When considering the financial implications of the General Data Protection Regulation (GDPR), most headlines focus on the severe penalties for noncompliance. They are certainly worthy of the financiers’ attention: Violations could incur fines of up to €20 million or 4% of a company’s annual global revenue (whichever is the greater). There could also be legal claims from affected individuals or groups, along with the hidden costs of a damaged corporate reputation.
Dig a little deeper, however, and the outlook for CFOs and their teams is more positive. The finance and risk organization plays a key role in the orchestration of enterprise governance, risk management, compliance, and control activities. And in today’s data-driven world, this far-reaching new regulation also represents a wider opportunity to transform the way data is handled and to govern the related risk and compliance implications across the organization. As a result, the finance team can help accelerate the organization’s digital evolution journey – and address GDPR compliance requirements along the way.
Here are some of the key things the finance and risk team needs to bear in mind about the GDPR.
What is the GDPR?
Let’s start by reminding ourselves what the GDPR is, and why it’s so important. The regulation is designed to protect the data and fundamental privacy of all EU citizens, and replaces existing local data protection laws in EU member countries. The GDPR was approved and adopted by the EU Parliament in April 2016 and will be enforced from 25 May 2018. The regulation is over 200 pages long, so we can’t cover all the details here. What we do need to recognize is that its reach is global, and will potentially affect every commercial and public sector organization that processes EU citizen data – irrespective of where in the world that processing is done.
And what does it mean for the organization?
The implications are equally far-reaching and could be felt across the entire organization. At one end of the scale, this could be simply how HR handles internal employee data; at the other end, it could have dramatic effects on how sales, marketing, and service teams process and store large volumes of customer data across multiple markets. Either way, the organization needs to be ready to show compliance in three key areas by the enforcement date and beyond:
- The ability to deal effectively with individuals’ rights such as data protection, rectification, and erasure
- That the required organization, policies, and controls are in place to govern on a daily basis
- The ability to conform to the new principle of accountability by demonstrating how compliance is achieved on an ongoing basis through documentary evidence
What does this mean for the finance and risk team?
So while data tends to grab the headlines, governance is an equally essential element of the overall GDPR compliance program. Nearly half of the articles in the regulation are related to business procedures associated with policies, controls, record-keeping, and the accountabilities of different roles and entities. To avoid costly penalties, governance of policies, processes, and people must be clearly defined and documented.
The finance and risk organization therefore has a crucial role to play – and its compliance and risk officers in particular – in collaborating closely with other stakeholders such as IT, security, internal audit, and, crucially, legal departments. These teams are often putting in place a data protection office, whether or not the function is assigned full time to a designated person (the data protection officer).
Achieving and sustaining governance excellence requires a robust, consistent, and holistic approach across the enterprise. It can be executed as part of a “three lines of defense” program, for example, with a technology platform incorporating a range of governance, risk, and compliance (GRC) solutions. This allows different parts of the organization to work together cohesively within an integrated framework. These solutions enable the organization to automate its risk, compliance, and audit management processes and to monitor the enforcement of policies and the effectiveness of controls. This can greatly assist in addressing GDPR requirements as part of the day-to-day business operations moving forward.
What can technology further bring?
Every organization today needs to be fit for digital business. The requirements of the GDPR can therefore serve as a useful accelerator by helping to channel resources into the right areas. Instead of thinking of GDPR compliance as an unavoidable cost, companies can consider it as a valuable investment in their digital future.
As an example, we at SAP, as a large multinational organization with extensive EU business interests, have been required to address our own GDPR compliance obligations as well as those of our customers. Our software and practices have therefore been thoroughly road-tested, and we’ve built up excellent knowledge and experience not just to meet our GDPR requirements, but to help our customers through this journey.
Technologies and associated services cannot guarantee GDPR compliance, of course, as it is the user-organization that is ultimately responsible for adopting the measures it deems appropriate to achieve compliance. However, there are really interesting propositions to look into, to help accelerate the journey, automate compliance processes, and become a more agile digital business in better shape for long-term success.
Read all the GRC Tuesday series blogs on GDPR to learn more.