Data strategy and directors' duties: key considerations for boards

Boards are under mounting pressure to better manage data risk while driving value from this increasingly complex and regulated digital asset. A focus on unlocking opportunities, rather than defining an organisation's data strategy, has given rise to greater data-related risk that has the potential to compromise effective corporate governance, as well as cause reputational harm and impact the bottom line.

Current discussions about data strategy exclude a critical component: the legal link. That link is relevant not only to good corporate governance and compliance with the law, but also to the fulfilment of directors' duties.

While there is growing appreciation of the need to consider privacy and the risks associated with collecting and using personal information, data strategies, where they do exist, often fail to consider an organisation's broader legal obligations, which play a vital role in effective data strategy design and execution.

Critical to the development of an effective data strategy is defining the who, how and what that, when properly considered, will unlock new opportunities while protecting organisations, directors and consumers from exposure to harm and liability.

Data strategy: who is responsible?

Despite the importance of data to businesses, regulators and consumers alike, there is currently no user manual, data code or prescriptive regulation to govern the assignment of roles and responsibilities for an organisation's data or data strategy.

Like many other duties, responsibility for the role of data and technology within an organisation ultimately resides with directors as part of their directors' duties and the evolving dimensions of ESG.

The role of directors' duties

Under the Corporations Act 2001 (Cth), directors are required to exercise their powers and perform their functions:

  • in good faith including acting in the best interests of the company,
  • with care and diligence, and
  • without using their position or information to gain personal advantage (ss 180, 183, 601FD).

These statutory duties derive from long-standing common law fiduciary duties and the essential duty of due care and skill. While "due care and skill" is not defined under the Act, the expectation on directors to be technology and data literate is increasing alongside the growing dependency upon technology and the data that drives it.

Why are directors' duties relevant to data strategy?

Directors' duties are not static duties and evolve over time due to changes in risk landscape, technological advances, and shareholder expectations. While requirements for a director's digital literacy may not extend to mastering what many would compare to a foreign language (in the form of artificial intelligence; algorithms; data sets, hygiene and transfer; biometrics; behavioural data; the latest ransomware or dark web activities), being properly advised is a key requirement for directors.

A director is entitled to rely on the advice of one or more employees of the company, legal counsel, accountants or other professionals, or a separate committee of the board of which the director is not a member. While this does not transfer a director's liability, and a director cannot rely absolutely on the advice of employees or advisers, being properly advised on data risk in a technological environment is indispensable to discharging directors' duties.

It stands to reason that a board or equivalent structure should oversee an organisation's data strategy development, and be aware of the associated benefits and risks, including legal risk.

Case study: the relevance of data to directors' duties

Enforcement action brought in 2022 by the Australian Securities & Investments Commission (ASIC), and the Federal Court's ruling in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, have also made clear that the Corporations Act 2001 (Cth) can and will be invoked where cyber risk measures are deemed to be inadequate.

While cyber risk is likely to be a central pillar in most businesses' data strategies due to risks of business interruption posed by threat actors, the approach fails to capture a full appreciation of:

  i. the role of data in delivering on an organisation's purpose, and subsequently reporting to the CEO and board to support evidence-based decision-making that can inform overall business strategy; and
  ii. the full range of legal obligations that may apply to data, extending beyond business interruption concerns, and potentially giving rise to multiple sources of legal liability and a diversion of internal resourcing to deal with a multi-liability environment.

The rise of Chief Data Officers

Organisations often default to the IT helpdesk, a head of cyber security or chief technology officer, or the risk and compliance function for support and advice relating to data. However, these roles often lack the necessary capabilities to advise directors on the legal and other relevant dimensions of data risk and value.

Instead, organisations should consider investing in specialised resources to unlock new opportunities while simultaneously actively managing the increasing risks associated with data collection, storage and use. Cross-disciplinary teams of data analysts, technologists, systems architects, legal specialists, marketers and other specialised disciplines operating under a Chief Data Officer can ensure a more effective enterprise-wide data strategy design, execution and reporting to the board.

Data strategy: how to design a more effective approach

Designing an effective strategy involves several considerations common to most businesses, such as identifying:

  • the structured and unstructured data you collect, hold, use and transfer to others;
  • the criticality of this data to achieving your business objectives or strategy;
  • the risk to your business if data is compromised;
  • mitigation methods to lower risk of data compromise; and
  • applicable contractual and non-contractual legal obligations.

While the answers to these questions will differ depending on the organisation and the sector within which a business operates, limited resourcing to deliver a data strategy is not uncommon. Almost by necessity, therefore, designing a commercially viable and proportionate data strategy involves targeting certain data sets and ensuring they are prioritised within the strategy.

A tailored and proportionate data strategy should not overlook fundamental legal considerations such as privacy laws, sector specific regulations, cybersecurity laws and contractual obligations, and should be supported by strong legal foundations to ensure the strategy realises its full potential and value.

Classifying priority data: what data is included in a data strategy?

Financial data and personal information (whether belonging to your customers, contractors, consultants or suppliers) are likely to be central to most data strategies and are obvious priorities for the purposes of reporting to the board. However, consideration may also be warranted for other data sets representing key value or liabilities. This may be a qualitative assessment undertaken by an expert in privacy, intellectual property, contracts and other specialised areas of law.

These other data sets might include:

  • Personal information broken down into sensitive and non-sensitive categories,
  • Privileged legal advice,
  • Intellectual property (whether copyright materials or trade secrets),
  • Rate cards and preferential pricing arrangements,
  • Supplier or customer lists,
  • Contracts, and
  • Confidential information of your own and others.

The saying "data is the new oil" recognises the value data brings to a business when it is properly ordered, analysed and refined, like oil. A data strategy provides a framework for an organisation to support overall business strategy by increasing certainty and reducing risk through evidence-based decision making.

A data strategy should be a source of value not liability to your business, working to strengthen your security posture, data quality, data governance, and, in turn, corporate governance. Assessing and understanding the legal risks of your data strategy may prove crucial to the success of the program. To date, this is the missing piece of the puzzle in data strategy design.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.