A question was recently asked about how GDPR compliance reporting to the board could be simplified, given that not all board directors are familiar with GDPR. It is an important question, because ensuring that the risks associated with GDPR non-compliance are appropriately controlled is a corporate governance accountability.
If a paradigm could be created that enabled most directors to ask the appropriate questions of management, that would be valuable. The depth of GDPR makes simplifying it a complex matter, but we suggested that management provide feedback to the board along three categories: data subjects, data controllers and data processors (A, B and C in the image, respectively). These are the primary subjects that GDPR addresses.
Furthermore, it was suggested that, for each of the three categories A, B and C, the aspects of the GDPR that the organization complies with be reported in contrast with the aspects of the GDPR that the organization does not yet comply with.
Without relieving board directors of their obligation to be informed about important matters such as GDPR, the hope is that this makes a complex regulatory requirement easier to digest for directors who might not be as close to the regulation as some of their colleagues. Hopefully it also makes it easier for the board to pursue various lines of questioning in a structured manner.