3 things finance professionals need to know about the GDPR

Are you part of an in-house finance team? Or do you work for a finance provider – an accountancy firm, perhaps, or a financial advisory company? Like professionals in any other sector, you are subject to the EU’s GDPR (General Data Protection Regulation) – but there are some nuances for the finance industry that you need to bear in mind.

Here are three things finance professionals need to think about in relation to the GDPR.

Document archiving

Archiving is, of course, a key concern for finance departments, which need to ensure they store invoices, receipts and other financial documents for a certain number of years in line with various laws and regulations. For some such documents, the GDPR places even stricter demands on these processes. Any document containing personal information – say, an email address, an IP address, a social media profile, an individual’s unique taxpayer reference – must be archived securely.

The consequences of poor data management are far-reaching. Earlier this year, NatWest and RBS were forced to issue new debit cards to customers after bank details of more than 40,000 people were stolen in a Ticketmaster phishing attack. This security breach had significant consequences for both the banks and the customers, many of whom went on to suffer further inconvenience as a knock-on effect of service disruption.

An open filing cabinet in a corner of the office will no longer cut it; these units need to be secured under lock and key. Archived documents may be held in one location or across multiple different sites – regardless, you must have a clear rationale and process in place explaining how these storage locations are secure, and how that security is maintained. GDPR compliance is not just about undertaking the right actions – it is also about being able to demonstrate those actions and the rationale behind them, through clearly defined and regularly reviewed and updated policies and processes.

Right of access

Customers, clients, suppliers, contractors and other individuals have the right to request copies of any document or information that is held on them. This is why it is so important for finance professionals to create clear and consistent processes for managing personal data. If you receive a DSAR (data subject access request), you need to be able to respond to it thoroughly and efficiently.

This right links to other rights, in particular the right to erasure (also called the ‘right to be forgotten’). Under some conditions, individuals can ask you to remove any and all data and documents held on them or about them (subject, of course, to the statutory financial rules and laws you need to follow). Once again, this is made much easier when you have a clear and consistent set of processes regarding how you manage said data. You also need an accessible privacy policy that states how long you will hold personal data before it is destroyed.

Incident response

Finance departments are among the most likely targets of cybercrime because the data they carry is so valuable. There is added pressure from the GDPR stipulation that data controllers must report any data breach or incident to the Data Protection Authority within 72 hours unless it is unlikely to present a risk to anyone’s rights and freedoms.

This means that all finance professionals need to have a comprehensive awareness of who the data controller is in relation to the data they process, and what signs of a data breach they need to look out for, so that they can play their part in this escalation process as necessary. More senior finance professionals might take on responsibility for contacting individuals outside the organisation in the event of a breach.

These are by no means the only areas of the GDPR that finance professionals need to be aware of, but by addressing them you are one step closer to better security, legal compliance and improved relations with your customers.

For more guidance on how your finance department or business can achieve, maintain and demonstrate GDPR compliance, get in touch with Vigilant Software today for a no-obligation demonstration of our single solution, CyberComply.

*** This is a Security Bloggers Network syndicated blog from Vigilant Software Blog authored by Nicholas King. Read the original post at: