The biggest shake-up in data privacy regulation is upon us with the General Data Protection Regulation (GDPR) going live on 25th May this year. GDPR sets a new bar for global data protection rules by governing the way organisations collect, use and store personal data concerning EU citizens. At its core is the focus on unambiguous consent of the individual for their data to be held in some instances, and the granting of new rights to secure their protection. The objective is to better protect EU citizens from privacy and data breaches.
Some of the headline changes brought in by GDPR include:
Individuals will be given greater controls over their personal data.
The right to be forgotten is a central focus of the individual’s rights.
Organisations will be required to share information on their data processes in a clearer way.
Transfer of personal data between service providers will be easier for individuals.
Serious data breaches must be reported to authorities within 72 hours.
All companies regardless of location (even cloud-based) must adhere to the same rules when using EU residents’ data.
SMEs and larger firms will have to appoint a data protection officer: some smaller businesses will be exempt.
GDPR will have a significant impact on every business around the world holding data on EU residents and will have a bearing on how corporate treasury operates. “Treasuries hold a considerable amount of information related to the transactions they are involved in,” explains Nadya Hijazi, Global Head of Digital, Global Liquidity and Cash Management at HSBC. “At the minimum, this will include names, addresses, and bank details of the various parties involved in the transaction, alongside key information on their own organisation including in some cases employee data. As a result, treasury will be clear on their obligations under GDPR and what they need to do to ensure that they will meet these.”
To do this, Hijazi says that treasurers need to understand the flow of their data, as various systems hold and manage it in different ways as it moves through their networks. Doing so will require them to work with a number of parties including IT system owners, IT security teams, and Data Protection Officers. Treasury must also ensure that data held offsite or with vendors is GDPR compliant.
The risk of not doing so is severe. Mark Reynolds, Associate General Counsel for Data Privacy at HSBC, explains that if a company falls foul of GDPR it could receive a €20m fine, or 4% of annual worldwide turnover, whichever is greater. “This is designed to capture board-level attention and ensure that businesses take GDPR seriously,” adds Reynolds.
Although GDPR is undoubtedly going to create a lot of work and risks for treasury teams, there are opportunities to be had. Hijazi notes that GDPR is providing treasury teams with a chance to cleanse, normalise and harmonise personal data sets within treasury. “It is also an opportunity to realign processes and systems,” she adds. “This will put treasury in a fantastic position to adopt technology more readily by future-proofing their treasury department.”