... for the new General Data Protection Regulation?
The new EU General Data Protection Regulation has been in force since 25 May 2018. It affects not only large company groups, but also family firms and micro-companies. Various companies and associations have doubtless written to you already to inform you about different changes.
But why is this necessary? What changes will the new regulation bring about, what are the consequences for treasury and what should companies do now?
The new General Data Protection Regulation (GDPR) is intended to standardise data protection within the EU and to modernise it for the internet age. It replaces the 1995 directive (Directive 95/46/EC) and deals mainly with protecting natural persons when their personal data is processed. According to Article 4(1) of the regulation, personal data means any information relating to an identified or identifiable natural person. A person can be identified directly or indirectly through a name, an (online) identifier, an identification number, location data or other specific characteristics. This includes a person's telephone number, credit card or personnel number, account number, car registration, appearance, customer number, postal address or even IP address.
As companies such as Facebook and Google concentrate the processing of such data in private hands, and with the rise of cloud computing, an update of these standards was overdue. At the same time, the update aims to create legal certainty for the cross-border exchange of personal data throughout the EU. The GDPR contains 99 Articles and 173 Recitals that govern how companies, authorities and associations handle personal data. Its principles draw on, among other sources, the German Federal Data Protection Act and the EU Charter of Fundamental Rights.
The regulation (not a directive: it applies directly, without national transposition) was adopted in April 2016, but its provisions have applied only since 25 May 2018. The GDPR applies equally in all EU member states. A company that fails to observe its requirements faces fines of up to EUR 20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)).
It is to be applauded that an EU-wide regulation has been created that is binding on all 28 member states. It should result in data protection being taken seriously and implemented uniformly in companies, organisations and associations. The new regulation also takes account of the internet age and will provide better protection, for example for EU citizens' personal data that is frequently published and visible on web platforms. Furthermore, the obligation to designate a data protection officer, under the conditions of Article 37 (and, in Germany, the additional thresholds of the Federal Data Protection Act), is certainly correct and necessary, although most companies will already have one.
In practical terms, however, difficulties arise because the regulation leaves considerable leeway for action and interpretation and is often not specific enough. For example, Recital 10 allows member states to further detail and specify the regulation in national law through so-called opening clauses (Öffnungsklauseln), thereby aligning it with other national legislation; in Germany this is done in the revised Federal Data Protection Act. How this will play out in individual cases remains to be seen.
Due to the complexity of the rules and the scope for differing interpretations, ambiguities and disputes may be ironed out only through amendments or court rulings. Companies can also expect to be inundated with access and erasure requests, which will have to be managed.
Given the complexity of the rules and the threat of penalties, we would like to look at what effects the new regulation will have on treasury specifically and what still might have to be reviewed or done.
As well as the dramatically increased penalties, rising from EUR 300,000 under Section 43 of the old German Federal Data Protection Act [BDSG] to EUR 20 million or 4% of global turnover under the GDPR, companies will in future have to comply with considerably more extensive documentation and information obligations in relation to stored personal data. This becomes acute when a personal data breach has to be reported within a set period: Article 33 GDPR requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the data subjects. The notification must describe the nature of the breach, including the categories and approximate number of data subjects and records concerned, the likely consequences and the measures taken or proposed; where the breach is likely to result in a high risk, Article 34 additionally requires the data subjects themselves to be informed. Those who cannot draw on clearly structured documentation will quickly come unstuck.
Specifically for treasurers, the new regulation affects payment transactions: which personal customer and employee data may be stored, processed and communicated, and how. There must be adequate documentation of who can access payment transaction data and which authorised signatories are involved. A particular case is salary payments, which reveal an employee's salary and any increases. Access to these should be governed by a higher security level than, say, supplier payments: the data should be encrypted or held in a separate store, and detailed information restricted to HR personnel, with treasury seeing only what it needs to execute the payment run.
In this regard, the GDPR makes it harder to evaluate data on payment behaviour and to run big data analyses. Companies must inform customers that their data will be used for analysis (e.g. Google Analytics), and the data subject may object. An internal creditworthiness ranking is also affected: it needs a lawful basis under Article 6 (consent, or another ground such as legitimate interest), and where it amounts to profiling with legal or similarly significant effects for the person, Article 22 on automated individual decision-making applies. The obligations to provide information to the data subject are governed by Articles 13 and 14, the right of access by Article 15.
Moreover, Article 7(2) states that a request for consent (consent being one lawful basis under Article 6(1)(a)) must be in clear and plain language and clearly distinguishable from other matters. Depending on the matter, it should also be targeted and addressed individually to the respective data subject. Consent is always voluntary and may be withdrawn at any time (Article 7(3)).
A subsidiaries management system (used for acquisitions and mergers) in larger groups also contains personal data, such as details of managing directors and other legal representatives.
As most companies rely on business partners, providers, service centres or similar for payment transactions, a payment factory or the operation of their treasury management system, cooperation with such partners is a key matter regulated by the GDPR.
According to Recital 22, any processing of personal data in the context of the activities of an establishment in the EU, whether by a branch, a subsidiary or a 'processor', must comply with the GDPR, irrespective of whether the processing itself takes place in the EU. What qualifies as a processor? A processor (Article 4(8)) is engaged by the controller to process personal data on its behalf. Article 28 requires the controller to use only processors that 'implement appropriate technical and organisational measures' to protect the data, and the cooperation (subject matter, duration, nature, purpose, categories of data, rights and obligations) must be laid down in a contract or other legal act (Article 28(3)).
According to Article 30, controllers and processors must also maintain a record of processing activities. Companies with fewer than 250 employees are exempt only if their processing is occasional, is unlikely to result in a risk to data subjects and does not include special categories of data or data on criminal convictions (Article 30(5)); regular payroll and payment processing is not occasional, so in practice the record is needed regardless of size. Besides the controller's contact details, the record must state the purposes of processing, the categories of data subjects and personal data, the recipients, any transfers of personal data to third countries and, where possible, the envisaged retention periods and a general description of the security measures.
Article 32 specifies the measures suitable for protecting personal data, and Article 32(1)(a) expressly names pseudonymisation and encryption. Suitable encryption should already be standard nowadays, although the requirements have been tightened compared with earlier texts. It pays off twice: effective encryption limits the harm of a breach, and demonstrable technical and organisational measures are a factor the supervisory authority must weigh when setting a fine (Article 83(2)(d)); in addition, under Article 34(3)(a) the data subjects need not be notified of a breach if the affected data were rendered unintelligible to unauthorised persons, for example by encryption, provided the key itself was not compromised. This means that the GDPR also addresses the growing threat of cyber crime.
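Article 32(1)(a) names pseudonymisation alongside encryption, and the two treasury cases discussed above (restricting detailed salary data to HR, and running payment-behaviour analyses on customer or employee data) are exactly where it helps. The following Python script is an added example, not part of the original article or of any KPMG tool: it splits a constructed salary-payment export into a pseudonymised view that treasury or an analytics job can aggregate, and a lookup table that stays with HR. The file contents, the key constant and all function names are assumptions made for the example; in production the key would live in a secrets manager readable only on the HR side.

```python
"""Added example: pseudonymising a salary-payment extract before it leaves HR.

Treasury and any analytics job work on a file in which the employee is only a
keyed pseudonym; the table linking pseudonym to person stays with HR under the
higher protection level. All data here is constructed for illustration.
"""
import csv
import hashlib
import hmac
import io

# Constructed payroll export; names, IBANs and amounts are invented.
SAMPLE_PAYMENTS = """\
employee_id,name,iban,amount
1001,Anna Muster,DE89370400440532013000,4200.00
1002,Ben Beispiel,DE02120300000000202051,3900.00
1001,Anna Muster,DE89370400440532013000,450.00
"""

# Stand-in for the example only. In production the key comes from a secrets
# manager and is readable only by the HR side.
HR_PSEUDONYM_KEY = b"constructed-example-key-do-not-use"

DIRECT_IDENTIFIERS = ("employee_id", "name", "iban")


def pseudonym(key: bytes, employee_id: str) -> str:
    """Keyed HMAC-SHA256 of the employee ID, truncated to 16 hex characters.

    A plain SHA-256 would not do: personnel numbers are short and guessable,
    so anyone holding the pseudonymised file could hash every plausible ID
    and re-identify the rows. With the key kept in HR, the file is
    pseudonymous for treasury and for the analytics team.
    """
    mac = hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def split_payroll(csv_text: str, key: bytes):
    """Split a payroll export into (analysis_rows, hr_lookup).

    analysis_rows carry only the pseudonym and the amount; hr_lookup maps the
    pseudonym back to the direct identifiers and stays on the HR side.
    """
    analysis_rows = []
    hr_lookup = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        p = pseudonym(key, row["employee_id"])
        hr_lookup[p] = {k: row[k] for k in DIRECT_IDENTIFIERS}
        analysis_rows.append({"subject": p, "amount": float(row["amount"])})
    return analysis_rows, hr_lookup


def total_by_subject(analysis_rows):
    """The kind of aggregation treasury or analytics can run on pseudonymised data."""
    totals = {}
    for r in analysis_rows:
        totals[r["subject"]] = round(totals.get(r["subject"], 0.0) + r["amount"], 2)
    return totals


def leaks_direct_identifier(analysis_rows, csv_text: str) -> bool:
    """Check that no ID, name or IBAN from the source survives in the analysis view."""
    source = list(csv.DictReader(io.StringIO(csv_text)))
    identifiers = {row[k] for row in source for k in DIRECT_IDENTIFIERS}
    return any(str(v) in identifiers for r in analysis_rows for v in r.values())


def reidentify(hr_lookup, pseudonym_value: str):
    """HR-side reversal, e.g. to answer an Article 15 access request; None if unknown."""
    return hr_lookup.get(pseudonym_value)


def erase_subject(analysis_rows, hr_lookup, key: bytes, employee_id: str):
    """Article 17 erasure: drop the person's rows and the lookup entry.

    Removing only the lookup entry is not enough, because whoever holds the
    key and the personnel number can simply recompute the pseudonym.
    """
    p = pseudonym(key, employee_id)
    hr_lookup.pop(p, None)
    return [r for r in analysis_rows if r["subject"] != p], hr_lookup


if __name__ == "__main__":
    rows, lookup = split_payroll(SAMPLE_PAYMENTS, HR_PSEUDONYM_KEY)
    print(total_by_subject(rows))
    print("direct identifiers leaked:", leaks_direct_identifier(rows, SAMPLE_PAYMENTS))
```

The design point is the separation: the analysis view can be handed to treasury or to a payment-behaviour analysis without a data subject being directly identifiable from it, while the key and the lookup table remain under the stricter HR access level. Pseudonymised data is still personal data under Article 4(5), so the lawful basis, the information duties and the erasure right continue to apply to it; the example therefore removes both the lookup entry and the pseudonymised rows on erasure.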
Overall, it is clear that treasury must take charge of implementing the GDPR in its own domain. Treasury is the process owner for the documentation, information and evidence obligations, but it must also ensure that the technical measures are in place to honour the rights of access, erasure and rectification and to avoid data protection risks.
Not least, suitable monitoring should be in place to verify ongoing compliance with the regulation.
Source: KPMG Corporate Treasury News, Edition 81, June 2018
Author: Tobias Riehle, Manager, Finance Advisory, firstname.lastname@example.org
© 2019 KPMG AG Wirtschaftsprüfungsgesellschaft, a member of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss legal entity. All rights reserved.