Providing Board Assurance on GDPR compliance

If you are a Director of a Limited Company, however large or small, you have certain legal responsibilities and a fiduciary duty to your stakeholders. You may be an executive with specific functional responsibilities, but your role as a Director means that you need to have an awareness of, and duty to control, the complete spectrum of activities across the organisation. Saying you didn’t know, or weren’t aware of something that contravenes legislation or that harms the organisation significantly, is not a defence.

Most companies build a Board Assurance Framework (BAF) designed to highlight the key risks to the business, the controls that are in place to mitigate those risks, and the specific actions being taken to reduce the likelihood and impact of a risk actually occurring. A BAF is a series of operational risk registers that roll up to a top-level Corporate, or Board, Risk Register.

A key part of the Percipience GDPR compliance solution involves adding key non-compliance risks into the relevant parts of the risk register. At Board level the risk, or risks, will be high level in nature. For example, this might be “the risk of significant financial penalties through non-compliance with GDPR regulations”. However, there will be operational areas of the business, such as marketing, HR and IT, where the risks will be much more specific. In IT this might include a risk around “the lack of procedures for the storage and handling of data at third-party providers.”

There is a common misconception that assessing risk is very subjective. In fact, only one part of the risk assessment process is in any way subjective: the risk appetite of the organisation, which can only be agreed by a collective decision of the Board. There are a growing number of approaches to defining risk appetite and reducing subjectivity, as demonstrated in this Deloitte article. However, for our purposes, in a GDPR project the risk appetite of the organisation simply sets the scores at which a risk goes from green, to amber, to red.

Generally, risks will be scored on a scale of 1-25. This is arrived at by rating the likelihood of the identified risk occurring on a scale of 1 (very low) to 5 (very high), and the impact of that risk occurring also on a scale of 1 to 5. The two numbers are then multiplied together to get an overall risk score. You can then set the scores at which risks turn from green to amber to red. A note of caution, however: a likelihood of 1 and an impact of 5 gives the same overall risk score as a likelihood of 5 and an impact of 1. You cannot afford to ignore any risk, however infrequently it is likely to happen, where the potential impact is very high. On the other hand, you might well choose to ignore a risk that is a very common occurrence but that has little or no impact.
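The scoring above, as an added illustration that is not part of the original post or of Percipience's tooling: a 5x5 likelihood x impact scorer with green/amber/red thresholds standing in for the Board's risk appetite, plus the rule that a maximum-impact risk is never filed as green however unlikely it is. The threshold values and the sample register entries are assumed and constructed for the example.

```python
from dataclasses import dataclass

# Assumed risk-appetite thresholds (the Board sets these; values are illustrative):
# score >= RED_FROM is red, score >= AMBER_FROM is amber, anything lower is green.
AMBER_FROM = 6
RED_FROM = 15
# A risk at maximum impact is never green, however low its likelihood
# (likelihood 1 x impact 5 scores the same as 5 x 1, but must not be ignored).
NEVER_GREEN_IMPACT = 5


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (very low) .. 5 (very high)
    impact: int      # 1 (very low) .. 5 (very high)


def score(risk: Risk) -> int:
    """Overall score on the 1-25 scale; rejects ratings outside 1..5."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: ratings must be 1..5, got {value}")
    return risk.likelihood * risk.impact


def rag(risk: Risk, amber_from: int = AMBER_FROM, red_from: int = RED_FROM) -> str:
    """Map a risk to its green/amber/red status under the given appetite thresholds."""
    total = score(risk)
    if total >= red_from:
        return "red"
    if total >= amber_from or risk.impact >= NEVER_GREEN_IMPACT:
        return "amber"
    return "green"


def register(risks, **thresholds):
    """Rank a (sub-)register highest score first, with RAG status attached."""
    rows = [(r.name, score(r), rag(r, **thresholds)) for r in risks]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample register: the two risks named in the post plus a low-impact one.
SAMPLE = [
    Risk("Significant financial penalties through GDPR non-compliance", 2, 5),
    Risk("No procedures for data storage/handling at third-party providers", 4, 3),
    Risk("Frequent but trivial data-entry errors in a marketing list", 5, 1),
]

if __name__ == "__main__":
    for name, total, status in register(SAMPLE):
        print(f"{status:5} {total:2}  {name}")
```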

All this will be taken into account as you ASSESS your existing state of preparedness for GDPR, ASSEMBLE a plan, APPLY the policies and procedures designed to deliver compliance, and APPRAISE the control functions that provide the assurance the Board needs. This may be in an online dashboard, but a simple spreadsheet is often perfectly adequate for the task.

If this all seems a little daunting, why not contact us? Percipience does this as a matter of course in any GDPR project. We can give you the tools to provide the assurance your Board needs around GDPR compliance. The risk is that you fall foul of the new regulations and could face fines of up to €20 million or 4% of turnover, whichever is the greater. On a scale of 1 to 5, how would you rate the impact of that risk to your business?
