As of 25th May 2018 a new piece of EU legislation comes into effect which will determine Do’s and Don’t in relation to collecting, transferring and sharing of personal consumer data irrespective of industry. Businesses need to assess their current situation on consumer data holding, implement GDPR guidelines to minimise legal risks, data breaches and the impact on children. GDPR regulations becoming law means CFO’s now have to find more money and allocate budgets to ensure proper governance of data and maintain compliance. Below are some crucial points to consider before spending a huge amount of cash as follows;
Geographic Impact
Businesses trading in goods and services of consumer goods operating in Europe now have to think about how they collect and share data where EU citizens are concerned especially when buying online. For example online tracking technologies of consumer data, trends, patterns, consumer demographics and buyer behaviour including cookies disclaimers will fall within the GDPR framework of data governance and management beyond May 2018
Consumer Consent
Data practices can no longer be buried in the terms of use policy in the footer of the Company website or business terms. Instead, ‘consent’ needs to be a legal notion where specific requirements need to be met and adhered. Specific mechanisms need to be implemented enabling EU consumers to withdraw their data at any given time. Failure to notify a breach of data can mean fines of up to 10 million euros or 2% of global turnover.
New Rights
Businesses operating in this arena have to be transparent which is at the heart of GDPR foundation enforcing individual rights. This includes access to personal data, online profiling and tracking in the use of automated processes. CFO’s need to be concerned with 2 important aspects of GDPR as follows;
Accountability
This means businesses will not only review their data policies but also revise their data for inclusion of GDPR guidelines. Furthermore Companies will have to also monitor their recording of data to ensure traceable audits and clear evidence that GDPR frameworks have been implemented to avoid penalties and financial risk
Annual Data Impact Assessments
Companies will be obligated to go through an annual data protection impact assessments to determine privacy risks to consumers. This trend is not only applicable to the end consumer but also includes Vendor agreements businesses have in place. Companies have to exercise their GDPR practices with their Vendor partners to ensure full compliance. In short the GDPR legislative action runs right through the information lifecycle across the business. The financial risk in failure to comply with GDPR will mean heavy fines and penalties costing a business millions. There are 2 tiers of potential fines which are inclusive of enforcing the law, prior acts and supervisory discretion. The lower tier can result in fines up to 2% of global turnover or 10 million euros otherwise 4% of global turnover or 20 million euros whichever is more. Many Businesses are already under way and seeing cross functional teams including the CFO to mitigate such huge financial risks by including these measures in the 2017 budgets. Forward action in the 2017 budget will include a gap analysis of where businesses are against where they need to be in relation to their data workflows once GDPR kicks in. CFO’s will be at the forefront of GDPR implementations as funding will need to be allocated here in the coming budgets.