In Bob Garratt’s book, The Fish Rots From The Head: The Crisis in our Boardrooms: Developing the Crucial Skills of the Competent Director, he extrapolates the onerous responsibilities that directors have to undertake in carrying out their roles within organisations. He further argues that, “most directors are directors in title only” in that they actually direct companies as expected. The book shines a light on what directors should be doing, how their actions affect the general strategic vision of the company and what’s more, he points to the consequential effect when directors or board of directors are ineffective. Yet, in this modern data driven age, most directors shirk responsibilities or fail to understand the importance of their responsibilities when it comes to organisational data privacy expectations.
I’d argue, to use Garratt’s words, that the fish truly rots from the head. Whether one agrees with the literal sense of those words is not the exact matter for this piece. In this piece, I argue that for privacy to work within any organisation there must be a top-to-bottom approach. Privacy should not be looked at from a managerial point of view but from the board level and input from the board room is as important as any other day-to-day business activity that might be on the agenda of the board meeting.
Therefore, it is critical that data privacy and its attending workflows, processes, and other accountability work should be reported to the board. There are good reasons for this. First, it gives the board members a clear status of where the company is with regards to their data privacy journeys. Second, it shines a light on the existing gaps that might affect the company from both a revenue perspective and a reputation perspective. Third, their influence or input as directors would drive the culture and ensure that various departments within the organisation are aligning to the data privacy visions and missions of the organisation.
The success and failure of any data privacy programme or the lack thereof would tell a story about the board.
Executive responsibility in data privacy expectations is critical. When one carries out a cost analysis of what happens when there is a data privacy breach or when a particular process tilts towards damaging the reputation of a company, the outcomes are gargantuan. In fact, in a data privacy strategy presented by the privacy professional, they should be tying these responsibilities to executives within the board. In other words, there must be a board member within an organisation who should be held responsible when there is a gap in the whole data privacy framework. This would make executive members step up to the data privacy missions of their organisation.
It is quite hard to attain this as most board members shy away from what some call a “new” burden. But, for the purposes of maintaining promoting privacy culture, a board influence will as a positive push. Failing to have this injection from the boardroom might present barriers towards achieving any holistic organisational data privacy strategy.
