What should CFOs be doing about new compliance rules?
If there’s one aspect of GDPR that is likely to grab the attention of any CFO it is the potentially eye-watering fines organizations could be hit with if they are found to have breached the new data protection regulation.
As the gatekeepers for the company finances, and often the boardroom owner of risk management, what CFO isn't going to sit up and take notice when the sums involved could be up to €20 million or four per cent of global annual turnover (whichever is higher)?
However, CFOs shouldn't just be sitting in fear, hoping the day never comes when they have to pay out such a fine. There is much they should be doing to ensure their organization is prepared, starting with participation in cross-organization planning and an audit so that they understand the types of personal data being processed within their organization, where that data resides, who has and who needs access to it, and how their processing activities are affected by GDPR.
For CFOs this process should include reviewing what data they hold, create, and preside over within finance. That could include employee information such as payroll or salary data, as well as data held by suppliers, contractors, and outsourcers who may report into the CFO. CFOs should also be reviewing the contracts they have in place with those suppliers to ensure they are fit for GDPR, including the processor terms the regulation requires.
Another key role of the CFO is ensuring the organization’s compliance efforts are properly funded and resourced. In order to do that, the CFO must understand the cost of compliance and where investment needs to be made in order to ensure it. This may well involve additional budgets for teams such as IT, which will certainly be at the sharp end of GDPR compliance, ensuring data is protected and structured in such a way that the organization can respond to requests from data subjects to provide, modify or delete data.
However, to prevent the cost of compliance spiralling, CFOs will also need to ensure they understand which measures are essential and should maintain a cautious cynicism towards some of the requests for additional budget that may cross their desk. “This is needed for GDPR compliance” could be used to push through any number of purchases that may not be essential. This is all the more reason why the CFO needs to ensure they are on top of GDPR and what it means.
There is still some uncertainty surrounding what will happen after the GDPR deadline of 25 May 2018. But whatever happens, the CFO needs to be prepared. There are clear opportunities in a data-driven economy for any organization that improves its data handling and usage practices. CFOs should therefore be weighing the potential upside of GDPR and the way it could help them unlock valuable insights, improve operations, know their customers better, and become more responsive to risks and opportunities.
However, as a final consideration, CFOs may also choose to plan for the potential downside. For all the planning, some organizations will be caught out and hit with fines, or potentially lawsuits. While they should of course do all they can to ensure that is not their organization, some CFOs may still choose to plan for the worst and set aside funding as an insurance policy against those eye-watering fines.