Continuity risk to business from EU data protection laws
by Kylene Casanova
The EU General Data Protection Regulation has been adopted. Companies have two years to comply or face punitive fines and huge reputation risk, which treasury departments should take seriously.
Last week, the EU adopted new legislation on data protection – the General Data Protection Regulation (GDPR). It was passed on 14 April and, when it comes into force in two years, it will give individuals more control over their personal online data, including “the right to be forgotten online”.
However, companies face huge fines for breaching this law and some say the law represents a “huge threat to business continuity for all financial services organisations in the UK”.
How financial service organisations collect, use, transfer and store the personal data of millions of EU customers and clients is due to change under the GDPR. Non-compliant companies will face punitive fines of up to 4 per cent of global turnover or €20 million, whichever is greater, making data protection errors far more expensive for companies than before.
The GDPR will introduce the following data protection requirements for corporates:
- they will need to obtain consent for processing personal data and special data (such as financial information relating to EU citizens);
- they must retain records of the consent that state the duration of the consent's validity;
- communication with customers must be age appropriate;
- companies must keep track of personal data in auditable ways;
- customers and authorities must be notified of data breaches within 72 hours.
There is a two-year transition period for compliance with the GDPR but some of its requirements are likely to be incorporated in guidelines much sooner.
“Financial services firms will now face a raft of guidance from the Information Commissioner’s Office that will be in alignment with these new data protection principles and this will effectively introduce the GDPR ‘through the back door’ well before the deadline of the two-year transition has expired,” warns Ardi Kolah, co-programme director at Henley Business School.
Research also suggests that the GDPR could actually save businesses €2.3bn a year, but in November 2015 half of all companies had never heard of it.
CTMfile Take: Corporate treasury departments and CFOs shouldn't assume this is just an IT issue. It's a serious financial risk for companies, which needs to be understood and planned for. Companies now have two years to ensure their treatment of personal data meets the standards – or face damage to reputation and punitive fines.
