New data privacy laws demand more proactive board oversight