Directors’ Liability, Perspective, and joining dots
I have been presenting a lot recently on the overlap between Data Protection, Data Security, Data/ Quality, and Data/ Governance and how it is important to have a holistic perspective on these topics and how they inter-relate in the strategy and execution of your business.
The last thing you want to have is a series of functional buckets trying to sort out bucket-loads of dysfunction in your organisation’s data management.
I spotted a good example of why this holistic view is important over the past weekend in the Sunday Business Post, one of Ireland’s weekly business newspapers. In an article in the News section, a leading security expert was warning that Company Directors could face prosecution if they failed to properly secure data that was subsequently stolen, once Ireland implements the International Convention on Cybercrime.
This puzzled me.
Because Section 29 of the Data Protection Acts 1988 & 2003 clearly states:
29. Offences by directors, etc., of bodies corporate
29.(1)Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any ne-glect on the part of a person, being a director, manager, secretary or other officer of that body corporate, or a person who was purporting to act in any such capacity, that person, as well as the body corporate, shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
(2)Where the affairs of a body corporate are managed by its members, subsection (1) of this section shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he was a director or manager of the body corporate.
In other words, Ccompany Directors are already liable for prosecution for breaches of the Data Protection Acts. Section 2(1)(d) of the Irish Data Protection Acts creates the duty to keep personal data “Safe and Secure”. If company directors fail to ensure that adequate policies, procedures and protocols are in place to protect personal data they are liable for prosecution. Furthermore, if an employee or contracted Data Processor goes “rogue” and ignores all the protocols and procedures, the liability for the breach passes to them.
So. We don’t need to wait for new legislation to come onto the Statute books. The liability on Company Directors for security breaches is already enshrined in the Data Protection Acts.