INT_COM_RD_1

This article was first published in the July 2018 International edition of Accounting and Business magazine.

The European Union’s General Data Protection Regulation (GDPR) came into force this May, affecting all companies doing business in the EU or processing personal data associated with EU residents, regardless of where they are physically located.  

This has had many a North American company scrambling to comply. GDPR has meant chaos on several fronts, but while many see it as a tech problem, in my view the finance function has a vested interest in ensuring compliance.

There is much at stake. For a start, the penalties for non-compliance can be as high as 4% of global revenue or €20m, whichever is greater.

As to the immediate impact on revenues, several US newspapers have closed their web access to EU residents. They were simply not ready for the new rules, despite a two-year heads-up. Indeed, according to some of the latest research, roughly half of US companies still won’t be GDPR-compliant by the end of the year.

Complaints have been filed against Facebook, Instagram, WhatsApp and Google by European consumer rights organisation Noyb, which is arguing they forced users to choose between agreeing new terms of service or having their accounts deactivated, in breach of the GDPR requirement that consent be freely given. Noyb is led by lawyer Max Schrems, who won the 2015 court ruling that the Safe Harbour EU/US data sharing agreement was invalid.

The introduction of GDPR has even stopped some internet gadgets in the EU from working. Companies have updated their terms of use, which need to be agreed before customers can continue to use smart doors, lights and various home appliances. Europe-based customers of Google-owned Nest, which sells internet-connected thermostats and security cameras, could not adjust their thermostats until they had agreed to its updated privacy policy.

For businesses, the problem is not just service disruption, but also the price tag. According to EY, the world’s 500 largest companies will be paying a total of US$7.8bn to revamp their systems, as well as hiring on average five full-time privacy employees.

For finance folks, this means a whole new headache and a lot more work – finance and accounting information can include personal data such as bank records and credit card information. Deloitte notes: ‘GDPR requires that organisations monitor the risks associated with sharing EU personal data, including mitigating those risks through contracts and security assessments.’ This is particularly daunting for SMEs, which don’t have the added resources to take on this task.

As Deloitte notes: ‘Large organisations can have hundreds if not thousands of third parties with which they share EU personal data. Remediating all identified contracts or assessing all newly identified third parties can be a significant effort in terms of time, resources and costs.’

Given the potential cost and risk impact on the business, the finance function clearly has the central role in getting the job done.

Ramona Dzinkowski, Canadian economist and president of RND Research Group