Data Protection

Data protection is a Board-level responsibility, not a matter for the IT or legal function alone. UK GDPR and the Data Protection Act 2018 place accountability squarely on the organisation as Data Controller, with the Board ultimately answerable for how personal data is collected, used, protected, and retained. The starting point is knowing what data the organisation holds and why — a data mapping exercise that identifies processing activities, legal bases, and third-party processors is the essential foundation. Without it, the Board cannot make informed decisions about risk, and the organisation cannot demonstrate the accountability that regulators expect.

Capability must then be assessed against a clear standard. The ICO's Accountability Framework and ISO 27701 both provide structured approaches, but for a Board audience the key questions are straightforward: Does the organisation have a tested breach response plan? Are staff aware of their obligations? Are suppliers and processors held to appropriate contractual standards? Are Privacy Impact Assessments carried out before new projects go live? Gaps in any of these areas represent not just regulatory risk but reputational and commercial exposure — the ICO's fining powers extend to £17.5 million or 4% of global annual turnover under UK GDPR.

Effective data protection capability is a continuous programme, not a one-time audit. The Board should receive regular reporting on data protection performance — including breach incidents, subject access requests, and the status of remediation actions — and should satisfy itself that there is a named executive owner with clear accountability. Organisations that treat data protection as a strategic asset rather than a compliance obligation are better placed to retain customer trust, respond proportionately when incidents occur, and demonstrate to regulators a culture of accountability that goes beyond the minimum the law requires.