The European Union’s (EU) General Data Protection Regulation (GDPR) is causing a seismic shift in the digital information space, and, whether your company has a presence in Europe or not, the sweeping regulation likely applies. As a director in the era of bet-the-farm digital transformation, familiarity with the basics of GDPR is a must. To that end, Michael Walter and Joel Wuesthoff, experts from Protiviti and Robert Half Legal, respectively, recently presented the ins and outs of the regulation at an NACD Atlanta Chapter program.
Does GDPR even apply to my company?
Effective May 25, 2018, it probably does. The regulation is borderless and applies to all organizations—regardless of size and regardless of whether they have a physical European location—that collect and process personal data of data subjects in the EU. An EU data subject is anyone from whom personal data is collected while in the EU (i.e. data subject is not limited to someone with EU “citizenship”). For example, a skier from Colorado who buys a snowboard online while in the EU may subject the product seller to the GDPR. The rules apply to both data controllers and data processors. The range of information that is protected is quite broad, ranging from vehicle identification numbers to photos to employment information to IP addresses.
If GDPR applies, what’s the big deal?
In the U.S., personal information is often collected as a matter of course, with only an “opt out” offered to consumers. By contrast, GDPR requires that in order to collect information from EU data subjects, an affirmative “opt in” consent must be obtained that clearly specifies how the data will be used. Privacy policies must match. Then, once information is obtained, the EU data subject has the right to request that his or her data be deleted; that is, to invoke the right “to be forgotten.” Incorrect information must be corrected upon request. These rights may seem simple enough, but when data is held in multiple locations, developing a process to handle such requests may be quite difficult.
The burdens of GDPR cannot be outsourced, as companies have joint and several liability with third-party vendors. Due diligence requirements for vendors therefore will be heightened, and all in-scope data processors will need to be GDPR compliant.
What if my company has a data breach or fails to comply?
In the event of a data breach involving an EU subject, the breached company has 72 hours to notify regulators and must notify EU data subjects without undue delay under certain conditions.
Fines for failure to comply with GDPR can be up to 20M Euros or four percent of an organization’s annual global turnover, whichever is higher. Further, data subjects can claim compensation for damages from breaches of their personal data.
GDPR won’t be enforced right away, will it?
The expectation is that GDPR likely will be enforced right away against global organizations that collect large volumes of personal data. However, beware. EU countries continue to hire people for enforcement of the GDPR. Also, since individuals have a right of action, it is unclear whether GDPR will be used as a manner of protest against companies that are unpopular with EU data subjects.
What should I be asking management?
The path to compliance with GDPR will require a multi-functional task force, including information technology, legal, human resources, privacy, and other functions. Directors may consider asking about the key phases of compliance:
Discovery and inventory: Have we identified high risk areas to ensure a focused approach?
Gap analysis: Have we determined exposure and prioritized compliance activities?
Compliance remediation: Are we implementing changes to achieve compliance?
Ongoing compliance: Are we prepared to provide evidence of accountability and compliance?
Boards may also want to discuss the appointment of—and ramifications of having—a data protection officer (DPO), required under GDPR for companies processing large scale data; however, bear in mind that the DPO is a unique intermediary between the regulators, the organization and the data subjects who is required to be an independent actor within the organization reporting up to the highest levels of the organization. Care must be taken prior to appointing a DPO as significant obligations attach once this decision is made.
In short, GDPR’s long reach and substantial requirements merit fulsome discussions in the boardroom, even of U.S. companies. Is your company ready?
Looking to learn more about how your board will be impacted by GDPR? Stay tuned. NACD will release an FAQ brief in May.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
Scott Zimmerman, Phillip Austin, Marty Baumann, Dan Sunderland, and the author discuss “Challenges Facing the Audit Profession” at the AAA’s 2018 Auditing Section Midyear Meeting.
“The new audit report is a great opportunity for the profession.” So spoke Marty Baumann, chief auditor and director of professional standards at the US Public Company Accounting Oversight Board (PCAOB), at a panel during the American Accounting Association (AAA) Auditing Section’s midyear meeting this past January.
I agree wholeheartedly with Marty.
Updating the auditor’s reporting model in the United States represents an extraordinary opportunity, as it has in the United Kingdom and elsewhere. Yet as we discussed on that January panel, with opportunities come challenges—and I have put together some strategies for addressing those challenges.
To understand the opportunities and challenges associated with updating the auditor’s report, it helps to start with the basic elements of the new PCAOB auditing standard.
The standard features a phased implementation approach. The first phase—which affects PCAOB audits of companies with fiscal years ending on or after December 15, 2017—includes disclosing auditor tenure and other changes to the form and content of the auditor’s report.
The second phase of implementation requires communication of critical audit matters (CAMs). The standard defines a CAM as any matter arising from the audit of the financial statements that meets all the following criteria:
was communicated or required to be communicated to the audit committee;
relates to accounts or disclosures that are material to the financial statements; and
involved especially challenging, subjective, or complex auditor judgment.
The effective dates for CAMs to be included in the auditor’s report are (1) fiscal years ending on or after June 30, 2019 for audits of large accelerated filers and (2) fiscal years ending on or after December 15, 2020 for audits of all other companies to which the requirements apply.
What opportunities will these changes bring? Conversation at the AAA panel covered a range of possibilities.
Possible insights for investors. Scott Zimmerman, a partner at EY and its Americas Assurance Innovation division, said that each audit should result in “some type of meaningful insight.” Baumann suggested that such insights can “add to the total mix of information that investors use in making decisions,” and offered his view that the audit report could, for some investors, even become “the first place to go in a very big 10-K with a complex set of financial information.”
Differentiation via technology. As a digital expert, EY’s Zimmerman knows how technology can be a competitive differentiator for audit firms, particularly as use of data analytics and artificial intelligence grows. He noted that EY, like many firms across the profession, is examining how technology can be leveraged in the context of the CAMs that will be communicated in an expanded auditor’s report.
Future academic research. As each audit generates insights, academics can sift through the data to track broader patterns in financial reporting. Baumann noted that researchers might investigate possible correlations between CAMs and stock prices, for example, or financial disclosures.
While acknowledging the excitement around these and other opportunities, panelists also recognized challenges.
Boilerplate potential. In December 2017, US Securities and Exchange Commission Chair Jay Clayton quipped that it would be a “bummer” if CAMs devolved into boilerplate language of little or no use to investors. At the AAA meeting, panelist Dan Sunderland, chief auditor and national leader for Audit and Assurance Services at Deloitte & Touche LLP, noted that the nature of the disclosure in CAMs would be the “keys to the kingdom”—and that auditors are well aware of the importance of avoiding boilerplate.
Interference with audit committee communication. Panelist Phillip Austin, the national managing partner of Auditing at BDO USA, noted that, with the new disclosure of CAMs, some company executives might be tempted to “manage” communication between the auditors and the audit committee.
Disclosure tension. In the discussion, panelists contemplated scenarios where auditors may disclose in CAMs information that management is not obliged to disclose. “That’s going to be tricky,” said Austin. Baumann indicated this would be an area that the PCAOB would track carefully.
Strategies for Success
To make the most of the opportunities presented by the new report, panelists discussed strategies to address the challenges of implementing the new reporting models. Audit committee members should become familiar with the following strategies for success.
Maintain open dialogue between auditors and audit committees. As with many items related to the financial reporting process, strong and ongoing communication will be critical around the new auditor’s report. Baumann cited the importance of dialogue around challenging issues, such as revenue recognition or significant and unusual transactions that a company might have, that could be critical audit matters. To foster this dialogue, the Center for Audit Quality (CAQ) has produced a tool for audit committees regarding changes to the auditor’s report.
Pilot-testing. For auditors, “the critical thing is to try to pilot things in the short run,” said Sunderland. This pilot-testing should involve auditors talking through the process with the audit committee, he added.
Pay close attention to the post-implementation review. For regulators, it will be vital to monitor implementation of the standard, particularly given risks such as creeping boilerplate. Marty Baumann voiced the PCAOB’s strong commitment to robust post-implementation review, starting with the implementation of CAMs.
What challenges, opportunities, and necessities do you see regarding updating the auditor’s report? I welcome your thoughts in the comments. And be sure to visit the CAQ’s resource page on auditor reporting for more information.
Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.
What trends will heat up the next proxy season and beyond? That’s a burning question for the 80 percent of public companies that hold annual meetings during the first half of the year according to statistics from Broadridge, as well as for those that will wrap up the year later in the fall mini-season. Prognosticating what’s to come this season is no easy task, since proxy season is a complex process.
Sometimes the trends we predict are no more than wishful thinking. To make plausible predictions, we must find empirical clues from shareholder resolutions (hundreds each year), director elections (at thousands of companies each year), and then consider the activity that happens behind the scenes in private dialogue.
Bearing in mind our evidence, we can ask a number of questions:
What new rules will be effective? New requirements will raise expectations during this proxy season.
What proposals were most successful in 2017? Success (getting more than a 50 percent vote) emboldens proponents, so these issues are unlikely to go away.
What proposals were most frequent in 2017? Even if vote tallies are low, proponents may try again.
What proposals or other actions are being planned right now for the 2018 spring season—based on survey data and other sources?
After seeking answers, we will conclude with what we think will be hot in the 2018 proxy season.
Clue 1: What new rules or policies will be effective?
Proxy seasons can be shaped by new rules put in place by the Securities and Exchange Commission (SEC), as well as by new voting policies from proxy advisors such as Institutional Shareholder Services (ISS). This spring, a few major developments are notable. First, this is the first year that the pay ratio rule will require disclosure of the ratio between the total pay of a company’s median employee and its CEO (or, alternatively, the median total pay of all the company’s employees, minus the CEO). Despite new SEC guidance on calculation, the results, when disclosed prior to the annual meeting, are likely to spark some shareholder outcry at annual meetings.
A few additional issues stand out based on the 2018 ISS Americas Proxy Voting Guidelines Updates. ISS has said that it will support shareholder proposals asking for more disclosure on environmental risk, and its updates point to recent policy changes from the Task Force on Climate-Related Financial Disclosures (TCFD). “The updates to ISS’ climate change risk policy better align it with the TCFD’s recommendations, which explicitly seek transparency around the board and management’s role in assessing and managing climate-related risks and opportunities,” the report says. Other proxy season trends may include more support for resolutions opposing excessive director pay and resolutions supporting gender pay equity, as predicted in this recent report from Gibson Dunn.
Clue 2: What proposals were successful last year?
Let’s look at the most successful proposals at the 250 largest companies by revenue throughout 2017 according to full-year data from Proxy Monitor. This source is representative of broader trends because, as noted in Proxy Monitor’s early 2017 overview, shareholder proposals are more common at the largest companies. Moreover, “the companies in the Proxy Monitor database encompass the majority of holdings for most diversified investors in the equity markets, making this analysis appropriate for the average shareholder.”
According to the report, governance proposals seem to take the prize. Fifteen of the 294 investor proposals at the top 250 public companies in 2017, or about 5 percent, received a majority vote. Most of these winners can be called “corporate governance” proposals, rather than social issues. Three were for environmental impact reports (at Occidental Petroleum Corp., Exxon Mobil Corp., and PPL Corp.), but all the rest had to do with governance.
Five proposals were victories for proxy access (National Oilwell Varco, Humana, IBM, and Kinder Morgan, Inc.), five for simple majority voting (Cognizant Technology Solutions Corp., Marathon Petroleum Corp., L Brands, Paccar, and First Energy Corp.) and two were specific governance proposals. Shareholders at CVS Health Corp. voted to reduce required ownership to call a special meeting, and shareholders at ADP voted to repeal a bylaw provision that had been adopted without shareholder approval. That vote happened in November, in the so-called “mini-season” (the one experienced by the 20 percent of companies that hold their annual meeting in the second half of the year).
Clue 3: What proposals were most frequent last year?
Now let’s look at the resolutions proposed most frequently last year. Looking again at the 294 resolutions studied in the Proxy Monitor data, the trends are clear. Classifying the proposals generally into the three categories, we see that social policy, with 164 resolutions, was the most popular proposal category, followed by corporate governance issues at 107. Executive compensation did not draw shareholder ire; only 23 resolutions focused on it, down from higher levels in the past.
Within social policy, the double-digit issues raised across at least 10 companies were environmental (48 issues were proposed—or 52 if you count four “sustainability metrics” proposals), lobbying (38), political spending (13), employment rights (17), gender equality (12), and human rights (12).
Diversity proposals are also notable. Although they were relatively rare compared to other 2017 issues, they showed signs of growth. There were only three such proposals at major companies the previous year, while there were five in 2017. Furthermore, although they did not propose board diversity resolutions, State Street Corp., a major institutional investor, voted against directors serving on nominating committees for boards without women, and BlackRock also voted no at some boards over the diversity issue.
Within corporate governance, the double-digit issues were chair independence (28 resolutions), proxy access (22), and special meetings (15). Remaining corporate governance issues were introduced at 9 or fewer companies. Although ISS flagged director overboarding as an issue for 2017 and revised its guidelines accordingly, there were no proposals about this last year.
Finally, within executive pay, no particular issue dominated. Various new requirements in pay approval and pay disclosure (say on pay, pay ratio, etc.) have largely resolved this issue.
Clue 4: What proposals or other actions are being planned for 2018?
As of early January 2018, we have little data on shareholder resolutions to be included in 2018 proxy statements. While some companies have already released their 2018 proxies, none of these contain shareholder resolutions. However, we do know what ISS is recommending with respect to shareholder resolutions in the newest revisions to its proxy voting guidelines for 2018.
As reported in the Wall Street Journal on December 22, companies preparing their 2018 proxy statements can expect “continuing pressure from investors to enhance disclosures regarding board composition, climate change risk, and cybersecurity.” The prediction is based on a survey conducted by executive search firm Russell Reynolds. Secondary trends included the usual mix of corporate governance, board composition, and executive compensation.
Of course, shareholder proposals are not the only way to change a company. Instead of submitting a shareholder resolution on an issue, a shareholder can wage a so-called proxy fight by sending investors a separate proxy voting card with an alternative slate of directors, or, in the case of companies with proxy access, by including a dissident slate in the company’s proxy. (There is still no such thing as a universal proxy card that allows investors to mix and match candidates from the nominating committee and dissidents, despite an SEC proposal in that regard.) According to FactSet, 2017 saw 75 proxy fights for board seats. While this is fewer than in 2016—which at 101 proxy fights was a banner year—the battles were waged upon household names: ADP, General Motors Co., and Procter & Gamble Co., among others.
What’s Hot and Why
Here is our short-list of five proxy issues that are likely to appear in 2018.
Pay Ratio. Shareholders will be reading these disclosures for the first time.
Environmental proposals. They have been both frequent and successful in recent times, and ISS is drawing attention to them again this year.
Governance mechanics. Why? Because they matter. They are rarely discussed by bloggers due to their dry and technical nature, but governance issues continue to be popular proxy issues, with more than 100 last year, and with the highest rate of success (12 wins last year—a strong result since majority votes on resolutions remain extremely rare).
Activism. As Douglas Chia, head of corporate governance at the Conference Board, stated in a recent Equilar report, “public company boards will have their work cut out for them in 2018 with activism continuing to dominate the governance landscape.”