Over the years, I have seen countless IT-related worries come and go. These included Y2K, the end of mainframes, and the death of green screens. All have been viewed by many as big problems, ones that require a ‘drop everything’ style focus, because of their potential impact on the business. Unfortunately, as many of these worries have come to pass, they haven’t been as problematic as expected, which leads many to doubt the next ‘drop everything’ project when it arises. Many companies choose not to take the next event seriously, or worse yet, believe it’s just a way for consulting firms and hardware vendors to make more money. GDPR, the new General Data Protection Regulation, is here; it’s real, and it’s not going away. There will be a direct financial hit if your company does not take the steps necessary to address GDPR properly across your organization. With the May 28, 2018 deadline approaching, now is the time to start planning and take action; your bottom line depends on it.
Who is Affected?
Let’s break down what you and your company need to know, so you can begin planning and executing immediately. First, though GDPR is a European Union regulation, this is not only an EU issue. Many companies mistakenly believe GDPR applies only if your company is based in the EU. While it is true that the EU is driving the requirements for GDPR, if your company, regardless of location, does business or works with customers and individuals in the EU, you are impacted and fall under GDPR. Don’t assume your company is in the clear; check whether your company has customers with operations in the EU, because if you do, and your organization stores information about these customers, GDPR does apply to your company.
Are My Current Audits Enough?
Next, don’t assume that simply because your company is regularly audited or reviewed by regulators, your internal controls are adequate to meet the GDPR requirements. GDPR has specific guidelines and control expectations that need to be in place around data privacy. Your company is expected to have processes in place to address the GDPR requirements. This means you need to design a program to assess your company’s compliance in each of these areas, design controls to address where changes are needed, and then put processes and procedures in place to ensure each of the five areas of GDPR data privacy is part of your operations going forward. GDPR is not a “fix once and ignore” exercise. Ongoing monitoring of controls is important to avoid significant penalties.
What If I Don't Comply?
That brings me to the third point, the one that gets the attention of CXOs. If your company is not in compliance with GDPR, the EU can assess fines of up to €20 million or 4% of a company or group’s annual turnover. Those are big numbers no CFO wants to absorb or explain. For past ‘drop everything’ projects, like Y2K, the financial impact was only an estimate, and the sometimes outrageous projected costs often never materialized. With GDPR, the penalties for non-compliance are well known.
What Does It Mean to Comply?
Finally, there is one other extremely important point when it comes to planning and executing a program for GDPR around data privacy. GDPR is focused on specific information about individuals, EUII (end user identifiable information), and on how that information is securely maintained and controlled in your organization. The focus on controls that GDPR requires provides the perfect opportunity to review the controls around your financial system. When your CFO is telling their peers why GDPR is critical, they should also be confident in the controls currently in place to generate financial statements. Don’t miss this chance to sell the importance of internal controls across your company. The focus on GDPR can be used as a reminder of the importance of having strong internal controls in place, regardless of regulatory requirements. For companies that already emphasize strong internal controls, complying with GDPR is much easier. Many companies already stress the importance of internal controls, but GDPR provides an opportunity to make sure that point is driven home in your company.
The next blog will address the five areas around data privacy in GDPR and what your company needs to be doing. If your company has already started planning for GDPR, congratulations! If not, there is still time, but you need to move quickly. Move fast, like your bottom line depends on it, because it does!