The impact of GDPR on investor relations
This article was produced by ELITE Connect and originally published on the ELITE Connect platform.
With the May 2018 introduction of the EU General Data Protection Regulation (GDPR) less than 10 months away, IROs need to consider the impact that its focus on the processing and free movement of personal data will have on their IR activity.
Not only does non-compliance risk a significant fine of 4 percent of a company’s annual turnover, but reputation and share value are also on the line.
Mark Seifert, partner and cyber-security expert at Brunswick Group, has been researching and providing insight into the regulation since the announcement of its introduction four years ago and agrees the consequences of falling foul of GDPR have the potential to be far-reaching.
‘Those companies not yet making preparations for GDPR are risking failure on a number of levels and, as an IRO, you need to be asking whether your firm is ready for its introduction,’ he says. ‘The UK and Europe will soon be thrust into a new data protection regime, and companies there really need to have already started taking a holistic view and assessing what moves they need to make to become compliant.
‘Falling foul of GDPR will be a real game-changer in terms of reputation and investor perception for any company – I predict the first major company to do this will be the subject of intense media and industry scrutiny that will be highly damaging.’
Provisions for the introduction of GDPR are already under way at Subsea 7, the offshore energy services company, which is taking a multi-department approach to ensuring the introduction of the regulation runs smoothly.
‘In preparation for the introduction of GDPR, Subsea 7’s IR team has been working with in-house teams from HR and legal to understand the impact of the new regulation and the possible changes that might need to be made,’ says Isabel Green, head of IR at the firm. ‘By working in collaboration with these departments, our IR program will allow for the additional regulatory requirements with minimal impact on day-to-day activity.’
For those companies already taking GDPR seriously, such as Subsea 7, there are additional rewards to be reaped. ‘If you’re already geared up for dealing with GDPR, you’re sitting pretty compared with many other companies, and you should be letting investors know that this is the case, either by sending subtle messages to the market, or by making more noise about your preparation to create a competitive advantage,’ says Seifert.
‘It’s our view that investors will place a premium value on companies that demonstrate a strong adherence to the new regulation, similar to how investors view companies with strong corporate governance practices and CSR programs. Companies that haven’t started planning need to get their ducks in a row quickly and start to understand and implement their responses to GDPR; that way, they’ll [mitigate] the risk factor.’
So what first steps can IROs take to ensure they’ll be compliant by next May? ‘We’re looking at how we record and retain information relating to employees working in the IR team, the suppliers we use and the investors and analysts we meet with,’ says Green.
‘We use a third-party customer relationship management database to source basic information on funds and fund managers, and add our own notes to this as we get to know certain investors better. We will be working with our external suppliers of this database to understand how this tool may change in response to the changes GDPR will bring. Managing this data responsibly is something we have always taken seriously.’