What The CFO Really Needs To Know About The GDPR

Jerome Pugnet

When considering the financial implications of the General Data Protection Regulation (GDPR), most headlines focus on the severe penalties for noncompliance. They are certainly worthy of the CFO’s attention: violations could incur fines of up to €20 million or four percent of a company’s annual global revenue (whichever is greater). There could also be legal claims from affected individuals or groups, as well as the hidden costs of a damaged corporate reputation.

Dig a little deeper, however, and the outlook for CFOs and their teams is more positive. The finance organization also plays a key role in the orchestration of enterprise governance, risk management, compliance, and control activities. In today’s data-driven world, this far-reaching new regulation also represents a wider opportunity to transform the way you handle data and manage the related risk and compliance implications across the organization. In other words, you can help accelerate your organization’s digital evolution journey – and address GDPR compliance requirements along the way.

Here are some of the key things a CFO needs to bear in mind about the GDPR.

What is the GDPR?

Let’s start by reminding ourselves what the GDPR is, and why it’s so important. The regulation is designed to protect the data and fundamental privacy of all EU citizens, and replaces existing local data protection laws in EU member countries. The GDPR was approved and adopted by the EU Parliament in April 2016 and takes effect beginning May 25, 2018. The regulation is over 200 pages long, so we can’t cover all the details here. What we do need to recognize is that its reach is global, and will potentially affect every commercial and public sector organization that processes EU citizen data – irrespective of where in the world that processing is done.

And what does it mean for your organization?

The implications are equally far-reaching and could be felt across your entire organization. At one end of the scale, this could be simply how HR handles internal employee data; at the other end, it could have dramatic effects on how sales, marketing, and service teams process and store large volumes of customer data across multiple markets. Either way, your organization needs to be ready to show compliance in three key areas by the enforcement date and beyond:

  • The ability to deal effectively with individuals’ rights, such as data protection, rectification, and erasure
  • That the required organization, policies, and controls are in place to govern on a daily basis
  • The ability to conform to the new principle of accountability by demonstrating how compliance is achieved on an ongoing basis through documentary evidence

What does this mean for the CFO?

So while data tends to grab the headlines, governance is an equally essential element of the overall GDPR compliance program. Nearly half of the articles in the regulation are related to business procedures associated with policies, controls, record keeping, and accountabilities of different roles and entities. To avoid costly penalties, governance of policies, processes, and people must be clearly defined and documented.

The finance organization, and its compliance and risk teams in particular, therefore has a crucial role to play in collaborating closely with other stakeholders such as IT, security, internal audit, and legal departments. Achieving and sustaining governance excellence requires a robust, consistent, and holistic approach across the enterprise. It can be executed as part of a “three lines of defense” program, for example, with a technology platform incorporating a range of governance, risk, and compliance (GRC) solutions. This allows different parts of the organization to work together cohesively within an integrated framework. These solutions enable you to automate your risk, compliance, and audit management processes and to monitor the enforcement of policies and effectiveness of controls. This can greatly assist in addressing GDPR requirements as part of your day-to-day business operations moving forward.

How to channel your resources

Every organization today needs to be fit for digital business. The requirements of the GDPR can therefore serve as a useful accelerator by helping to channel resources into the right areas. Instead of thinking of GDPR compliance as an unavoidable cost, consider it as a valuable investment in your digital future.

While your organization is ultimately responsible for adopting the measures you deem appropriate to achieve compliance, you can take advantage of digital tools and capabilities to help accelerate your journey, automate compliance processes, and become a more agile digital business in better shape for long-term success.

In addressing its own GDPR compliance obligations, SAP has road-tested its software and services and is prepared to help other organizations meet their GDPR requirements. Join our webinar at 3 p.m. GMT/10 a.m. EST on November 9 to hear EY and SAP discuss the challenges and opportunities arising from the GDPR and how they can be addressed positively by GRC teams and the wider organization.


About Jerome Pugnet

Jérôme Pugnet is a senior director of GRC Product Marketing at SAP SE, based in London, and has over 12 years of experience in risk and compliance management, business process control, IT governance, fraud and audit management domains, in particular in the financial services industry. He has over 16 years of previous experience on financial software and ERP, in implementation engagements and pre-sales advisory roles.