Governance Watch - Issue 56

GDPR Bites

Investors might consider this a good time to invest in cyber security and cyber insurance, as it is clear that data breaches are about to become real and painful for business under the punitive powers of the EU’s General Data Protection Regulation (GDPR). The Information Commissioner’s Office (ICO) has signalled its intent to use the new law, in force from May 25, 2018, which takes the previous maximum fine of £500,000 under the Data Protection Act 1998 into a new realm altogether: a maximum of €20 million or 4% of a company’s annual global turnover, whichever is higher.

Earlier this month, the ICO issued notice of its intention to fine British Airways £183.39 million for infringements of GDPR, a fine relating to a cyber incident notified to it by British Airways in September 2018. The ICO said its investigation had found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details as well as name and address information.

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” Information Commissioner Elizabeth Denham said.

Just a day after the ICO’s first proposed fine under GDPR, Marriott Hotels was the next to hit the headlines. The ICO intends to fine the company almost £100 million after hackers stole the records of approximately 339 million guests. “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset,” Ms Denham said in an ICO statement.

Anyone watching the trends around corporate governance concerns might wonder whether legal advice on GDPR obligations will soon be a renewed and buzzing sector of corporate activity.

Regulatory fines only have teeth if they are substantial enough to concentrate minds and change behaviour. In each of the cases mentioned, the ICO has said it “will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”

It only publicised its intent on the fines after British Airways (through its parent, IAG) and Marriott International issued their own announcements for investors, suggesting once again that regulatory fines are a potent ingredient in a simmering pot of corporate governance issues. The final penalty notices, once the companies’ representations have been considered, are expected in the next few months; any appeals would follow those notices.

Data protection complaints received by the ICO increased from 21,019 in 2017/18 to 41,661 in 2018/19 and it is currently investigating further significant corporate cases of data breach. “2018 will be remembered as one of the most prolific in data security history, with everything from names and ages, to payment cards and passport details leaked” wrote one media site at the end of the year, pointing to some of the biggest names involved including Ticketmaster, Dixons Carphone and Cathay Pacific.

Ethics + The Supply Chain

While companies are being urged to think of the personal data they hold as an asset with a legal duty to ensure its security, they might also take a moment to consider their ethical and economic duties to the smaller participants in their supply chain. In a social media world, no amount of CSR material in prominent view on a website makes up for careless treatment when it comes to human capital. A supply chain is not merely a chain of supply but a chain of human capital that needs to flow along an agreed stream of codes and values to be most efficient.

“We want the UK to be the best place in the world to start and grow a business, but the UK’s small-to-medium-sized businesses are currently owed over £26 billion in overdue payments. Such unfair payment practices hamper a business’s ability to invest in growth, and have no place in an economy that works for everyone” said Margot James, Small Business Minister two years ago. (She moved from that role to become Minister for Digital in January last year and just resigned from the government as part of efforts to stop parliament being suspended over decisions made about Brexit.)

The Department for Business, Energy and Industrial Strategy (BEIS) was marking the extension of the Prompt Payment Code, with 32 of the biggest suppliers to the government voluntarily committing to pay 95% of invoices within 60 days, and to work towards adopting 30 days as the norm. These are major strategic suppliers who typically have contracts across government worth more than £100 million. Together they account for around 40% of government procurement spend.

But earlier this week 18 companies, including BT Plc, British American Tobacco and Centrica, were suspended from the Prompt Payment Code for failing to pay suppliers on time, the Chartered Institute of Credit Management (CICM) announced.

Screwfix, Prudential, and various businesses of BAE Systems are also among those that have failed to honour their Code commitment to pay 95% of all supplier invoices within 60 days. There’s literally no excuse, and as always, transparency is key when it comes to changing corporate behaviour on this important issue.

Diversity and Inclusion

After almost a decade of debating the need for real diversity and representation in the senior ranks of British business, we are in danger of progress stalling at a time when we need clear direction.

Cranfield University’s latest report on the drive for diversity in the FTSE 350 has sparked more debate. Helen Pitcher, who is leading a drive to appoint more women into the Chair role in the interests of greater diversity, and whose consultancy sponsors this column, is featured in the media coverage. "The real issue is the pipeline of women and the myopic view of some with regard to accelerating women into the chair role. The excuse given by some chairs and headhunters is that the pool of women for this role doesn’t exist, which is clearly nonsensical given the number of female chairs of committees and the skillset – both soft and hard, but particularly soft – needed to be a chair, which women usually have in abundance," she is quoted as saying.

When it comes to the low number of BAME women currently sitting on FTSE 100 boards, Femi Otitoju, founder and managing director of Challenge Consultancy, quoted in the same piece, said: “women from ethnic minority backgrounds are judged against the cultural standards of boards that are frequently entirely made up of white men and ‘seen as unsuitable for promotion if they don’t conform.’” You can also read my thoughts on the Cranfield Report on my independent blog, Board Talk.

Follow us on Twitter @ABExcellence

You can find us at Advanced Boardroom Excellence on LinkedIn