Data Privacy, Data Security, and Your Business
Why should American business and finance leaders pay attention to European GDPR? Penalties and perceptions.
Digital Exclusive - 2019
During Facebook CEO Mark Zuckerberg’s testimony to Congress in April 2018, he brought the acronym “GDPR” into the broad public consciousness for the first time. GDPR is the European Union Council and Parliament’s General Data Protection Regulation. It replaces 1990s-era regulations with new rules for the cloud-computing age. GDPR has sharp teeth: penalties range up to four percent of a firm’s global revenue. Enforcement began May 25, 2018.
GDPR rules and penalties generally apply to European companies and global companies doing business in Europe. However, American business leaders should be paying close attention.
The Members of Congress who grilled Mark Zuckerberg didn’t capture all the technical nuances of data handling, but they clearly captured U.S. society’s increasing unease with a Wild West approach to handling private information. Citizens’ attitudes are changing. So is the business climate.
CFOs and other financial leaders must now focus on data privacy practices in addition to the broader category of data security. For years now, data security has increasingly become a domain for CFO leadership, often through direct oversight over information technology and therefore business processes. CFOs are well positioned to ensure their IT departments avoid paralysis due to fear of pulling back the curtain to find out just how bad the risks are. CFOs can also protect their companies from the “analysis paralysis” that can keep the fundamentals from getting addressed while more advanced solutions are under development.
More generally, CFOs are protectors of shareholder value. Cyber risks are among the most severe financial risks facing many companies now. Because CFOs are familiar with addressing business risks in an enterprise risk management (ERM) framework, they are prepared to recognize data privacy as fundamental business risk — and to act.
It’s possible we’ll see a GDPR-like regulatory framework emerge here in the U.S. In that case, U.S. companies will face a scramble to comply just as European and global companies faced ahead of the GDPR enforcement date. Better to get started now, wouldn’t you say?
Even if we don’t see a top-down regulatory solution in the U.S., GDPR offers important perspective for CFOs and other business and finance leaders addressing privacy and data risks. GDPR’s six guiding principles are simply good business practices:
1. Transparency, fairness, and lawfulness in the handling and use of personal data.
2. Limiting the processing of personal data to specified, explicit, and legitimate purposes.
3. Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
4. Ensuring the accuracy of personal data and enabling it to be erased or rectified.
5. Limiting the storage of personal data — ensuring that personal data is retained only as long as necessary to achieve the purposes for which the data was collected.
6. Ensuring security, integrity, and confidentiality of personal data.
Further, even if CFOs have determined their companies don’t collect personal information from EU citizens — and therefore aren’t affected directly by GDPR — they may nonetheless be indirectly affected by GDPR in the form of supply-chain certifications.
Our firm, for example, is a vendor-partner to Microsoft. As part of Microsoft’s intensive effort to certify its own compliance with GDPR regulations, we received a 76-question document requiring formal attestation regarding how we handle personal data. The questions are based on a new reporting guide from the American Institute of Certified Public Accountants (AICPA), which addresses cybersecurity in a supply-chain/vendor-risk management context.
Based on our experience supporting clients’ progress in data security, we are certain that most businesses in all industries will struggle when faced with supply-chain certifications as intensive as these — and they are likely to come, not just from tech companies but also from multi-nationals as a normal part of doing business.
The AICPA reporting guide, on which this specific supply chain certification was based, follows the publication of new AICPA reporting standards at the entity-level. In the U.S., the AICPA is leading the way toward a market-based approach to data privacy and security standards and reporting — not unlike U.S. GAAP for accounting — publishing standards for management attestation and CPA-conducted System and Organization Controls (SOC) examinations.
The supply-chain certification we mentioned is notable as a point of intersection between a European, top-down approach (GDPR) and an emerging American, market-based approach (AICPA reporting standards). Simply, business leaders need to expect more of these intersections. Whether the standards are driven by government or industry, they are intensifying.
Complacency may lead to fines or reputational damage or both. The potential for huge fines under GDPR has now been well-publicized. But even if the U.S. continues a more market-based approach — without government-levied fines for non-compliance — there’s the risk of reputational damage.
For example, under the AICPA approach, management teams would attest to cybersecurity and privacy practices. If they fail to maintain those standards, as evidenced by formal audits, shareholders might punish the company similarly to how companies are punished for accounting irregularities or earnings misses.
And, of course, there’s the example of Facebook to consider. The data-privacy scandal knocked billions off its market value.
For CFOs seeking a path forward on data privacy and security, one of the most practical frameworks comes from the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. The NIST Cybersecurity Framework (CSF) is not a technical standard but rather a holistic risk-management tool. Gartner Research and other observers have identified the CSF as the most mature framework. Its use is growing rapidly, with projected use by 50 percent of U.S. organizations by 2020.
The NIST CSF provides organizations with a useful tool to evaluate their maturity on a wide range of security and privacy topics. However, it doesn’t go as far as the European GDPR in addressing topics relevant for this age of cloud computing and devices that have turned non-tech companies into tech companies. Consider the personal data collected by a smart thermostat, for example. Competition is requiring companies both large and small, and both in the U.S. and throughout developed economies, to digitally transform their businesses. That means more data — much more — and more data vulnerabilities.
Future revisions of the NIST CSF may start to look more and more like GDPR. It could one day form the basis for a compulsory, regulatory-driven approach to privacy standards in the U.S. Or, perhaps a market-based standard such as the AICPA’s will come to the forefront. That’s not known. What is known is that public consciousness has changed. Data privacy is a business risk to embrace in a formal enterprise risk management framework.
Financial executives — CFOs through corporate leadership and CPAs through cybersecurity audits — are rightly leading the way.
James Savage is founder and president and Dan Weise, CPA is vice president-Finance at the Chicago-based Microsoft-focused technology consulting firm Concurrency.