GDPR for Finance Departments
The chances are that you’re already preparing for the EU’s new General Data Protection Regulation (GDPR), as after May 25th 2018, regulators can impose hefty fines for noncompliance. And if you’re not, now is the time to start getting ready.
The GDPR seeks to protect the personally identifiable information of EU citizens – so if a company wants to sell to or interact with those citizens, the GDPR applies to it. The aim is to set a consistent standard for data protection, to protect EU citizens’ data privacy and to modernize the way businesses with customers in the EU approach data protection.
Responsibilities under GDPR range from specific technical instructions like ensuring that all subjects have given informed consent, and encrypting sensitive data on mobile devices and on the cloud, to more general principles like ensuring ‘privacy by design’, creating a ‘culture of accountability’ and ‘establishing clear policies and procedures’.
The key changes include:
- Penalties for noncompliance (which will become harsher than previous legislation)
- Geographical scope (which will become wider)
- Customer rights (which will become more robust)
- Privacy by design (in other words, data protection should be thoroughly embedded into business-as-usual practices)
GDPR will ultimately set stricter standards and impose more serious sanctions on organizations for noncompliance. Organizations will face fines of up to €20 million or 4% of their annual turnover (whichever is greater).
GDPR for finance departments
So what will GDPR mean for finance departments? Dealing with some of the most sensitive information an organization is likely to handle is a huge responsibility. If the department suffered a breach, it is possible that there would be enough information for a criminal to take over customers’ accounts, steal funds and potentially to commit identity fraud. Finance departments should be particularly vigilant in their approach to compliance.
Preparing for GDPR is a company-wide responsibility. The finance department shouldn’t be left to protect itself independently, and no area of the business should operate a siloed approach. If you’re not aware of your responsibilities, it’s time to change that.
For finance departments, the following specific responsibilities will come into play:
Organizations must keep a well-managed archive of invoices. Although this is a simple principle, paper records may be kept in different locations, and electronic records may be saved in various different places. Meanwhile, organizations will be required to make sure that archived records are unchanged and untampered, and that records are destroyed after a set retention period.
Organizations must provide customers or suppliers with records of their personal data on request. This must be provided quickly and presented in a format that the customer can read and reuse.
Organizations will be required to keep internal records of data processing, and record management systems must be able to extract raw data and provide a full audit history of the records kept.
On request, organizations must remove data held on a customer or supplier who withdraws consent for it to be kept. Ensuring every piece of relevant data is removed, and doing so in a way that doesn’t impact other records may be the key challenge here.
In the event of a breach…
Customers must be informed without undue delay once a breach has been identified. In order to ensure this happens, organizations must be prepared to identify breaches as soon as possible, to assess what data was taken, and to contact all affected customers or suppliers within 72 hours.
There are also some simple questions that you will need to be able to answer:
- Do you know what personal information you’re working with?
- Do you know where it is kept and how it’s managed?
- Do you know who is responsible for securing and managing the data?
At present, there may be complex answers to these, or no clear answer at all.
Crucially, you must work with your organization’s IT and compliance teams to ensure data is secured and that your department meets the criteria set out by GDPR. Open communication between departments is a cornerstone of the principles introduced by GDPR, and speaking up now may save your organization serious reputational damage and a large fine.
Keep things simple
Complying with GDPR will help ensure that finance and accounting departments are adhering to stringent data protection standards, and it may completely alter the way in which the finance department operates within an organization. The finance department is where high volumes of sensitive data will be handled, and consequently it will be the department most exposed to the largest fines. Even so, current processes may only require simple updates rather than a complete overhaul.
Reporting and notification systems must be implemented to report issues as soon as they arise. Security risks may be managed with automated systems and processes, which eliminate one of the most significant security risks out there – human error. Automating key processes such as invoicing and procure-to-pay will help to lighten the load, putting in place repeatable, automated systems with audit trails of processes that can help you remain compliant.