Director FAQ: What Boards Should Know About the GDPR

In brief: The European Union’s new General Data Protection Regulation (GDPR) requires—with some exceptions—affirmative opt-in consent and usage notices for data collection in the European Union (EU) by any organization with 250 or more employees. It applies not only to European organizations collecting data within the EU, but also to non-European companies whose data subjects are based anywhere in the region. Any person located within the EU is considered a “data subject” under the regulation. The regulation prescribes in detail the procedures required for data collection and use, including cybersecurity measures, which makes compliance a challenge, especially for smaller firms.

This resource can help your board to

  • Become familiar with the basic provisions of the GDPR.
  • Determine whether your company needs to appoint a data protection officer.
  • Understand what the board can do to strengthen its oversight of GDPR compliance.
  • Engage in dialogue with management about data protection.

Most relevant audiences: audit, risk, and compliance committee members; general counsel; chief compliance officers, chief information security officers, and chief privacy officers

See also Director FAQ: The Board’s Role in Data Privacy Oversight