Dawn of the Data Controller: What Finance Needs To Know About GDPR
On May 25, 2018, a sweeping new privacy law will go into effect in Europe, carrying with it implications for companies around the world. The General Data Protection Regulation (GDPR) will require any company that collects personal information from consumers in the European Union to conform to a complex set of rules intended to protect that data. The law will apply not only to businesses located in the 27 EU member states, but to any company in the world that collects or processes data from European consumers. Violators will be subject to multi-million dollar fines, legal injunctions, and other sanctions.
For businesses that have never invested heavily in data security, the GDPR poses an expensive compliance challenge. It also portends a type of data regulation that will likely become commonplace in the near future. US-based finance professionals need to familiarize themselves with the law both to understand its impact on the bottom line and to begin imagining life under a strict regulatory regime for data.
What is the GDPR?
It’s a big, powerful law designed to help European consumers retain control of their personal data. Think Sarbanes-Oxley for data. We’ll get to what’s inside the law in a second, but the underlying philosophy is that personal information belongs to the consumer and should only be used under the purview of the consumer. Companies should only collect and hold the data they need, and must carefully protect whatever data they have.
For context, the GDPR continues a long tradition of European law taking data protection more seriously than we do in the US. In 1980, the Organization for Economic Co-operation and Development (OECD) published a resolution that established data privacy as a human right and recommended a set of principles for the processing of personal data. These guidelines were endorsed by both the US and Europe, but only the latter did much to enforce them.
In 1995 the EU passed Directive 95/46/EC, which required member states to create their own national laws to protect consumer data. Each government was permitted to interpret the directive differently, so the result was a tangle of different privacy laws across Europe. Notably, the directive’s rules did not necessarily apply to non-European entities.
To streamline Europe’s various privacy laws into one modern regulation, the EU voted in 2016 to replace all those national laws with the GDPR. The new law is stronger, and it addresses the export of data outside the continent. Now companies anywhere in the world can face sanctions if they don’t protect the data of EU citizens. The largest impact of the GDPR, in fact, will arguably be not on European companies, many of which already comply with their national regulations, but on companies outside the continent that have never contended with a data law so strict.
What are the rules of the GDPR?
Ever fill out a form online and wonder if they really need your Social Security number? Or how one site knows what you did on another site? Moments like these are what the law is designed to prevent.
The GDPR codifies many of the data privacy principles advised by the OECD almost forty years ago. Some of the noteworthy concepts include:
A broad definition of personal data.
“Personal data” pertains to any data that could identify an individual: photos, email addresses, social media posts, IP addresses, bank details, etc. It even includes data that could not by itself identify an individual. If a vendor has anonymous consumer information that a different vendor could link back to an individual, that counts as having personal data. Some data is deemed “high risk” and requires additional compliance.
Specification and limitation principles.
Personal data must only be collected for specific purposes, and consumers need to know what those purposes are. Collected data must be accurate, limited to the information that’s necessary, and not held for longer than necessary. If a company no longer has a specific use for data, it needs to erase the data. They call this “the right to be forgotten.”
Data controllers and processors.
The law defines the “data controller” as the entity that collects information directly from consumers and is responsible for ensuring its proper processing. The “data processor” is the entity that processes data on behalf of the controller. It is the data controller’s responsibility to ensure that any processor complies with regulations, but data processors can also be held liable for violations.
Processing has to be lawful.
Personal data may only be processed in one of six lawful circumstances, such as when processing is required for the performance of a contract, to protect the vital interests of the subject, to discharge an official duty, and so on. Companies can’t hang on to customer data interminably just to have it.
Consent really means consent.
One lawful basis for processing personal data—and probably the most common—is that the subject has consented to it for a specific purpose. In that case, consent applies only to that specific purpose. Crucially, the subject must also be able to withdraw consent as easily as they gave it. Finally, the stated purpose has to be intelligible; no more Terms of Service gibberish.
The establishment of various data protection authorities.
The GDPR requires each EU member state to set up a national data protection authority (DPA) and empowers those authorities to penalize offending companies. The penalties are tiered based on the infraction, but they are steep: up to €20 million or 4% of global revenue, whichever is higher.
At the organizational level, the law requires entities that encounter a large volume of sensitive data to appoint Data Protection Officers (DPOs). Microsoft estimates that 75,000 of these executives will be needed by the end of 2018 worldwide.
Data breaches must be reported quickly.
In the event of any data breach, even a small one, the data controller must report the breach to the DPA within 72 hours. Rules vary about whether consumers must be notified, but there has to be a remediation plan underway in all cases.
How much is all this going to cost?
According to PwC, 77% of US executives said that GDPR compliance will cost firms over $1 million. Two-thirds of firms plan to spend between $1 million and $10 million.
It’s an expensive regulation for sure, but the fines are more expensive. The Netherlands’ DPA plans to more than double the law’s recommended penalty, fining up to 10% of global revenues instead of 4%. Sanctions of this magnitude present a stark choice to multinational companies: either pay to comply or leave the European market. Indeed, some businesses are choosing the latter option. Per PwC, 32% of US execs plan to reduce their presence in Europe as a response to this regulation, and 26% plan to leave the EU entirely.
Your organization’s cost of compliance will depend on what kind of European data you collect, how much infrastructure you need to build out, how prepared you are to monitor your systems, and many other factors. Of course, if you don’t process or collect data from European consumers at all, you’re not affected. For now.
What should my finance team do?
Whether or not your company needs to comply with the GDPR immediately, you can be sure that US data regulations are on their way. When that time comes, there’s a good chance the finance team will take a leadership role.
Controlling personal data is as much about audit preparation as it is about IT. Data Protection Officers will be responsible for maintaining detailed records, establishing procedures to govern the flow of data, cooperating with supervisory authorities, and other responsibilities similar to those already undertaken by accounting & finance officers.
It makes sense for Finance to be heavily involved in data regulation planning given the team’s long-term shift towards data-focused performance management. GDPR-type compliance requires companies to comprehensively monitor their data in a single, fluid system. You’ll need to be able to inventory and classify data, and to understand where data is created, processed, managed, and stored. The project will involve IT, Legal, Security, and HR, but it could very well result in a team molded to the competencies of Finance.
The age of data law
Given that this massive, expensive law is coming into effect in Europe, it’s fair to ask if the data privacy movement is a good thing—if it will help consumers participate in the market and help businesses compete.
Here’s what’s for certain: we live in a world in which personal data has become currency. In the absence of regulation, that currency is as vulnerable as an unguarded wallet. The closer our data gets to our selves—the further we shift from addresses and bank numbers to biometric data—the harder it is to remediate the damage when personal data is used maliciously.
When Equifax announced that it had lost 140 million individuals’ personal data in September 2017, the blowback should have been monumental. It should have changed everything. A company whose government contract allowed it to determine the financial eligibility of every American citizen was exposed as having held—and lost—our most sensitive data behind worse-than-careless protections. In a sane world, the incident would have led to sweeping changes designed to rebuild trust in credit reporting agencies and wean us off of outdated practices. In our world, all we got were golden parachutes.
The reason for this lack of accountability is simple: the US legal framework for data protection is a patchwork of industry-specific laws and self-enforced directives that wholly fail to reflect the importance of personal information in the modern economy. As companies and governments prepare to navigate the uncharted waters of GDPR enforcement, it’s clear that sooner rather than later, the essential role of personal data is going to be reflected in the laws of every nation that wants to be part of the digital economy.