GDPR – is your treasury fit for the new General Data Protection Regulation?


The new EU General Data Protection Regulation has been in force since 25 May 2018. It affects not only large company groups, but also family firms and micro-companies. Various companies and associations have doubtless written to you already to inform you about different changes.

But why is this necessary? What changes will the new regulation bring about, what are the consequences for treasury and what should companies do now?

What is the GDPR?

The new General Data Protection Regulation (GDPR) is intended to standardise data protection within the EU and modernise it for the internet age. It replaces the EU directive from 1995 (Directive 95/46/EC) and deals mainly with protecting personal data when it is processed. According to Article 4 of the regulation, personal data means any information relating to an identifiable natural person. A person can be identifiable directly or indirectly through their name, (online) ID, number, location information and other specific characteristics. This includes a person's telephone number, credit card or personnel number, account number, a car registration, their appearance, their customer number, their address or even their IP address.

As companies such as Facebook and Google are increasingly privatising the processing of such data, and with the rise of cloud computing, an update of these security standards was overdue. At the same time, this update aims to create cross-border security for the exchange of personal data throughout the EU.

The GDPR contains 99 Articles and numerous Recitals that govern how companies, authorities and associations deal with personal data. It is based on principles stemming from the German Data Protection Act and the EU Charter of Fundamental Rights, among others.

The new regulation was adopted two years ago, though the provisions have applied only since 25 May 2018. The GDPR applies in all EU member states equally. If a company fails to observe the requirements, the company faces fines of up to EUR 20 million or 4% of its total revenue.

It is to be applauded that an EU-wide regulation has been created that is binding for all 28 member states. It should result in data protection being taken seriously and implemented uniformly in companies, organisations and associations. The new regulation also takes account of the new internet age, and will provide better protection, for example concerning EU citizens' personal data that is frequently published and visible on web platforms. Furthermore, the obligation to have a data protection officer in the company is certainly correct and necessary, although this will already have been established in most companies.

In practical terms, however, difficulties arise in that there is considerable leeway regarding actions and interpretation, and the regulation is often not specific enough. For example, Recital 10 states that member states can further detail and specify the regulation through so-called escape clauses in national regulations, thus aligning it with other laws. But how this will look in individual cases remains to be seen. 

Due to the complexity of the rules and the potential for different interpretations, it may be that ambiguities and disputes are ironed out only through amendments or court rulings. It can also be expected that companies will be inundated with information and deletion requests, which will have to be managed.

Given the complexity of the rules and the threat of penalties, we would like to look at what effects the new regulation will have on treasury specifically and what still might have to be reviewed or done.

What has changed for treasurers?

As well as the dramatically increased penalties, rising from EUR 300,000 as per Section 43 of the German Federal Data Protection Act [BDSG] to EUR 20 million or 4% of global revenue in the GDPR, companies will in future have to comply with considerably more extensive documentation and information obligations in relation to stored user data. This will be especially relevant if violations of data protection have to be reported within a set period. In this regard, Article 33 GDPR stipulates an obligation to report to regulatory authorities within 72 hours. Reporting of a violation must include the corresponding data of the data subject, the details of the violation and the consequences and intended measures to be taken. Those who cannot access clearly structured documentation will quickly come unstuck.

Specifically for treasurers, the new regulation will affect payment transactions, i.e. which personal customer and employee data can be stored, processed and communicated, and how this can be done. There must be satisfactory documentation of who can access payment transaction data and which authorised signatories are involved. In this context, a specific factor is salary payments (identification of salary and salary increases) to some employees of the company. Access to this should be governed by a higher security level (through specific encryption and only HR personnel having access to detailed information) than for supplier payments, for example.

In this regard, the GDPR makes it more difficult to evaluate data in terms of payment behaviour and big data analyses. Companies must inform customers that their data will be used for purposes of analysis (e.g. Google Analytics), and the data subject can refuse this. An internal creditworthiness ranking would also be affected by this, and requires customer approval. The obligations regarding providing information to the data subject are governed in Articles 13 and 14, the right to information in Article 15.

Moreover, Article 7 (2) states that the request for consent (Article 6 (1a)) must be in clear, plain language and clearly distinguishable from other matters. Depending on each matter, this should also be targeted and addressed individually to the respective data subject. Consent is always voluntary and may always be withdrawn.

A subsidiaries management system (acquisitions and mergers of companies) for larger companies also contains personal data, such as information on management and other legal representatives.

As most companies use business partners, providers, service offices or similar for payment transactions, payment factory or to operate their treasury management system, cooperation with other business partners is a key matter that is regulated by the GDPR.

According to Recital 22, any processing of personal data carried out by non-central locations (branches or subsidiaries) or 'processors' must be aligned with the GDPR, irrespective of whether this party is in the EU or not. What qualifies as a processor in this context? Processors are engaged by the companies responsible to process data qualifying for protection. In this regard, it is important for the processor to 'implement appropriate technical and organisational measures' so as to ensure data protection. Cooperation (subject-matter, duration, type, purpose, etc.) must be documented in a suitable contract. 

According to Article 30, controllers and processors – if the company employs more than 250 people – must also maintain a directory of processing activities that are performed for the controller. In addition to the respective controller's contact data, the directory must also contain data subjects, recipients and purpose of processing, and any transfer of personal data to third countries.

In Article 32, the regulation specifies the suitable measures to protect personal data. Specific mention is made of data encryption. Suitable encryption should already be standard nowadays, though the requirements have been tightened compared to earlier texts. Suitable encryption mechanisms increase the security of data protection, while proof of effective encryption impacts favourably on the amount of any penalties imposed by the supervisory authorities (according to Article 83 (2)). This means that the GDPR also addresses the increasing threat of cyber criminality.

What must be borne in mind? What are the next steps?

  • Transparency of all data processing operations

    First, the extent of compliance with the heightened information and reporting obligations must be assessed, along with how proof of compliance with the GDPR can be provided as regards accountability. Are all processes transparent, can the obligations be fulfilled on time and is there a central directory of all processing activities?

    In this regard, treasury is the process owner for its domain and must comply with documentation obligations and burden of proof. Processing of personal data and the related processes should therefore be comprehensively documented and quickly retrievable. This is to ensure both that information can be provided to the data subject and the supervisory authorities, and also that risks and consequences can be assessed. The outlay for this should not be underestimated, but it is a precondition of being able to have an overview, avoid violations and penalties and, not least, prevent attempts at fraud and abuse. Of course, the employees concerned should receive regular training on data protection and have clear instructions for their job.

  • Checking and concluding contracts to process orders

    In light of the changes and requirements described, companies should check their agreements with service providers and business partners. If there is no other legal basis to disclose personal data, it's worth considering drawing up a contract for processing with your business partners.

    If your treasury system has a cloud solution, you should be informed about the server operation (it may be outside of the EU) and the manner in which sensitive data is stored and transferred. It is advisable to also include the IT and legal departments to look through the contracts, to establish a dialogue with the business partners and make any necessary alterations to contracts. 

  • Review consent of customers

    It must be ensured that the current processes to obtain consent of the data subject satisfy the heightened requirements of the GDPR in terms of clear language, differentiation and right of revocation.

  • Review technical and organisational measures

    A further essential step is the technical implementation of the requirements. This means taking suitable technical and organisational measures to ensure data protection. This must take into account the state of the art, the implementation costs and also the probability of occurrence and the severity of the risks associated with processing (Article 25). Encryption and pseudonymisation are key factors in this context, as well as accessibility and storage periods. Furthermore, always bear in mind that data is required to be deleted immediately as soon as it no longer serves its original purpose or if consent has been revoked. The right to be forgotten (Article 17 (2)) should also be mentioned, which states that all other controllers must be informed without undue delay about the erasure so that related links to this data or any copies can be deleted.

    If a processor is engaged, for example in the shape of business partners, providers, treasury management system providers etc., the controller (e.g. the treasury) is responsible for ensuring that the contracted party is able to observe data protection within the meaning of the GDPR to a satisfactory extent. This can be proven by a suitable certification process (e.g. ISO 27001), which the processor must complete (see also Recital 81).

    Some processing operations also require a data protection impact assessment (Article 35); this applies in every case if the processing is likely to result in a high risk to the rights and freedoms of natural persons. This concerns things such as scoring/profiling, automatic decisions that lead to legal consequences for the data subjects, systematic monitoring or even specific reporting through compilation and combination of data. In such cases, a data protection impact assessment should be carried out and regularly repeated.

Overall, it is clear that treasury must take care of implementation of the GDPR in its domain. The treasury is the process owner as regards the obligation for documentation, duty to supply information and to provide proof, but must also ensure that the technical measures are taken to ensure right of information, erasure or rectification of data and also to avoid risks associated with data protection.

Not least, suitable monitoring methods should be employed to ensure compliance with the regulations. 

Source: KPMG Corporate Treasury News, Edition 81, June 2018
Author: Tobias Riehle, Manager, Finance Advisory

© 2020 KPMG AG Wirtschaftsprüfungsgesellschaft, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved.
