Are you a Director or Manager or Member in an Organisation resisting the resourcing of GDPR Activities? Best read on then…
You will not often get an article from me about the ‘scary bits’ in the GDPR; I’m a glass-half-full kind of person. However, on this news, I’ve made an exception…
The GDPR (General Data Protection Regulation) comes into force on 25th May 2018 and all organisations must comply with the Regulation.
However, I have recently met with a couple of senior representatives of organisations who have openly stated that ‘they are not providing a budget for any GDPR compliance project’. I find it hard to believe that they will be able to demonstrate full compliance with the GDPR, on at least two grounds: 1) it is not funded, therefore it will be difficult if not impossible to move towards compliance, and 2) compliance is a ‘culture’, and culture is made up of actions and attitude in unison. That attitude will clearly not support demonstrable compliance with the GDPR.
I was then very interested today when my attention was drawn by a compliance colleague to a publication of the new Data Protection Bill going through the UK Parliament which is bringing the GDPR into UK Law. In addition to the GDPR, the UK Bill is adding and clarifying some data protection and information security issues.
Tucked down in the section on Offences is section 191, Liability of Directors, which reads as follows:
191 Liability of directors etc
(1) Subsection (2) applies where —
(a) an offence under this Act has been committed by a body corporate, and
(b) it is proved to have been committed with the consent or connivance of or to be attributable to neglect on the part of —
(i) a director, manager, secretary or similar officer of the body corporate, or
(ii) a person who was purporting to act in such a capacity.
(2) The director, manager, secretary, officer or person, as well as the body corporate, is guilty of the offence and liable to be proceeded against and punished accordingly.
(3) Where the affairs of a body corporate are managed by its members, subsections (1) and (2) apply in relation to the acts and omissions of a member in connection with the member’s management functions in relation to the body as if the member were a director of the body corporate.
(4) Subsection (5) applies where —
(a) an offence under this Act has been committed by a Scottish partnership, and
(b) the contravention in question is proved to have occurred with the consent or connivance of, or to be attributable to any neglect on the part of, a partner.
(5) The partner, as well as the partnership, is guilty of the offence and liable to be proceeded against and punished accordingly.
Now read it again, slowly… Have you spotted it?
Yes, exactly. So if a Director, Manager or Company Secretary (or even a member managing personal data for a membership organisation) is shown to ‘consent’ to blocking resources, with the result that the organisation is non-compliant, or connives (plots, schemes, conspires, hatches…) with others, or is deemed to have neglected the duties of their office, then they may well have committed an offence and, to quote 191(2), “The director, manager, secretary, officer or person, as well as the body corporate, is guilty of the offence and liable to be proceeded against and punished accordingly.”
The biggest expenditure an organisation is likely to have in complying with the GDPR is people and time. The GDPR is coming into force and all organisations need to comply, simple as that.
Not sure what to do? Talk to us, talk is free.
External Link: Data Protection Bill