Governance Watch - Issue 38

by Dina Medland in London


There is irony in the timing of a £500,000 fine levied on Facebook today by the UK Information Commissioner’s Office (ICO) for two breaches of the Data Protection Act in the scandal involving Cambridge Analytica. The breaches occurred before the latest European General Data Protection Regulation (GDPR) came into effect in May; the £500,000 cap is therefore the one set by the UK’s Data Protection Act 1998.

The burdensome nature of EU regulation for business is often given as a strong reason to back Britain’s exit from Europe. GDPR caps fines at €20m (£17m), reflecting 4% of global turnover, which the media reports would be $1.9 billion (£1.4 billion) in the case of Facebook.

As this report by Sky News states, this fine is tiny compared to the firm’s value (£445 billion). “It’s not all about fines… any company is worried about its reputation, because people want to feel that their data is safe,” Elizabeth Denham, the Information Commissioner, told the BBC’s Radio 4 programme today.

But as the implications of the data breaches and the use of personal data by political parties without personal consent reverberate, the ICO has sent warning letters to political parties and notices demanding agreement on data protection audits. Facebook has 28 days to decide whether to contest the ICO’s fine, and businesses should be watching to see what happens next.

In the United States, earlier this month the SEC joined the FBI, the Justice Department and the Federal Trade Commission in probing Facebook more closely. The need for regulation, burdensome or not, on matters of data privacy in business is likely to resonate loudly with citizens across Europe including the United Kingdom at a time when the issue of trust with consumers is acute.

The Fair Vote Project @FairVoteUK, formed after whistleblower evidence came to light regarding alleged cheating in the vote to leave the EU, has another solution. (Here is its Director Kyle Taylor’s interview on that with the BBC.)

Fair Vote UK is now preparing a class action against Facebook and already has 84 claimants signed up. “All 1.1 million British citizens impacted by the Cambridge Analytica breach can join the claim,” it suggests, and can do so via its website.

The possibility of US-style class actions was first introduced in the UK in 2015, with the Consumer Rights Act. Regardless of whether it is applicable to this specific case involving Facebook, Simmons & Simmons published an interesting piece on opt-out class actions in the UK in January, in which it said: “We predict that a suitable case will be found and certified in 2018.”



“Getting to grips with big data is something we are just beginning to do” said Charles Randell, in his first speech as the new Chair of the Financial Conduct Authority (FCA) and the Payment Systems Regulator. Artificial Intelligence (AI) means that businesses can harvest more information about us and our behaviour, and as they understand more about human behaviour, use ‘nudges’ that affect our decisions – so there is potential for both good use, and misuse, he added.

“We need to anticipate the fundamental questions which Big Data, artificial intelligence and behavioural science present, and make sure that we innovate ethically to shape the answers” said Mr Randell – and new initiatives in the UK to do just that were mentioned in the last Governance Watch.

In my blog Board Talk this week I looked at the potential for better corporate governance using those algorithms mentioned by the FCA Chair in his speech. Board Talk looks at the launch of the world’s first “business integrity rating agency” by an MIT-backed start-up comprised of business leaders and engineers. 

Elsewhere in regulation, the Financial Reporting Council (FRC) is about to reveal the revised UK corporate governance code next week (July 16). In keynote addresses at the ICSA Conference this week, both Andrew Griffiths, small business minister at the Department for Business, Energy and Industrial Strategy (BEIS), and the FRC CEO Stephen Haddrill made it clear that gender diversity in the boardroom was still very high on the UK’s agenda.

The UK government remains intent on continuing to berate the remaining all-male boards in the FTSE 250 for being out of step with the times. Mr Haddrill, on behalf of the regulator, said it was clear that even when women were on boards they were often not in more senior positions of chairing committees, and he suggested that the nine-year rule on boardroom appointments may also be revisited in the revised Code.

The timing of the launch of this revised code is curious, coming as it does in the middle of a fundamental review on the functioning of the FRC, and its remit both to regulate audit and be the overall watchdog for corporate governance, a dual role that some are questioning.

Stephen Haddrill, CEO of the FRC, speaking at #ICSACONF July 10, London

While saying that he welcomed the Kingman Review, Mr Haddrill pointed out that public expectation of regulation has changed considerably in recent years.

British business also has a great deal else on its mind at the moment. Martin Wolf, Economics Commentator at the Financial Times, painted an alarming picture of the state of the UK economy in his keynote address at the conference. If Brexit were not dominating the conversation, he said, these are some of the things that should be talked about more.

“There has been a profound failure of corporate governance in this country” said Mr Wolf, saying we pay far too much attention to shareholders, rather than the longer term.
