Compliance with data protection laws is the ultimate responsibility of the Board of directors of every organisation. Every Board or sub-committee, such as the audit and risk committee (ARC), must be aware of its current compliance status and the operation of its data protection framework.
While this responsibility can be delegated to management, it is also important to note that, technically speaking, it is not the responsibility of the DPO, whose role it is to guide and advise. The reason for this is a potential conflict of interest. A solution is to outsource your DPO.
Under the Data Protection Act 2018, directors may be liable for a fine of up to €50,000 and/or five years imprisonment if they are found to have allowed the organisation to commit an offence through consent, connivance or negligence.
With the recent Uber decision in the US, the pre-GDPR IKEA case in France, and most relevant to, Ireland, the ICO has made personal monetary penalties against company directors. These actions demonstrate an appetite to keep senior management and company directors accountable for their actions. At the time of writing, we are unaware of any such actions against company directors in Ireland, but penalties will inevitably be made.
The data protection world is changing rapidly with the onset of fines, decisions and guidance from regulators, and evolving technology and new legislation. As such, it is crucial that organisations remain vigilant to change and can proactively manage it, avoid risks and improve opportunities.
Some key data protection questions for Board members to ask include:
We regularly receive such questions at ARC meetings or in our updates to Boards where we act as the outsourced DPO. The questions should pull further information from the organisation and ensure that senior management is accountable for ensuring effective compliance efforts. It also emphasises the level of priority that the Board places on data protection compliance.
For an organisation to have data protection embedded, the Board should oversee change and the direction of data protection. This should be tailored to the organisation, considering its sector and industry. The below demonstrate examples of what high, medium and low levels of Board involvement may look like in an organisation:
We regularly identify gaps with Board involvement where the only data protection information they receive is a single risk in the enterprise risk register. This is a failure on both the Board and the data protection framework. The Board should be involved as much as required to be aware of risks and compliance status. This means receiving more information than a single risk can provide.
Every organisation has a data protection framework, some more formalised than others. Your framework must operate effectively, ensuring you will achieve your desired outcomes.
You will be able to know that your framework is effective if:
Many organisations made regular updates to the Board in 2017 and 2018 when implementing their framework, but the urgency has moved to other areas and priorities. Recently we have seen a growing number of organisations looking for assistance with their programmes. They have made no changes since that initial project leaving them non-compliant with current guidance and case law.
There are many reasons to keep privacy in your strategic plans ranging from compliance, fine mitigation, risk management and consumer trust. Evidence is mounting that demonstrates consumer sentiment is changing. People are becoming more concerned about how their personal data is protected and are making more choices based on these concerns. No stronger evidence is needed than actions being taken by the world's largest consumer technology firms' efforts to increase privacy and security, as seen with Apple's push to give more control to users about tracking across applications.
To use privacy as a strategic and competitive advantage, the direction needs to come from Board level and be embedded into the company culture. The most effective programmes are in organisations with clear ownership of data protection at the very top level, and the messaging is clear and well communicated.
Data protection is changing and evolving as the business world changes and adopts new technology. Ensuring your organisation has the right tools and people to manage these changes is critical.
To do so, the Board need to:
Data protection starts and ends in the Board room.
Got a question? Just get in touch
We have insights into developments that affect your business. We can provide you with unique perspectives and thoughtful solutions so you can meet new challenges and seize opportunities.
Since the start of the year, many Central Bank of Ireland (CBI) articles and speeches have called out the Payments Institutions (PI) and Electronic Money Institutions (EMI) sector as being one of increased risk. One area of focus has been the wind-down plans for relevant institutions, ensuring that these are credible and prioritising minimising any negative impact on consumers.
2024 has seen the appointment of two new commissioners in the Data Protection Commission (DPC). The Digital Services Act is now effective, with several large organisations already being required to comply and establish a new regulator, Comisiún na Meán.
The role reports to the President and provides executive, administrative, and development support. The Director of the Office of the President serves as the primary point of contact for internal and external stakeholders on all matters pertaining to the President, serves as a liaison to the Governing Body and senior leadership team when required, and oversees internal and external communications for...
Tailored solutions for assurance and value creation in a changing world
Mazars supports you in achieving and maintaining data protection & privacy compliance.
Mazars provides outsourced data protection officer (DPO) services to organisations that do not wish to directly employ a DPO
Mazars has partnered with Europrivacy to provide companies with General Data Protection Regulation (GDPR) compliance certifications. This is the first GDPR certification to be created since the launch of the GDPR four years ago, and has been authorised by the European Data Protection Board (EDPB). This certification positions companies as front-runners in data protection with a strong competitive...
A GDPR audit provides you with assurance of your data protection compliance efforts.
Mazars DPIA methodology has been developed using years of experience, ensuring that risks are identified and mitigated in line with business needs while keeping a focus on individuals.
Satisfying subject access requests can require a very significant amount of time and effort. Gathering the data, filtering out the irrelevant records, making decisions on what is necessary to include and redacting information appropriately can turn one SAR into a project in its own right.
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.