- Reducing data stores greatly reduces the risk of exposing sensitive information.
- Finance leaders should know what personal information they need to run the business, what they have and where it’s stored – then delete the rest.
- If you are part of a global business, you need to understand the legal obligations to protect private data in every relevant jurisdiction.
Data analytics and artificial intelligence (AI) save organisations a great deal of time and money. But when these technologies are powered by personal information, data can quickly move from being an asset to a risk.
In today’s data-driven world, privacy law should be on the agenda for every finance professional. CFOs must understand the risks, as well as the opportunities, that digital transformation brings.
EY research on how finance leaders see the role of the CFO found that 57% of finance leaders believe risk management will be a critical capability in the future, while 71% believe stakeholder scrutiny and regulation are set to disrupt the CFO role.
If personal information isn’t treated appropriately, punishment from customers, regulators and the financial markets can be swift. Data breaches cost businesses billions in clean-up costs, security overhauls and legal fees – not to mention a devastating blow to brand reputation.
Data privacy breaches incur massive fines
Europe’s General Data Protection Regulation (GDPR) has been a game changer in the world of data and privacy – partly due to the staggering fines for organisations that fail to protect the data of their customers.
What CFO isn’t going to sit up and take notice when confronted with potential fines of up to €20 million (A$32 million) or 4% of global annual turnover – whichever is greater? Because the higher figure applies, if 4% of your global annual turnover comes to A$100 million, the maximum fine is A$100 million, not €20 million.
And that’s without factoring in the reputational damage fostered by media channels hungry for news of the latest privacy breach.
As CFOs increasingly become the public faces of company performance, they need to pay far closer attention to the legal, reputational and ethical consequences of their organisations’ actions.
Understand legal obligations
While GDPR may be considered the ‘gold standard’ for privacy right now, privacy laws differ in every country. If you are part of a global business, you need to understand the legal obligations and key risks in every relevant jurisdiction – including your own. Australian and New Zealand privacy laws also differ from each other, so don’t assume that what works in one country will stand in the other.
Marie Kondo your data
By reducing data stores to include only what is essential, you can greatly reduce your risk of exposing sensitive information. Call it the Marie Kondo approach to data. (Like the decluttering superstar, keep only what sparks joy.)
Finance leaders should know what personal information they need to run the business, what they have and where it’s stored – then delete the rest.
You can then identify your key risks by doing a gap assessment against the applicable laws. A risk-based approach to remediation will help minimise unnecessary spending.
Good privacy practices enhance trust
Privacy law is not about stopping the use of personal information – it’s about knowing how to use it in a responsible and trustworthy way.
A key tool for building customer and staff trust is to think about privacy risks upfront when you are evaluating new systems. This is known as “privacy by design”. If you can nail this, and complete privacy impact assessments on new deployments, you’ll be halfway there.
Ultimately, good privacy practices come from an organisation’s culture. Ensure there are clear policies and processes in place, training that works, and a culture where employees are encouraged to think about the implications of their actions, not just the process.
As UK Information Commissioner Elizabeth Denham said at an event in New Zealand in 2018: “Businesses that embrace a strong commitment to data protection will be the ones that flourish.”
Seven steps to comply with data laws
Organisations which do not comply with data protection laws in the EU and Australia can face tough penalties. Here’s a checklist to avoid falling foul of the new data rules.
How to comply with GDPR