OK, we all saw Mark Zuckerberg (not) answer the questions posed to him by the US Senate. After two awkward days (on both sides) the overriding question was: was it a matter of Mark Zuckerberg outwitting the Senate and not wanting to answer the questions, or did he actually not know the answers? Our office was split down the middle, with half saying “how could he be expected to know and be responsible for the ins and outs of Facebook’s daily operations?” and the other half saying “As CEO it’s his responsibility!” The discussions raged on for days, ending with the inevitable “we will just have to agree to disagree”.
Our office was by no means the only place this discussion was being had. Obviously it loomed large on social media, but I also experienced it in bars, overheard it in dinner conversations between first daters, in supermarket queues, and between my relatives who don’t even have Facebook accounts! Simply put, one chain of events led the world to get passionate about personal data and start to ask “Where else has this happened that we don’t know about? Are executives really protecting my personal data, or do they still treat it as a commodity?”
The looming deadline of the EU’s GDPR couldn’t have been more perfectly timed to step in and take centre stage at board level. I witnessed one board grill its C-suite executives on GDPR preparedness, security breaches, and who and what is protecting their personal data; essentially, what is in place so it doesn’t happen to them. The surprising thing, for both me and the board, was that there were executives at the table who didn’t think it was their responsibility to know the answers, and instead passed the questions to the CISO and DPO.
In this instance the CISO and DPO knew all the answers and proudly stated that the company was already GDPR-ready. But how can that be if they have executives who seemingly don’t know the first thing about personal data, incident reporting, or the lawful collection and processing of personal data? Not reporting a serious breach to the relevant supervisory authority could result in a significant fine of up to €10 million or 2% of global turnover. A well-informed board member chastised the CISO, DPO and all other C-suite executives, which thankfully led to a coming together of the executives, who have all since undertaken in-house training and an external audit to satisfy the board at the next meeting.