The countdown has started. From 25 May, 2018, any company that holds personal data on EU residents will be required to comply with the General Data Protection Regulation (GDPR).
The GDPR updates the 1995 EU Data Protection Directive for the digital age, and is designed to give EU citizens more control over their personal data by governing the way organisations handle data. It also expands the definition of personal data from names and addresses to include any data that can be used to identify an individual, such as IP addresses and internet aliases.
“Any information that has the potential to identify a specific individual must ensure it is compliant with the GDPR legislation,” Nathan Snyder, partner at Brickendon Consulting, told bobsguide.
The penalties for non-compliance are high: any breaches incur a maximum penalty of 4% of the organisation’s global annual turnover, or €20m, whichever is more. But many studies have shown that many organisations are not aware of the fines they could face after GDPR comes into effect, or lack the technology to allow for compliance.
So, with less than a year to go, how can financial professionals ensure they do not fall foul of the regulation? How might banking treasury systems, or corporate management systems, help treasurers comply with GDPR?
What does GDPR obligate financial professionals to?
“All companies, including corporate treasurers, that handle client data now have clearly defined obligations, including appointing a Data Protection Officer and notifying the authorities should a data security breach occur,” explains Snyder.
GDPR also requires that organisations can locate, control and dispose of information should they need to. Individuals will be entitled to know how organisations are using their personal data, why they are using it and with whom they might be sharing it.
While the penalties for breaches are high, GDPR doesn’t have to be a purely compliance exercise for financial organisations, as there are benefits to be had from good data management. According to Elizabeth Denham, information commissioner at the UK Information Commissioner’s Office, by getting data protection right, organisations can see a “real business benefit”.
“The benefit for organisations is not just compliance but also providing an opportunity to develop the trust of its consumers in a sustained way… Because I think it’s clear that a lot of people feel they’ve lost control of their data,” she said in January.
As Catherine Moore, European president and MD for JP Morgan Merchant Services told bobsguide last week, complying with the GDPR requirements will help merchants get to a more standard operating procedure.
Are organisations ready for GDPR?
Despite GDPR being such a wide-reaching piece of legislation, affecting any business that handles personal data, and carrying hefty penalties for non-compliance, many organisations aren’t entirely prepared for it.
According to research by YouGov and UK law firm Irwin Mitchell, less than one-third (29%) of the more than 2,000 businesses surveyed have started preparing for the GDPR, and just 38% of senior decision makers of those businesses are aware of the new GDPR rules.
The research also found that more than two-thirds weren’t aware of the penalties for non-compliance, and, perhaps most worryingly, four in 10 businesses would have to let staff go or fold if they suffered the maximum fine.
Research by data management company Veritas, published in April 2017, also highlighted concern about the reputational cost of non-compliance, and the impact it might have on the brand image if a breach is made public.
The Veritas survey also found that 32% of respondents are concerned that their organisation lacks the technology to manage data effectively, which is crucial for GDPR compliance.
How should treasurers be preparing for compliance with GDPR?
In an April 2017 report, PwC explains that instead of a “add-on” or “afterthought within business operations”, protections for personal data should now be designed “into the very fabric of data processing systems, meaning that entities will need to re-examine how they approach the use of technology in their organisations”.
The report continues: “Technology is… the principal problem that data protection law is trying to solve. As such, it is obvious that, as well as being the problem, technology must provide the solution.”
While technology is an important component in ensuring GDPR compliance, it makes sense for organisations to take a wide view of how the legislation will affect their business, and engage different teams.
“Firms will need to embed a mindset where data privacy is at the heart of the company culture and not seen as a regulatory-imposed burden that slows down the business,” Snyder says.
“The key, as with any upcoming legislative changes, is to ensure you know where your business is now, decide what areas will be affected, what needs to be changed and how you are going to facilitate the changes,” he continues.
“The important thing with GDPR will be to think ahead when building IT systems and at an early stage address questions such as what data do we need, why do we need it, how long will we need it for and who will process it for us?
“If you can answer these questions, you are part of the way towards compliance.”
It will also be important to remember any third parties that might have access to any personal data held by the business. Snyder adds: “Corporate treasurers should also ensure that all partner contracts have a clearly defined minimum set of data protection requirements and a clear outline of roles and responsibilities.”
Do I need a treasury management system?
A flexible TMS will help an organisation comply with GDPR by providing access to the data and helping implement business rules, Snyder says, adding: “A good TMS will make the task of accessing the customer data to action the data privacy rules that GDPR has set forth (e.g., removing or obfuscating personal data upon request) easier without relying on upstream systems.”
Organisations don’t specifically need treasury management software to comply with GDPR. But “if the TMS does not allow an organisation to be compliant with GDPR, that system needs to be either updated or replaced”.
While the right technology has the potential to help organisations comply with GDPR, good data management will require efforts from throughout the organisation.
Kuan Hon, a consultant lawyer for Pinsent Masons in London, wrote in Out-Law.com: “While it is important for organisations to be able to identify and map or track the personal data that they process at a more granular level, GDPR compliance is not just a technology issue.
“It will be essential to involve not just IT but also legal, risk and compliance functions, and compliance will involve people, policies and processes, not just technology.”
With all hands on deck, 12 months may indeed be enough time to prepare for GDPR. And with a greater understanding of the potential benefits compliance offers, perhaps organisations will be open to the change of mindset needed to realise these benefits. By next May, we’ll know.