How does GDPR Compliance Impact Today's Finance Teams?

GDPR is a strict EU data privacy law, with penalties, that requires compliance to protect personal data processed by companies in non-EU locations that do business with European Union Member States residents. Financial services companies, including financial institutions, and payment service providers (PSPs), must also comply with GDPR. GDPR is General Data Protection Regulation. 

The free movement of personal data is allowed within the EU, without restrictions imposed by the GDPR. For organizations in EU Member States in Europe, Regulation (EC) No 45/2001, an EU law, applies instead of GDPR. But the GDPR requires that other Union legal acts be consistent with GDPR on personal data protection within the EU. 

In GDPR Article 4 definitions, personal data is “any information relating to an identified or identifiable natural person,” referred to as a data subject. A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

According to the GDPR definition, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

For personal data with personally identifiable information to apply to GDPR, it meets the following test. The personal data is processed by a data controller or data processor either automatically or manually if part of a filing system. 

Data subjects, according to the General Data Protection Regulation (GDPR), are citizens or “habitual residents” of EU Member States (countries). 

The data controller needs to give their regulator, the supervisory authority, a personal data breach notification within 72 hours of becoming aware of the personal data breach (or the reason for a delayed notification). The data processor informs the data controller about breaches that it observes. Article 33 of the GDPR describes what to include in a personal data breach notification. 

If the sensitive data breach is “likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” If the data controller meets certain conditions described in Article 34 of the GDPR, then the data subject doesn’t need to be informed of the personal data breach.  

Regulatory penalties for non-compliance with GDPR include damages incurred by the data subject, supervisory authority’s administrative fines, and possibly reprimands. Legal obligations for non-compliance with the EU’s General Data Protection Regulation can be substantial amounts. 

Data subjects can seek compensation from the data controller(s) or data processor(s) if they incur material or non-material damages connected with GDPR. To be liable for damages, the data controllers or data processors must cause the event.

Supervisory authorities can impose penalties, including administrative fines for infringements of specific provisions of the GDPR privacy law and non-compliance with a supervisory authority’s order, according to Article 83. The administrative fines are “up to 20 million EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover [sales] of the preceding financial year, whichever is higher.” 

For minor infringements of GDPR or if it would result in a “disproportionate burden to a natural person,” a reprimand may be issued instead of an administrative fine. 

Enterprises engaged in economic commerce that do systematic and large-scale data processing need to appoint a data protection officer (DPO) to strategize and enforce the GDPR compliance. The requirement for a DPO  is not dependent on business size or employee headcount. 

In general, according to Recital 13, micro, small and medium-sized enterprises must still comply with the GDPR. But GDPR makes it easier for these SMEs to apply some GDPR requirements, including record-keeping. Regulators are “encouraged to take account of specific needs of micro, small and medium-sized enterprises in the application of this Regulation.”

The GDPR exempts or relaxes rules (applies “derogation”) for some micro, small, and medium-sized enterprises engaged in economic commerce. These SMEs have fewer than a stated number of employees combined with an “annual turnover” (sales) ceiling and/or an annual balance sheet total ceiling in euros. 

To gain compliance with the GDPR data protection law, businesses must have adequate systems to capture, track, manage, and secure the personal data of  EU citizens, inform them, and handle their requests for personal data captured by the system. The finance team should be aware that financial data includes identifiable personal data applicable to GDPR. 

Is it possible to track the time period for which the sensitive personal data is held to inform data subjects and comply with GDPR? Is the company’s data retention period adequate to fulfill future requests for protected personal data and in compliance with GDPR time limits?

The finance team is responsible for managing finance, financial implications, cash flow, and company-wide risk management. For finance, personal data can be included in customer data files handled by the accounting and CRM systems and in storing credit card details. 

Does a company policy exist regarding the handling and data security of personal data?

Does any personal data need encryption, anonymization, or pseudonymization to make sensitive data not personally identifiable?

Can customer data or other personal data be transferred at the data subject’s request to ensure that your business meets GDPR data portability and information security requirements?

Does your company know how to accept credit card payments over the phone correctly to comply with the GDPR and PCI-DSS requirements, not recording personal data and payment details? 

When considering how GDPR applies to your business, consider the  IAPP’s suggested risk mitigation strategy for complying with GDPR and protecting data subject rights and freedoms. The IAPP(International Association of Privacy Professionals) article includes locating and complying with any existing guidance on high-risk and large-scale data processing. 

When planning to undertake a new project putting data subjects personal data at high risk, the GDPR requires that entities conduct a Data Protection Impact Assessment (DPIA), for which a template prepared by the UK’s Information Commissioner’s Office is linked. (The UK is a former EU Member State).  

Finance should ensure that their entity collecting personal data from a data subject informs the data subject in clear and plain language on all of the points required by Article 13 of the GDPR. If the data controller decides to further process the personal data for another purpose later, the company needs to inform the data subject again before further data processing. 

A data controller or processor company’s requirement includes letting the data subject know they have the right to request having access to their personal data or have it transferred to a different data controller for data portability, request correction or erasure, object to processing now, or withdraw explicit consent later. The data subject must be informed they can make a complaint with a supervisory authority. 

Finance needs to ensure that their business has a data processing agreement (DPA) with all third-party data processors, as required by GDPR.