When our CEO, Ed, wrote the first blog post in this series, he detailed the all-consuming nature of the upcoming General Data Protection Regulation. Since then, some time has passed and the hysteria surrounding that May deadline has heightened even further. After all, we’re now well into the final full quarter of preparation time before GDPR, and all it entails, is upon us.
And it’s true, there are several concerns tied into the regulation that are hard to ignore, no matter which company you work for or what department you’re based in.
As CensorNet’s CFO, there are many GDPR-related things that I’ve had to consider over the last few months.
Let’s start with the obvious… those dreaded fines. Of course, it’s part of my role to be aware of any possible financial risks to the organisation, especially when they carry a price tag which has the potential to exceed €20 million. It’s the stuff of nightmares for CFOs everywhere!
But, realistically and perhaps reassuringly, there is likely to be a bit of leeway come deadline day; 25th May 2018 isn’t a cut-off point, it’s the starting line, and those enforcing the regulation will recognise that.
So the fines themselves aren’t keeping me or my team up at night; GDPR is all about educating companies, not hanging them out to dry.
That said, the new regulation is not simply an inconvenience that we can sweep aside to be ignored or forgotten about. A common misconception when it comes to the preparation for and implementation of GDPR is that it is a matter to be delegated to the legal department, whilst the rest of the company forgets about it. That’s simply not the case. GDPR is something that needs to be treated as a priority by everyone. There are no exceptions.
Each department has a role to play, including finance…
Like the other departments within the company, in recent months, any policies and procedures we have been implementing internally have very much taken GDPR into account.
By its very nature, the majority of the data that we hold within the finance department is sensitive. When the new regulation comes into force, we need to be able to carry out audit trails to prove exactly what personal data we have, where we’re keeping it and whether we should have it at all. These trails will act as evidence of our cooperation and compliance.
So an extensive audit, analysing all our current data, is an essential part of our preparations at this stage and something that is already underway. This is not exclusive to the finance department; it’s a company-wide policy.
A dual task…
In the finance department we have two different types of personal data to consider within our preparations: the data belonging to our customers and the data belonging to our employees.
We’re responsible for dealing directly with our customers in terms of their financial data. But the way that companies can legally gather customer data is about to change.
During the last few months, consent and the way that companies are able to obtain it has become a bigger talking point than ever and, as such, one of our key focuses. This is because under the regulation, individuals will be able to elect their ‘right to be forgotten’.
It’s one of the biggest changes within the regulation, so we’ve been working hard to analyse and minimise our existing customer databases. All of our current data must have been obtained with the relevant consent, as outlined within the new regulation, and we need to ensure we have the procedures in place to accommodate any future issues that might arise.
As for employee data, my team is responsible for paying the company’s entire staff. We hold all sorts of sensitive information about every employee within the organisation, from bank details to sickness records. Like with our customer databases, we’re currently in the midst of an ongoing process to analyse and minimise any employee data.
One of our main focuses in this area has been to make sure that, as a department, we’re not holding onto any personal data that we don’t need to hold onto. For example, when it comes to ex-employees, we need to keep their payment records for as long as is required for tax purposes but then ensure that all of their data is deleted.
Given the volume of scaremongering occurring both in the media and in many sales pitches at the moment, it’s easy for GDPR to become quite an overwhelming topic of conversation. But it’s important to remember that everyone is in the same boat; all we can do is begin or continue to interpret the legislation as it stands to the best of our ability. That way we can make tweaks to our policies and procedures as and when further guidance is released.
In fact, in finance we’re choosing to view the upcoming regulation in a positive light. Lots of the things highlighted within it aren’t new; instead, they’re things that companies should be doing already. And the sections that are new simply go a bit further in terms of putting effective rules in place to protect personal data, which can’t be a bad thing. Rather than the never-ending headache often depicted in the media, we see GDPR preparation as an ongoing opportunity to better ourselves and our processes.
By Lisa Davis, Chief Financial Officer, CensorNet
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/