those account providers given the imminent activation of GDPR. Indeed, The Financial Times warned about this as far back as 2015.

Mark de Jonge, Senior Partner at Roland Berger, the leading global consultancy of German heritage and European origin, explains, “for executives, the financial and commercial exposure arising from GDPR is much more onerous than the compliance requirement itself. Financial institutions are among the most likely organizations to suffer, owing to the extent of personal data they accumulate, their reliance on legacy technology to store and process it, the sensitivity of such data and its potential value.”

So, what should you do?

Look beyond compliance, to understand and mitigate your potential financial and legal exposure!

The law firm DLA Piper is clear: “GDPR is not a legal and compliance challenge – it is much broader than that, requiring organisations to completely transform.”

Any business leader who wants to sleep at night after May 25th, 2018, will need to move from a defensive to an offensive posture on GDPR. Look beyond compliance, to the potential financial and legal exposure that accompanies this new breed of regulation and take steps to protect and mitigate that exposure before the rude awakening.