On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) — a massive piece of legislation that will have the effect of becoming a de facto global data protection law — goes into effect. While chief privacy officers are already reaching for the anti-anxiety medication, hopefully they will leave enough for the chief financial officers, who will soon be reviewing GDPR budgets and will need to decide how to allocate huge amounts of money toward this critical law that is much more than a compliance obligation.
The GDPR’s primary goal is to give control over personal data back to the individual, in this case the European Union citizen, through a series of newly codified individual rights and corresponding corporate obligations — certainly a noble policy aim, but one that will require a sea change in operations and internal oversight. That means a whole lot of money is going to be spent to implement and maintain compliance.
Before the CFO breaks into a cold sweat, however, here are some basic things to know.
Geographic applicability. Within the EU, the GDPR is directly applicable, but it is important to note that even if your company is outside of the EU, if you offer goods or services to an EU citizen, or if you monitor someone’s behavior in the EU, e.g., online tracking, then the law applies. Guess what? If you are doing business within the digital world, offering anything online, or deploying tracking technologies like cookies to better understand your customer, then the GDPR kicks in.
Consent. The GDPR imposes new consent obligations on companies. Gone are the halcyon days when notice of your data practices could be buried in the Terms of Use Policy in the footer of your website. Instead, “consent,” as a legal notion, has new and specific requirements that must be met. In addition to the prohibition against burying notice and consent in the footer, you have to set up a mechanism that allows consent to be easily withdrawn at any time, and it can’t be a “take it or leave it” situation.
New Rights. Companies will need to figure out how to be transparent — which is the foundation of the GDPR — about new individual rights. These include the right to access and take your personal data, the right to erasure, and the right not to be subject to profiling or tracking that uses automated processes.
While the basics are operationally and legally focused, the CFO needs to be concerned about two important aspects of the GDPR.
First, the law requires companies to be accountable for their actions. When a CFO sees the word “accountability,” she usually sits up and takes notice. By accountability I mean that new enterprise-wide data protection policies need to be created and implemented. Further, companies are going to need to keep scrupulous records documenting their new processes. They will also have to go through annual data protection impact assessments to determine what privacy risks exist to consumers. Crucially, companies will also be required to ensure that the vendors they work with are also in compliance with the GDPR. In other words, compliance with the GDPR goes all the way through the information lifecycle.
Those of you who were around in 1999 may detect the echo of Y2K, when companies were required to undertake a full internal body scan to ensure the world didn’t end on New Year’s 2000. That is exactly on point, but with the added burden that if you don’t comply with the law as of May 25, 2018, penalties can be imposed by the relevant national data protection authority.
There are two tiers of potential fines, depending on the level of transgression, prior acts, and supervisory discretion. The lower tier provides for fines of up to 2% of a company’s gross global revenue or 10 million euros, whichever is more. The second tier, however, allows for fines up to 4% of a company’s annual gross revenue or 20 million euros, whichever is more.
While that is a massive downside risk for any CFO to consider, the good news is these fines are not compounded for the same incident, meaning you can’t get whacked multiple times for the same transgression. The big question, of course, is what triggers a fine under the different tiers. That’s somewhat subjective, but the GDPR at least provides guidance. Fines under the higher threshold generally are for violations of consent, improperly transferring personal data, and for violating the individual’s new rights.
Clearly there are lots of ways to get tripped up and inadvertently expose your company to extreme financial risk. So, how are companies beginning to think about the GDPR and its risk factors?
Already we are seeing cross-functional teams being formed that include the CFO, and 2017 budgets are being prepared. A significant component of the 2017 GDPR budget will be directed toward a gap analysis to baseline where a company presently is against where it needs to be, and which workflows will be impacted by the GDPR. The CFO will need to be an active and vocal participant in this process because funding will be a crucial aspect.
Todd Ruback is chief privacy officer of global technology company Ghostery.