The Role of the Board in Data Protection Compliance
Data Protection compliance is a buzzword right now. What is it? Who is responsible? What is the cost of non-compliance? If you are in a leadership position in a company that handles personal data, you may be wondering about these and other related questions. More so, as a board member, you may share similar concerns or you may be wondering what the board’s role should be in compliance.
Why should boards care about privacy compliance?
Data protection compliance should take priority in the boardroom for several reasons. First, the Data Protection Act has a broad application spectrum. In particular, it applies to companies processing personal data of persons based in Kenya. It also applies to companies that do not have a presence in Kenya but process data belonging to individuals located in Kenya. In other words, so long as you handle data relating to individuals based in Kenya, the Act applies to you. In addition to the extra-territorial application, the Act applies to personal data processing by automated or manual means.
Secondly, compliance should be prioritised because of the risk of imposition of sanctions. Under the Act, the Data Commissioner has power to impose an administrative fine of up to Kes. 5 Million or 1% of gross annual turnover of the company. The company may also face a further general penalty or fine of Kes. 3 Million. In addition to fines, any individual affected by the company’s breach may sue the company for damages. The Act has not quantified the damages payable, meaning that courts have leeway in setting the quantum of damages. The imposition of such fines or damages will undoubtedly impact the company’s financial position. Finally, the board should be concerned about the criminal sanction risk, as members may face criminal sanctions of up to 10 years imprisonment.
Whilst financial loss and regulatory sanctions are a primary driver for compliance, it is also necessary to consider compliance from a brand image and reputation perspective. Data breaches or non-compliance attract negative press that may dent the company’s image and erode consumer confidence.
This compliance landscape shows that boards cannot afford to ignore the importance of privacy compliance. Outlined below are some of the roles that a board can play in privacy compliance.
1. Determine the appropriate governance model for privacy
Owing to the inherent risks posed by mishandling data, Boards should put in place an appropriate governance model which gives the Board insight into an organisation’s compliance posture. As a first step, the Board should consider appointing a Data Protection Officer (“DPO”), which is a requirement under the Data Protection Act. The DPO should be responsible for compliance and act as the company’s liaison with the Data Commissioner (the regulator). The DPO should take stock of the company’s data inventory, conduct a privacy gaps assessment and propose a compliance implementation roadmap.
Ideally, the DPO should be senior enough to influence change and compliance required within the organisation. For visibility, the position should report directly to the board committee responsible for privacy governance. The Board should also determine the appropriate committee to handle privacy governance. It may elect to either set up a separate committee or include it in the Audit Committee’s scope.
2. Ensure privacy reporting metrics are well defined
For effective decision making, the board must ensure that the reporting metrics are well defined. In 2018, IAPP and EY commissioned a privacy governance report to understand, among other things, the nature of matters reported to the board. According to the report, most boards received reports on the company’s status of compliance with privacy laws.
Currently, organisations handling personal data in Kenya are putting in place privacy compliance programs. The Board needs to be apprised regularly of the core components of the company’s privacy program and the implementation roadmap. In addition, the Board should devise ways of measuring the program’s effectiveness. One way to do this is through use of measurable indicators such as Key Performance Indicators. Developing accurate measures to represent the performance of the program can be challenging. However, a few useful ones may include:
- compliance issues remediated within a specified period
- number of privacy complaints (data subjects, regulators)
- number of privacy incidents/breaches and average time taken to resolve a breach
- results of privacy internal audits
- number of data protection trainings attended
With the right metrics, the board can ask the right questions and take corrective actions. For example, metrics on data breaches can lead to questions such as: Do we respond appropriately to a data breach and within the stipulated timelines? Does the company need data breach insurance? How can future incidents be prevented? Who is keeping track?
3. Build a privacy culture
Under the Data Protection Act, personal data must be processed in accordance with an individual’s right to privacy. To achieve this, an organisation must inculcate a privacy culture. Such an initiative can only succeed with the sponsorship and leadership of the board.
As a first step, the board should understand the connection between a strong privacy culture and the organisation’s ability to deliver on its objectives. The DPO and other officials should carry out relevant awareness sessions for the Board. Next, management should define the privacy program’s vision and implementation strategy. In essence, the vision communicates to staff the organisation’s stand on privacy. It paints a picture of how the privacy program strives to comply with data protection laws in delivery of products and services.
The board should charge the CEO, DPO and the senior management team with the responsibility of crafting the vision and communicating strategy. Communicating the vision involves selling it and obtaining buy-in from staff. Explain to staff the value of embracing privacy and the consequences of failing to do so. In addition, give staff an opportunity to contribute to the vision. For example, they can give ideas on ways to achieve the vision, which can be integrated into the program. The more staff are involved, the easier it will be to roll out the program.
4. Prioritise Data Security
The Board should understand the data security risks and challenges that the company faces and provide proper oversight on prevention of those risks. Most essential business functions performed today leverage technology. Although a computer device or software application can help facilitate new business opportunities, those technologies can also be used to infiltrate and harm a business. For example, a company may need to rely on mobile devices such as laptops and phones to facilitate remote work. However, this setup increases the risk of data loss and malicious attacks on the company’s network and data. Insider threats also pose as much risk as external threats. Additionally, an employee may facilitate loss of data or information through deliberate or accidental actions.
Therefore, the Board should demand the inclusion of cybersecurity governance into the overall privacy program. Privacy compliance reports should include strategic and technical information about the company’s cyber risks and mitigation measures. One best practice measure to implement is the development of a data security technology roadmap with a corresponding budget. The roadmap helps the board to plan and obtain the best value from the identified tech resources.
As much as cyber-risk is important, Boards should also not ignore security relating to manual records. Since data protection encompasses automated and manual processing, the Board should also have oversight on the security measures implemented for manual records.
Disclaimer: The information on this blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no advocate-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional advocate, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation. The information on the blog may be changed without notice and is not guaranteed to be complete, correct or up-to-date. While the blog is revised on a regular basis, it may not reflect the most current legal developments.