For CFOs, the European Union’s sweeping new data protection law, the General Data Protection Regulation (GDPR), represents both a huge threat and an enormous opportunity.
The threat, of course, is the measure’s punitive teeth. After May 25, 2018, companies found in violation of GDPR are subject to fines of up to 4% of a company’s annual worldwide revenue or €20 million, whichever is greater. That’s a stiff blow to a company’s bottom line, and it’s a safe bet the EU won’t wait long to make an example of a scofflaw.
GDPR will also potentially have an impact on U.S. companies, as any company that stores or processes information about citizens of EU states must comply with the regulation, even if it has no business operations within the EU.
The opportunity lies in the fact that CFOs are in a natural position to play a key role in the complex, cross-organization GDPR compliance effort and even to help lead it.
Think about it. While several different functions — marketing, legal, and IT, as well as finance, for instance — have skin in the GDPR game, no one group is a natural candidate to take charge of the company’s response. So why not the CFO, whose procurement oversight responsibilities, strategic business savvy, and growing cross-organizational role all play well in the GDPR strategy?
At a time when the CFO role is evolving beyond finance to, as Forrester has put it, “a performance leader with strategy in mind, a catalyst of action, a steward of control and an operator of efficiency,” GDPR seems tailor-made for CFOs to influence one of the organization’s broadest and most important endeavors of 2018.
To be sure, a small number of executives surveyed by McKinsey believed their companies still had a long way to go on the road to compliance. Meanwhile, a PwC study found that some companies “see their GDPR programs as a potential differentiator in the market,” hoping “to highlight early compliance to help drive a competitive advantage.”
In either type of company, the CFO’s sharp business lens can be a major asset in making sure the company is tackling GDPR intelligently and cohesively and that the right resources are being made available.
GDPR has been called the most sweeping change to data protection in decades, with 99 provisions instituting new rules on matters such as data use consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers.
Companies that collect personal data must proactively demonstrate that they understand what data they have access to, how they use it, and how they safeguard it. They must also have rigorous processes to ensure appropriate controls are in place before sharing data with vendors. If an individual requests access to their data, or requests that the data be removed from a company’s servers (known as the “right to be forgotten”), the organization must comply within one month.
GDPR’s impact reaches beyond Europe because it applies to any company with data about European Union citizens on its servers. It covers any information that can be used to directly or indirectly identify a person — a name, a photo, an email address, financial details, posts on social networking sites, medical information, or a computer IP address.
Companies worldwide are investing millions of dollars in GDPR compliance, according to the PwC study, and the figures will only rise as new hires, legal fees, and ongoing compliance are included.
CFOs have a critical role to play working closely with such departments as IT, security, marketing, legal, and auditing to ensure a comprehensive and holistic GDPR strategy across the organization.
Here are a few priorities the CFO can help drive:
Understand the risks of non-compliance. It is critical to understand the risks and determine the resource allocation needed to mitigate them effectively. How do we determine the resources and budgets that are appropriate to address the potential risks of non-compliance?
Establish focus areas. GDPR has a lot of moving parts, so the CFO can help break it all down into digestible segments. Working with the chief information security officer and other leaders, the CFO can ensure the company has a clear statement of security standards and the risk associated with the data the company is handling.
Buy the right stuff. Technology that purportedly can help with GDPR compliance will only be useful if the CFO and the rest of the company understand how it specifically manages privacy and data risk. The CFO can demand that this be the guideline for every purchase.
Create an in-depth plan for third-party risk. GDPR makes organizations essentially responsible for what their vendors do with the organization’s customer data. The CFO can drive the vendor vetting process that the new regulation makes necessary.
Use quality metrics to support decisions and demonstrate progress. Since CFOs are, by nature, numbers people, they can easily understand the need for metrics gauging the use of data and make sure the organization has instituted them.
Many aspects of GDPR compliance play to a CFO’s strengths, and companies will be stronger if CFOs take an active leadership role.
Brian Cohen is CFO of BitSight, which provides companies with security ratings.