The Perfect Storm: GDPR, BREXIT And Corporate Governance In The UK

Better Governance, Better Boards, Better Meetings: Better Business

The perfect storm: GDPR, BREXIT and corporate governance in the UK

eShare Ltd, 1 Oxford Road, Newbury, Berkshire. RG14 1PD UK
Copyright eShare Ltd.
eshare.net
info@eshare.net
0845 200 7829

“The time is coming for organisations to step up their governance game and embrace the coming changes.”
- Alister Esam, CEO, eShare

Introduction

As the amount of data we create increases, so does the amount of regulation enforced to deal with data handling and security. Because most of the data collected is personal in nature, our own security relies on these regulations and laws being enforced, and the reputational and financial damage that can result from failing to meet them can be substantial.

This is certainly the case with the EU General Data Protection Regulation (GDPR), which comes into force on 25th May 2018 and will remain law even after we leave the European Union in 2019 (at the time of writing).

Under current UK data protection laws, whilst the threat of public scrutiny and damage to a brand’s reputation is heavy enough to deter most, the Information Commissioner’s Office has had very little success in imposing fines, which were limited to £400,000. Under the new GDPR, non-compliance has serious consequences: fines of up to €20,000,000 or 4% of annual global turnover, whichever is greater.

Organisations have enough to deal with in ensuring compliance with the GDPR, along with other compliance regulations, without the added complication of BREXIT thrown into the mix. The climate of uncertainty caused by BREXIT is not the backdrop you want for the forthcoming year.

In this whitepaper, we look in depth at the new regulations coming into place for organisations in the UK, as well as the GDPR, and the tools to help you set up a compliance framework for operating on this shifting sand.

A three-pronged attack

The current geo-political and financial climate means that most organisations are finding it tough to do business. Add on top of that the impending compliance deadlines for GDPR, the UK Corporate Governance Code and Brexit (without even knowing what the latter will look like), and you will find most businesses struggling under the weight.

The timing of these three new regulatory codes could not be worse for Company Secretaries. The role was already a high-pressure job: a senior role traditionally responsible for filing annual returns and maintaining the company’s existence as a legal entity. The focus on the role has intensified in the last decade or so, with responsibility for the organisation’s corporate governance thrusting the role into the spotlight.

This increased focus on governance has also spread to the public consciousness, and news of corporate scandals and failings is now commonplace across the media, meaning that awareness of any failing is much greater than it has ever been. The governance scandals that gather the most attention from the press usually concern executive pay. This is a contentious subject for all concerned, and it is one of the key areas covered in the new Corporate Governance reform introduced by the UK government in August 2017.

Government response

A greater worldwide focus on governance came at the right time for the UK government, as it gave them an opportunity to consolidate and update its already robust stance on good corporate governance and re-confirm the UK as a prime destination for business in the light of the leave vote following the EU referendum held in 2016. Whilst it is unclear exactly what the exit bill will contain, the UK needed to reaffirm its position as a global force for business to insure against a mass exodus that would financially cripple the country.

The governance code already in place, the Companies Act 2006, was already one of the most thorough in the world, defining fiduciary duties for directors, along with the ‘Combined Code’, which provided general principles for organisations to follow on a ‘comply or explain’ basis. This principle allows companies not to comply with the code, so long as they can provide an adequate reason for not following it.

The decision to make major changes to the corporate governance system was taken shortly before the release of the green paper on the subject in November 2016, taking much that is in the voluntary code and putting it into enforceable laws and regulations.

A survey by accounting and consulting firm Grant Thornton in December 2015 showed that only 57 percent of the FTSE 350 companies fully complied with the Code. This, along with the increase in public interest in executive pay and employee rights, has prompted this change.

Compliance with the code has always been limited to public companies, whilst private companies can voluntarily choose to adhere if they wish, but that is changing, with large privately held companies now being required to comply with the new code as part of its reform.

The government’s response to the green paper focuses on three main areas: executive pay, employee rights and engagement, and corporate governance in large privately held businesses. The highest-profile item here is executive pay, which attracts controversy from both sides of the fence.

When the reforms were announced, all of the headlines were grabbed by the inclusion of legislation requiring companies to report annually on the ratio of CEO pay to the average pay of their UK workforce, along with a narrative explaining changes to that ratio from year to year and putting it in context with pay and conditions across the organisation.

There are other reforms to executive pay outlined in the report, but the other main change lies in handing broader responsibility to the remuneration committee to oversee pay and incentives across the whole company, and requiring it to engage with the wider workforce to explain how executive remuneration aligns with wider company pay policies, creating greater transparency over pay ratios across the organisation.

Section 2 of the report outlines ways in which the code can be used to strengthen the employee voice and create greater engagement with stakeholders. The main change here is the introduction of secondary legislation that requires all large companies, both private and public, to explain how their directors regard their responsibilities towards their employees, shareholders, customers and wider society. The increase in accountability and transparency here is something that the general public has been crying out for since the financial crisis of 2008, but it will be interesting to see how willing some organisations are to make this change.

Overall, the response and new reforms refocus directors’ attention on proving that the salary and incentives they receive are commensurate with their performance, and in turn place extra responsibilities on them to help ensure this. This is certainly the case with the GDPR, under which directors have extensive responsibilities with potentially life-changing consequences.

Keeping organisations in check with the advancement of technology

The advancement of technology since the turn of the century is nothing short of remarkable. Whilst it has revolutionised every aspect of our day-to-day lives, the more we rely on technology to facilitate our business decisions and communications, the greater the likelihood of a data breach becomes. This has led to some very high-profile hacks, leaks and security breaches in recent years concerning a lot of personal data, and this is the purpose of the GDPR: to better protect personal data.

Monetary penalty notices

The ICO continues to clamp down on non-compliant organisations, as demonstrated by the number and value of fines issued for DPA-related offences over the last few years:

- 2010: 2 fines totalling £160,000
- 2011: 7 fines totalling £541,100
- 2012: 17 fines totalling £2,143,000
- 2013: 14 fines totalling £1,520,000
- 2014: 9 fines totalling £668,500
- 2015: 18 fines totalling £2,031,250
- 2016: 21 fines totalling £2,155,500
- 2017 (to August): 44 fines totalling £3,107,500

The EU General Data Protection Regulation was adopted in April 2016 and comes into full effect on 25 May 2018, when it supersedes the Data Protection Directive (DPD). The new regulation doesn’t fundamentally change any of the core rules in the DPD; rather, it extends the directive’s requirements significantly by introducing a range of new obligations. The GDPR heralds the most significant change to data protection law in the EU for some time.

Introduced to keep pace with technological advancements, the regulation’s purpose is to improve consumer confidence in organisations that hold personal data by reinforcing their privacy and security rights, and also to simplify the free flow of personal data in the EU within a coherent framework across all member states.

The UK has recognised the value that the new regulation brings to protecting consumers’ rights, and has confirmed that the GDPR will continue to apply to UK companies even after the UK leaves the European Union.

The biggest change comes in the way that records must now be kept and maintained detailing how data is both stored and used. Furthermore, under the new regulations the onus is on the data controllers (the company that will be using and manipulating the data) to ensure that the data processors or collectors are fully compliant with GDPR. This extra step will help to further protect the consumer’s data, but will also add significantly to the burden of the IT department and the CIO when performing due diligence on any potential new contractor.

In a recent survey of 500 IT executives across different industries for Varonis Systems, 75% of companies believe they face serious challenges in becoming compliant with GDPR. At financial services firms, executives seem to be taking these challenges more seriously than most. Only 33% of IT executives in the financial services sector say their company has not made it a priority to comply with the law by the deadline. That compares with an average of 42 per cent across all sectors. Over 25% of all IT executives surveyed agreed that banking would be the sector most likely to be made an example of.

In an FT article of May 2017 highlighting the insurmountable task that the banking sector faces, Chris McMillan, a partner at the consultancy Oliver Wyman, outlined the problems faced by banks. “Banks are struggling with legacy systems,” says McMillan. “From our discussions with chief technology officers at banks, they are concerned the technical challenge may be impossible given there is only a year to go.” Banks may have up to 100 different systems, with a different piece of data for each client stored on each one, so a joined-up approach is a huge task. However, there are other small signs that perhaps some of the biggest organisations haven’t even started to make changes.

RiskIQ reviewed the public websites of FTSE 30 organisations and found that some of the most basic changes haven’t been made. Most websites use data capture forms, which fall within the scope of GDPR as they collect personal data. The regulation emphasises that provisions should be in place to ensure that PII is securely captured and processed. In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.

The RiskIQ research on the public-facing websites of FTSE 30 organisations revealed that there are 99,467 live websites in total, an average of 3,315 websites per organisation. Of these, 13,194 pages collect PII (personal information), an average of 440 pages per organisation. Crucially, 34% of pages that collect PII are doing so insecurely, with 29% not using encryption.

Many organisations are beginning to panic over the short timeframe before they need to demonstrate GDPR compliance, particularly around the stringency of compliance standards and the recording of data processing in the event of an audit.

The Regulation now places the onus on organisations and data processors to keep their own records of data processing activities and make these available to the supervisory authority on request. This record needs to contain a specific set of information so that it is clear what, where, how and why data is processed.

Where compliance standards are concerned, the GDPR actively encourages the adoption of certification schemes as a means to demonstrate compliance. Compliance with, or partnering with data hosts that have complied with, the international information security standard ISO 27001 (the only independent, internationally recognised data security standard) will help organisations demonstrate that they have endeavoured to comply with the data security requirements of the GDPR.

Breach of any of these duties, or failing to ensure compliance, can lead to direct legal action being taken against the directors by prosecutors, or even shareholders. Even without this extra element of personal jeopardy, the increased scrutiny that would come with any claims of data misuse or failings would draw significant attention to the directors in question and their suitability.

Further legislative change may also be on the horizon in the UK. In a meeting to discuss the UK’s draft Digital Economy Bill in October 2016, the Information Commissioner recommended imposing personal liability and accountability on directors of companies that violate data protection laws.

What is clear is that accountability and transparency are again key to the success of any organisation in dealing with the new regulations coming into place. Clear and concise planning is needed to ensure that every aspect of these new regulations is complied with, or at least that it is explained why compliance is not an option, as is the case with the new UK code. But how do you plan for something without knowing the exact details of what you’re planning for? That is the difficult position that organisations currently find themselves in regarding Brexit.

The uncertainty around BREXIT

“Most issues can be avoided by the implementation of strict laws and by rigorously enforcing those laws. This may sound scary, but is the only way to ensure a smooth Brexit transition.”
- Barnabas Reynolds, Shearman & Sterling

There is a growing concern around what will be included in the Exit Bill, if there will even be one agreed upon, and the length of time this gives organisations to comply with the, as yet, unknown regulations.

Chris Bates, Head of Financial Regulatory Practices for Clifford Chance, speaking at the European Compliance and Legal Conference run by AFME earlier this month, was keen to press home just how little time there is before the deadline of March 2019 for the exit bill, and how tricky this is for businesses, especially if you’re waiting until an exit bill is agreed upon before making any business-critical decisions. “The uncertainty around Brexit can paralyse your organisation; you have to press forward with your plans as the timeline is simply too short to wait and see.”

Panellists at the AFME conference all agreed that the amount of paperwork and admin that will be needed for dealing with clients on the other side of the Brexit deadline, in the wake of the as-yet unknown new regulations that will come into play, was also a point of contention amongst many of the delegates.

The final part of this hellish jigsaw is what Scott Vincent, managing partner at consultancy Parker Fitzgerald, described at the AFME conference as the alphabet soup of other financial regulations coming into force soon. Companies face “an enormous challenge” in complying with the EU’s General Data Protection Regulation alongside other new regulations, both known and unknown, including Mifid 2, PSD2 and IFRS 9. He describes a growing sense of “industry panic” around compliance.

The ramifications of Brexit do not just affect how we deal with the EU as a third party, but also have implications for the UK’s trading with other countries, as new trade deals, as well as yet more regulations, will have to come into play to enable and secure this after the deadline in 2019.

The advice from all industry experts is to begin your preparations now, if you haven’t already. In a recent survey at FundForum 2017, eShare discovered that 40% of the organisations in attendance had not yet begun setting aside resources (time, money and people) to deal with the potential fallout and repercussions of Brexit.

Transparency at the forefront

A paper published by Deloitte said: “The sheer complexity of governance and the huge number of related procedures and other mechanisms in a global financial institution may indicate a need for a governance operating model. The elements of such a model may exist within many large FSI companies. However, those elements may not have been connected, rationalized, and organized to provide the consistent guidance and incentives that executives, risk managers, and business unit leaders require. A governance operating model has the potential to address this need and thus enhance management’s ability to implement governance and the board’s ability to exercise proper oversight.”

Whilst this feature focuses on the financial services industry, it rings true for all industries and businesses. One thing is certain though: it’s a big subject and you cannot tackle everything at once. By focusing your efforts initially on improving your transparency when making decisions, as well as proving accountability, you have put in place the building blocks for addressing all three of the hurdles mentioned above.

Whilst many of the new regulations under the UK Corporate Governance reforms focus on the use of technology, it can also be the answer to achieving this first step towards addressing these hurdles. By utilising a fully secure and compliant governance platform, your board of directors can be confident that their meetings are captured in a fully transparent way, while a traceable and auditable system for actions and decisions captures a complete picture of the business-critical meetings and discussions being held. Since ultimate responsibility lies with the board of directors, this transparency around their meetings and the decisions they make can help to foster a culture of transparency.

Improved governance

Failure to comply with the new regulations, particularly GDPR, could have disastrous personal and professional consequences, but there are tools available to help with this. Online board portals are growing in use with many organisations, enabling enhanced board communication and collaboration, document review and annotation, and a host of other features that make board meetings more efficient and effective.

There is also a real need to push the use of portals down into the subsidiary governance layer, particularly for regulated entities. Traditionally, software has only been used at the plc level, but risk is present in operating entities throughout the entire corporate structure.

Online board portals make it easier for board members to demonstrate accountability, compliance and transparency, supporting the information sharing, decision making and risk management that comes with good governance. They provide an overview of governance throughout the organisation, helping identify issues and drive improvement.

Conclusion

The spotlight of world media is now fully on organisations when it comes to compliance, and consumers have never had a greater understanding or power when it comes to where they take their business.

Non-compliance with the new regulations coming into place is not an option, but it is clear that organisations need help when it comes to focusing the mind and knowing where to begin. Technology could be the key to unlocking this puzzle, and with the right tools in place, the burden of proof could be eased considerably.

eShare works with hundreds of organisations and their company secretaries all over the world, and we understand the demands and challenges of the role. To hear more about how we can help address some of the issues outlined in this paper, please get in touch via email on info@eshare.net, or call us on +44 (0) 845 200 7829.
