The Board's Role in Data Protection

AUTHORS
Amy Rojik, Corporate Governance | Karen Schuler, Data Governance, Privacy | Greg Schu, Cybersecurity, Compliance & Assessments | Jeff Ward, SOC, WebTrust, Cybersecurity 

Data Protection

Data is increasingly considered the highest valued asset an organization may hold and maintain. Due to global regulatory and financial scrutiny, compliance, data management, and data privacy risks are rising in priority on boardroom agendas, no matter where the organization is domiciled. Boards are being continually reminded how compliance violations and data breaches can negatively impact brand, reputation and financial stability. In this framework, directors are responsible for establishing appropriate governance oversight of management’s efforts in these areas, ensuring that information and metrics are well defined and monitored, prioritizing cybersecurity, and building a culture of data privacy protection. This includes the adoption and oversight of documented policies, standards and controls within the following, often intersecting areas:

Laws and Regulations

Organizations face a barrage of disparate data-related compliance requirements including financial regulations, environmental health and safety reporting rules, domestic and international data protection regulations, as well as other industry-specific guidelines. Some specific examples include:

SEC Reporting and Disclosure
Industry Specific Disclosure (HIPAA, Homeland Security Act, Gramm-Leach-Bliley)
Domestic Privacy and Data Protection Regulations (California – CCPA/CPRA, Virginia – VCDPA, Colorado – CPA; Utah – UCPA; Connecticut – CTDPA)
Breach Notification Requirements

Board Responsibility

Board oversight of enterprise information governance includes:

Board Best Practices

  • Require frequent CIO/CISO reporting to the board
  • Use a reporting dashboard to drive prioritization and status of follow-up of actions
  • Consider level of cyber knowledge and experience needed on board and of those who are advising the board
  • Perform review of cybersecurity management plan at least annually
  • Set the tone for immediate communication of suspected/known breaches/incidents
  • Be mindful of changes in regulations (domestic and global) that would impact current policies, protocols and compliance
  • Identify key relationships/contacts in advance of cyber breaches (e.g. regulators, enforcement)
  • Conduct periodic mock cyber event responses
  • Ensure the robustness and timeliness of communications
  • Engage in continuing education and change management

  • Require the development, implementation and maintenance of a comprehensive data governance framework that considers people, processes and technology
  • Consider level of knowledge and experience needed on the board and of those advising the board
  • Ensure corporate strategy and plans for growth include analysis and consideration of data governance
  • Require high-quality data (content, accuracy and timeliness)
  • Ensure collection and retention of only relevant data
  • Ensure the robustness and timeliness of communications
  • Engage in continuing education and change management

  • Require a Chief Privacy Officer (or assign that responsibility) to oversee data privacy compliance and operations; require reporting to the board
  • Appoint or outsource a Data Protection Officer as required under GDPR
  • Consider level of knowledge and experience needed on the board and of those advising the board
  • Require regulatory monitoring aligned with operational jurisdictions to address regulatory changes (domestic and global) that would impact current policies, protocols and compliance
  • Perform review of notices, policies and procedures for relevance and alignment with risk at least annually
  • Ensure the robustness and timeliness of communications
  • Engage in continuing education and change management