For the Board, GDPR Compliance Implementation Reporting Is More Than Just About Exposure and Progress

Author: Guy Pearce
Date Published: 11 February 2019

Whether from a conformance (compliance) or performance perspective, two enterprise governance tasks of particular interest are:

  • Knowing what questions to ask in the process of performing due diligence
  • Knowing what data and information to request to support the due diligence process

In the case of compliance, the extent of the information required to support due diligence is proportional to the impact of the risk of noncompliance to the organization. In the case of the EU General Data Protection Regulation (GDPR), the risk factors associated with noncompliance are extraordinary. At a minimum, the risk poses challenges not only in terms of the considerable maximum penalties for noncompliance, but, perhaps more importantly, also in terms of the reputation impact of noncompliance.

The latter issue arises because any financial penalties imposed for noncompliance are likely to make headline news, communicating to everyone that the organization has not yet met its obligations to protect the privacy of EU natural persons, despite the regulation having been in effect since May 2018.

A board director recently suggested that the only information the board required for GDPR compliance progress monitoring is:

  • What is the exposure to the risk of noncompliance?
  • What is the progress toward achieving compliance?

In this case, the director’s argument was that sufficient reporting would merely contain a statement to the effect that the exposure was up to €2 million (US $2.3 million) or 4% of global revenues, coupled with an overview of the compliance project’s progress to plan.

However, a director on the same board who specifically oversees enterprise risk management (ERM) instead suggested that, in the interests of appropriate due diligence, the board required more detail than had been proposed. In particular, the board required not only better knowledge of the regulation, but also greater insight into the extent of the organization’s efforts toward achieving compliance with the different components of this complex regulation.

Becoming knowledgeable about the regulation enabled the board to ask better questions in fulfilling its oversight obligation and to better understand which components of the regulation applied to the organization. In further response to the ERM director’s recommendation, a reporting framework was structured to provide more detail than a project-overview level would have presented, so that more directors could understand the nature of the work being performed for compliance and which parts of the operating model (people, process or technology) were affected. At a glance, the framework gave insight into progress against plan for each identified component of GDPR, and into how that progress compared with the prior reporting period.

Given this background, my recent Journal article documents high-level aspects of the approach taken—perhaps useful for organizations that have not yet fulfilled their GDPR obligations—to leverage for their own purposes.

Read Guy Pearce’s recent Journal article:
“Reporting on GDPR Compliance to the Board,” ISACA Journal, volume 1, 2019.