Data breach liabilities of company directors
Abstract
This paper shows that data protection falls under the fiduciary duties of board members, albeit they may not be expected to take an active part in the implementation phase; they must assure that employees are equipped with data protection and security awareness and their roles are allocated properly. It discusses how companies need to know how compliance management can be ‘reasonable, adequate, appropriate’ in practice. The first step is to know the needs of the organisation and address the risks. A simple oversight can cause material benefits, and therefore, data protection and privacy must be treated as a corporate governance issue.
The full article is available to subscribers to the journal.
Author's Biography
Steve Wright In November 2018, Steve Wright took up an interim position of data protection officer (DPO) at the Bank of England. When the DPO returned in January, he continued to provide General Data Protection Regulation (GDPR) assurance and privacy leadership, also supporting the chief information security officer (CISO) in designing a new target operating model. At John Lewis, Steve set the strategy, policy, direction and the tone (rate) of change necessary to take John Lewis into its optimal position of leveraging the data it collects, while at the same time protecting the rights of customers and partners, by ensuring legal and regulatory compliance, delivering and enhancing privacy and security capabilities, and making sure trust and transparency remain at the heart of John Lewis’ brands. Steve has spent more than 25 years learning in information technology (IT; the last eight years in legal and finance), but all the time designing, developing, managing (mainly people) and delivering transformational data governance, privacy and security programmes.
Ezgi Pilavci is a privacy lawyer, currently working at Boston Consulting Group (BCG), London. Ezgi completed her second master’s degree in computer and communications law at Queen Mary London University, London, UK and is certified by International Association of Privacy Professionals (IAPP) as CIPP/E. She has double masters’ degrees in information technology law having six years of experience as an associate in a global law firm in Istanbul, Turkey. Ezgi has been involved in corporate and commercial matters, especially those focused on technology and privacy. She has much experience in drafting and revising different types of commercial contracts: Data Processing Agreement (DPA), nondisclosure agreement (NDA), information technology (IT) services agreements and negotiations with the third parties. Ezgi advised multinational clients on the data protection compliance process. This includes preparing and delivering presentations on data protection principles and requirements as well as drafting necessary legal texts including, but not limited to, consent, privacy policies, privacy statements, privacy authority notifications and supported privacy impact assessment schemes.
