The deadline for compliance with the European Union’s (EU’s) General Data Protection Regulation (the GDPR) is Friday 25th May 2018. It will affect all businesses and as finance professionals, you need to know what it means for you and your company.
The focus is on personal data, or data about individuals, and is a significant shake-up that affects any sole trader, partnership, corporation, public authority, agency or other body that processes the personal data of individuals who are based in the EU. This includes suppliers and other third parties a company might use to process personal data on their behalf.
Businesses in all industries work with personal data such as contact details, bank account information and National Insurance numbers. These belong to customers, suppliers, sub-contractors and employees, and must all be secured under the new regulation.
Let’s look at three examples of how the GDPR might affect finance professionals during their day-to-day work.
1. Don’t get caught out by international transfers
Regulatory compliance might be viewed by many as an administrative burden. However, ignoring the GDPR or getting it wrong could have costly repercussions.
A serious GDPR infringement is the failure to observe the requirements for international transfers – if the data is being transferred to a country outside the EU that isn’t deemed to have adequate security levels. It’s these things that can incur the really hefty fines under the GDPR.
The GDPR continues the general prohibition on sending personal data outside the European Economic Area to a country that does not provide adequate protection.
At the time of writing, the countries deemed by the European Commission to provide “adequate” protection are: US companies that self-certify to the European Union-US Privacy Shield arrangement (note: this does not mean the US as a country is considered to provide adequate protection), Andorra, Argentina, Canada (limited to PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Where no adequacy decision exists, transfers can only be made in limited circumstances, including on the basis of consent, the use of standard contractual clauses published by the European Commission or, in the case of inter-company transfers, the use of Binding Corporate Rules.
2. Do you need a data protection officer?
The supervisory authority can impose a fine of up to 4% of annual global turnover, or €20m, whichever is greater. However there’s a two-tier system in play.
The lower tier is half of that, so up to 2% of annual global turnover or €10m, whichever is greater. The lower tier is for breaches that aren’t considered to be as significant – so, for example, things like not appointing a data protection officer (DPO) when it is mandatory.
Among other things under the GDPR, companies and any third parties that process personal data on their behalf will need to appoint a DPO if the core activities of the business or third parties involve monitoring of individuals on a large scale, or if the core activities consist of processing on a large scale of special categories of personal data, including data relating to criminal convictions and offences.
The DPO needs to have expert knowledge of data protection law, although they don’t necessarily need to be an employee and could instead be employed on a service contact to fulfil the role. Details of the DPO will need to be communicated to the supervisory authority, such as the ICO in the UK.
It will be the job of the DPO to inform the company and its staff about their obligations under the GDPR. They will also have to monitor compliance with the GDPR (and any other data protection laws or requirements).
This could include managing data protection impact assessments, conducting internal audits and organising staff training. The DPO will also be the first point of contact for data-protect-related enquiries from supervisory authorities such as the ICO, and the point of contact for any individuals whose data is processed by the company – including customers, clients and employees.
3. Finance professionals should use the opportunity to improve data quality
But it’s not all bad news. Finance departments should also think about the way the GDPR can result in better data quality, through initiatives like a centralised data depository where data is deduplicated and cleaned up.
Alongside compliance, businesses should think about adding analytics to the high-quality data that may result. Reliable information can result in a more accurate and enriched customer database, which chief financial officers can leverage to make better decisions.
Remember that most people won’t immediately demand that their data be deleted. If you’re providing a good service, many will be happy to allow your business to use their data if it benefits them.
For example, it allows you to better understand them and tailor your service for what they need. Customers will be happy if you present your product at the right time to them through your understanding and wise management of their personal data.