You may have seen the news that Arun Bhattacharya, a shareholder in the data analytics company Nielsen Holdings plc, is suing the company, its CEO and CFO for misleading shareholders and the public about its preparedness for the GDPR (General Data Protection Regulation).
All boards and senior managers should read this story with considerable concern. While courts in the US are much more used to class action suits from individuals who feel they have suffered losses – financial or otherwise – the reality is that the GDPR and the UK’s Data Protection Act 2018 give individuals the right to bring actions in the UK and elsewhere in the EU where they feel that their rights have been affected.
How, if you are a board member, do you know whether or not your executive management team has actually implemented a privacy compliance framework that meets the accountability and other requirements of the GDPR?
How, if you are a manager or director of an organisation that has outsourced some data processing activities to a third party – and for whose GDPR compliance you are now responsible – do you ensure that your processors have properly complied with the GDPR?
Clearly, as this new legal action indicates, you cannot simply rely on the word of the management. (Our direct experience in the market is that many organisations are much less GDPR-compliant than they claim to be.)
The logical step is to implement an integrated management system that is capable of external audit and certification to two key standards: ISO/IEC 27001, the information security management standard, and BS 10012, the personal information management system standard.
We have just done this for the GRC International Group of companies. We can help any organisation that wants to take this route toward providing genuine assurance to stakeholders, customers and the board that GDPR compliance risks are properly managed.