On May 25, 2018, a major new piece of data protection regulation will come into effect across the European Union (EU), and with it comes the potential for hefty fines or penalties for your organization. Even if you do not directly operate in the EU, chances are that the General Data Protection Regulation (GDPR) still pertains to your company.
The regulation covers any entity that processes the personal data of EU citizens (referred to as “data subjects”), even if the organization does not provide goods or services to EU citizens and only handles or processes their data. Unless you are categorically sure that your organization does not and will not process EU citizens’ personal data, compliance is not optional.
The fine for an infringement can be €20 million (approximately $23 million at today’s exchange rate) or 4 percent of your worldwide annual turnover, whichever is higher. It is essential for directors to pay attention to the data and information security practices in place to ensure that the organization is prepared and compliant.
The Policy Details of GDPR
The GDPR was written to ensure that organizations:
protect the personal data of ‘EU Natural Persons’ (i.e. living people);
are transparent, fair, and lawful about the processing of personal data;
only request and process necessary personal data;
do not share data with third parties or countries unless the correct legal agreements and processes are implemented; and
gain consent from data subjects to process their data.
Personal data is defined in the policy as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
There are six principles that apply to the processing of personal data. According to the policy, personal data shall be:
processed lawfully, fairly, and in a transparent manner;
collected for specified, explicit, and legitimate purposes;
adequate, relevant, and limited to what is necessary;
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
processed in a manner that ensures appropriate security of the personal data.
Data subjects are provided with a set of legal rights under GDPR, including the right:
Each EU member state has a designated supervisory authority. These regulatory bodies are responsible for monitoring the application of GDPR, and have the power to audit organizations and to impose warnings, reprimands, and fines for an organization’s violations. When breaches of personal data occur, companies will be subject to a high level of scrutiny, and will have only a 72-hour window in which to report the breach. A personal data breach is described as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
There is a requirement for some organizations to appoint a data protection officer (DPO), whose responsibility it is to advise and inform on GDPR and to monitor compliance within the organization. The DPO acts as the main contact for both data subjects and the supervisory authority, must report to the highest level of management within the organization, and cannot perform any tasks or duties which result in a conflict of interest.
You need to ensure your organization has fully investigated the nuances of the requirements to ascertain whether you need to appoint such a role or prepare to meet other personnel or technical demands.
Where do we start?
Your organization first needs to define the team that will drive GDPR compliance and management. Within the C-suite this should include the chief information officer and the chief information security officer, in addition to representatives from legal counsel, human resources, risk and compliance, and privacy. Determine if you need to appoint a DPO. Once your team is assembled, assess your current state, so that you can plan next steps accordingly. This team should present results at least to your board’s audit committee, if not the full board, given the financial and reputational risks involved.
Understand your personal data retention
You should ask your GDPR team the following questions to determine what categories of personal data your organization is dealing with:
To whom does data you collect and retain pertain?
Is it necessary to collect and keep this data?
If so, how long do you need to keep it?
Do you have permission from the data subject to process the data?
How is consent obtained from data subjects for each method of personal data collection?
Encourage your team to follow others’ personal data on its journey through and beyond the organization. Doing so will help the GDPR team understand how the data is collected, stored, transmitted, accessed, and secured, and understand where and how it is passed on to any third parties.
Review how your organization collects consent from individuals to process their personal data
EU citizens must be able to give and rescind consent for their personal data to be processed. Consent means any “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In a contractual situation, the provision of a service may require personal data to be processed in order for the service to function correctly. In this case, this has to be made clear to the data subject when they register for the service.
Identify partner and supplier risk
Review third-party legal agreements to ensure that EU citizens’ personal data provided to a third party is handled in a compliant manner. Otherwise, your organization will be held accountable for a vendor’s data breach or data loss. If you process personal data on behalf of another organization, you will need to demonstrate your compliance with GDPR, and ensure your legal agreements reflect this accordingly.
Ensure your cybersecurity programs are up to par
Your security posture and processes impact the journey and security of personal data, and should be assessed accordingly. GDPR Article 32 stipulates that you must ensure a level of security appropriate to the risk involved with the data. This might require adjustments to your security program, especially if you have weighted your security setup to focus primarily on prevention and are lighter in the areas of detection and correction. Visibility across your ecosystem is vital for determining risk. Knowing your weak points will help you understand where to bolster your security, and testing out your processes will determine whether they are fit for purpose.
Get regular updates on progress and status
As individual reviews are completed, have each leader report back to the core and leadership teams with a set of prioritized actions and milestones. Set up a frequent cycle of reporting to understand the progress of your GDPR compliance status. The spring of 2018 is clearly too late to be finding problems.
If your organization employs, partners with, or serves people who are citizens of the European Union, you are subject to GDPR. Given the detailed stipulations of the regulation, along with the threatening risk of steep fines, it’s not something you can get away with ignoring or postponing. As a board member, you’ll want to ensure the organizations you serve are prepared to meet the challenge and reduce the risk.
Corey E. Thomas is president and CEO of Rapid7. He is a director of Blue Cross Blue Shield of Massachusetts and the Greater Boston Chamber of Commerce.
It has become clear that Britain’s vote to leave the European Union (EU) is a major disruption to global business plans, and its consequences clearly rise to the board level. Ongoing political chaos in the United Kingdom (UK) is having seismic economic effects and has already amplified downside political risks across Europe.
“Wait and see” is a dangerous response to a highly uncertain situation. Proactive board leaders can undertake several immediate initiatives that will minimize the damage to 2016 results in Europe and improve the resiliency of your company’s plans for 2017 and beyond.
What we know today: The UK’s economy will contract next year. Frontier Strategy Group’s (FSG) Europe, the Middle East, and Africa (EMEA) Team forecasts a sharp slowdown in UK growth in the second half of 2016, deepening into a recession of -0.5 percent in 2017. Regardless of the pace and the aim of its exit negotiations with the EU, deep splits within the UK’s major political parties and energized independence movements in Scotland and Northern Ireland guarantee governmental dysfunction and depressed sentiment among consumers and businesses.
Beyond the UK, certain economies are especially vulnerable. Ireland, Norway, and the Netherlands will be hurt quickly as UK demand shrinks. Around the world, UK and European economic woes are likely to hit Poland, South Africa, Algeria, Azerbaijan, Bangladesh, and Costa Rica especially hard in their respective regions.
What we won’t know anytime soon: As of yet, it is impossible to predict (1) whether the European Union will change fundamentally or lose additional members, (2) the political and economic effects of energized populist parties in many European countries, (3) the downside risk to the UK from regional separatism, or (4) the new destinations for foreign investment that may leave the UK. Scenarios and contingency plans are essential tools to manage risk and identify targeted opportunities in this environment.
Bolster Commercial Execution in the Second Half of 2016
Boards should expect to receive a rapid-response sales strategy review from UK executives and risk assessments for Europe overall. Is management being sufficiently proactive in managing new risks?
Prioritize risks to 2016 sales targets—In the UK, business investment is most likely to see near-term declines as companies worried about growth move to limit expenditures (hiring is sharply down in London), while consumer sentiment will be dragged down by housing-price shocks. Sterling and euro depreciation will hit specific customer segments hard. Expect management to proactively engage customers about changes to their expected spending, and redeploy sales and marketing resources to the least vulnerable territories.
Target contingency plans on talent and finance—Uncertainty about visa requirements for Europeans in the UK (and for non-UK citizens generally) is a serious engagement and retention risk. Currency effects are wiping out margins for some UK subsidiaries and should force a near-term rethink of hedging and payment terms. Expect management to document contingency plans with signposts and priority actions by function, especially for finance and human resources (HR).
Track leading indicators of changes in demand—Volatility in currency markets and commodities markets will have global ripple effects on business and consumer sentiment, and on government finances—especially in emerging markets. Ask if European management teams are adjusting their dashboards and monthly/quarterly agendas accordingly.
Stress-Test Strategic Plans for 2017 and Beyond
The next planning cycle will be more demanding than usual. Updating forecast data is a small part of the needed response. So much will remain uncertain that plans for Europe (and for markets with links to Europe) should be stress-tested for resiliency against downside scenarios. Contingency plans should be put in place for big bets.
Use scenarios to model UK and EU demand—FSG’s benchmarking found that simple scenarios are key to organizational alignment and resilience; the companies that do this best grow market share 2.1 times faster than their competition in volatile markets. My pre-Brexit vote NACD post highlights a range of risks worthy of incorporating into scenario plans.
Evaluate risk exposure in European operations and the supply chain—Profitability and pricing power for imported products will diminish if barriers to trade with the UK increase and European currencies weaken further. Scenario analysis can help evaluate potentially improved returns from localized production and supply-chain structure.
Rethink Europe/EMEA hub locations—Potential changes that affect HR, legal, regulatory, and finance teams may tip the scales in favor of revisiting the UK as a hub for EMEA, Europe, or Western Europe leadership and operations. Balance financial and political/reputational considerations along with change-management costs. Retention of European nationals currently based in the UK is becoming a factor as well.
Reassess global market-portfolio prioritization—Long-term investment plans for Europe must be rebalanced given the likelihood of a UK recession in 2017 and ripple effects varying among other European countries. Moreover, investment cases for Europe are likely to face sharply skeptical review even as EMEA leaders strive to make up the gap that UK underperformance will create. At the global level, Asia-Pacific and Latin America leaders have an opportunity to put forward more aggressive plans for 2017 and beyond. India in particular is a substantial market that remains under-penetrated by foreign companies; higher-risk big bets there may be more warmly received when Europe looks so uncertain.
When uncertainty is high, boards have a valuable role in helping management bring focus to the most important decisions rather than falling victim to firefighting and analysis paralysis. Companies that set a proactive agenda now for a mid-year course correction and forward planning will be well positioned despite market volatility in the year ahead.
Joel Whitaker is Senior Vice President of Global Research at Frontier Strategy Group (FSG), an information and advisory services firm supporting senior executives in emerging markets.
This Thursday, the United Kingdom (UK) will vote in a referendum on whether to leave the European Union (EU)—referred to as the “Brexit.” Opinion polls have shifted sharply over the past two weeks to indicate that the likelihood of Brexit has increased substantially, but Frontier Strategy Group continues to believe that the UK will vote to remain in the EU, albeit by a very small margin. Opinion polls have been extremely inaccurate in the past two UK elections and we believe some hesitant voters will choose to remain in the EU in a conservative bias that we saw in both the parliamentary elections last year and in the Scottish referendum. Markets are also interpreting the murder of pro-EU Labour MP Jo Cox as likely to damage the Leave campaign.
A narrow win for the Remain campaign—our baseline scenario—is unlikely to alleviate the grievances of those supporting Brexit and would cause deeper tensions within the UK’s Conservative Party, raising the likelihood of early elections and another referendum in the next couple of years. While the economic impact of these trends would be relatively modest, lingering uncertainty would cause investments to underperform.
Should Brexit happen, however, multinational businesses would be affected in several key ways. Besides the initial financial volatility and somewhat weaker growth in Europe, most of the broader effects of Brexit outside the UK would be slow-moving, although their long-term implications could be significant enough to reshape the European Union. Companies need to be prepared for short-term volatility—particularly of currencies—but should Brexit occur companies can expect to be gradually adapting to its effects for at least the next two to three years.
Financial-market volatility and currency depreciation
The possibility of Brexit has already rattled currency, bond, and equity markets and this volatility will increase in the immediate aftermath of the event should Brexit occur. The British pound could depreciate by as much as another 10–20% against the United States’ dollar (USD) in the aftermath of Brexit, and the euro would also likely lose value, possibly as much as 5–10% against the USD. The scale of the losses would likely be temporary, but neither currency would be likely to recover to pre-Brexit levels. Brexit would also dampen investment confidence, softening commodity prices and causing overall financial market uncertainty. Added to a backdrop of weak global growth and deep concerns about China’s slowdown, Brexit would prompt another bout of volatility that would cloud corporate expectations and complicate 2017 planning for emerging markets generally.
Growth in Europe
Brexit would cause a slowdown in UK investment and business activity. A similar, though smaller, effect would be likely in the EU as a whole. Markets strongly linked to demand from the EU—such as North Africa, Eastern Europe, and parts of Asia—would see a softening of demand for the next 12 months that would affect industrial performance but would not disrupt growth trajectories. The demand effect for other parts of the world would likely be negligible. As corporate leaders gear up for 2017 planning, they would have to dedicate more analytical energy to identifying sources of growth in Asia, the Middle East, Africa, and the Americas to compensate for weaker performance in Europe.
Brexit would raise a host of trade issues from the future of the Schengen Area to the outlook for the Transatlantic Trade and Investment Partnership, all of which would increase uncertainty over the cost and structure of supply chains that involve the EU. Any tangible effect on supply chains, however, would likely materialize over a period of several years, giving companies ample time to respond. It would, however, raise fundamental organizational issues such as where companies’ European headquarters will be located, tax rates, distribution-chain structure, and other concerns that should be factored into 2017 and longer-range planning as well as profitability targets. Making changes earlier could yield valuable competitive differentiation for cost and talent.
Brexit’s most dangerous effect could be to galvanize anti-EU sentiment and populist parties across the EU, setting into effect a series of policy disruptions in the region that could weaken the EU, slow down EU integration, or even lead to other EU members exiting the union. All of this would undermine the EU’s economic outlook, and force multinational corporations to manage political risk in this usually stable region much more closely. While that would be unlikely to have ripple effects globally, it could contribute to greater instability in the Middle East and Eastern Europe if it coincided with increasingly isolationist foreign policy from the United States.
Overall, Brexit would put greater pressure on regions outside of Europe to deliver strong results that can compensate for years of underperformance by the UK and the EU in corporate portfolios. This may be a big challenge in the current global growth environment, requiring an even greater focus on agile strategies that emphasize strong competitive positioning, careful risk management, and a reshaping of how companies plan to win in emerging markets.
If the UK votes next week to leave the EU, boards and executive teams should ask themselves several urgent questions to effectively prepare their response:
What is our company’s exposure to short-term currency volatility of both the British pound and the euro? How would significant depreciation against the dollar affect our overall revenue and profit targets for this year?
Have we developed alternative international growth strategies that rely less on demand in Europe?
What production and distribution disruptions are we likely to face in our European operations?
How should we adjust our long-term outlook for doing business in Europe? What economic and political risks are now more likely and more significant to our company?
Joel Whitaker is Senior Vice President of Global Research at Frontier Strategy Group (FSG), an information and advisory services firm supporting senior executives in emerging markets.