6 Reasons to Pay Attention to GDPR

Editor Coda
Feb 27, 2018

I recently sat down with Dan French, CEO at Consider Solutions, to understand a little more about GDPR and its impact on shared services. You can read the full interview below:

What is GDPR and how will it affect shared services?

GDPR is an EU regulation about personal data that comes into effect in May 2018. It’s worth noting here that it’s nothing fundamentally new and is merely an evolution of existing regulations. As a law it’s important, but it’s not a doomsday scenario for any well managed business. As always with a new regulatory shift, there are some scaremongering and panic-inducing marketing campaigns, from technology companies in particular. There really is nothing to panic about, but it’s worth noting its relevance to shared services. Shared services aggregate transactions and data for the organisation; that’s a major part of their strategy. With aggregated data comes a key responsibility for how we then manage it. But we knew that already!

With regard to ‘Doomsday Marketing’ campaigns, I always remember the claims when Sarbanes-Oxley (SOX) came into effect that ‘your CFO will go to jail if you fail your SOX testing’! Many people panicked, but the only CFOs that went to jail were those who were found guilty of fraud, not a failure to automate their SOX testing! So what I would say here is that it’s worth remembering the GDPR has teeth (potential fines for flouting the law), but don’t let this drive your thinking. You need a practical assessment and a practical action plan.

GDPR is a European Regulation, but will it have an impact on global businesses?

You do not have to operate in Europe to be affected by GDPR. The key criterion is that you have to have personal data on European citizens. Even when we look at Brexit, the UK is still part of the EU currently and therefore the same regulations apply, and the law will automatically move onto the UK Statute Book at the time of Brexit, so UK companies won’t be getting off easy.

If you process or store data to do with individuals who reside in Europe, then GDPR applies; it doesn’t matter where the business is. A good comparison is with the US Foreign Corrupt Practices Act (FCPA) or SOX, which both apply subject to specific criteria, regardless of location. GDPR is nothing unique when it comes to the location of the business; it’s to do with the scope of the business you run and the data you keep and/or process.

Will GDPR influence existing governance frameworks?

What GDPR brings is nothing fundamentally new, as it’s an evolution of existing rules. Any well managed business is already dealing with the issue. If you don’t have a data governance framework, then now is a good time to think about it and take action. Data is the important piece here, and data has always been an issue. You just need to think about how you manage it. If you have never had a case for action, you have one now!

Do you see IT playing a pivotal role in GDPR strategies?

I don’t see IT becoming more pivotal because of GDPR. GDPR is not about IT. It is about business processes and the business model you have, as well as the information you have about individuals. Delegating an information governance issue to IT can be dangerous, as it’s typically not their remit. It is a Global Process Owner (GPO) issue for sure! IT has a role in some of the detail once you have taken the important steps of assessment and building a plan. Once you have thought about the key components, then you can get IT involved. You need to remember that your GDPR response is not an IT strategy; it’s a business strategy.

Many organizations have appointed a Data Owner or Data Protection Officer. What are your views on how data within shared services should be and is being managed currently, and do you see them changing after May?

A Data Protection Officer (DPO) under GDPR is a must. Any organisation that manages or processes data needs a DPO unless they represent a very small organisation of under 250 FTE. In theory you should already have a DPO in place.

Data ownership is something different but is certainly interesting. We and sharedserviceslink look a lot at Global Process Owners (GPO), and there has been some debate around whether they should be owning master data. If you are an S2P GPO, by definition you own the data and processes about your vendors. Yet, whether you take the view about having a specific master data owner or believe (as I do) that relevant data comes under the governance of the GPO, you need to make a decision about who owns that data and what data should be stored and processed. It’s worth noting that GPOs or Master Data owners don’t have to sit in shared services, because shared services isn’t an island. The Shared Services organisation is a mechanism to manage certain processes more effectively. You just need to be clear and sure who owns the data.

If you could offer 3 pieces of advice to shared services organizations that are prepping for GDPR, what would they be?

1) If you haven’t audited or assessed your processes and data for GDPR, then do it now.

2) Do it yourself and don’t delegate to a third party. In this context, delegation can become abdication, and the results aren’t always positive. By appointing a senior leader internally to manage this project, you learn more about your own business and accountabilities, which is a major advantage.

3) Define an action plan on what needs to be improved or changed. The very simple thing is that for every individual you process or store data on, they have the right to:

  • Be informed about their data
  • Have access to their data
  • Rectify their data
  • Have their data erased
  • Object to what you are using their data for
  • Know about the movement of their data
  • Object to your storing of the data
  • Know about any automated profiling using their data

Under GDPR you need to be able to respond to all of the above. 

This is all common sense, but organisations need to understand what data they really need and what data they store and/or process. This is the challenge. But it’s not the end of the world! Just take action.

If you currently own a GDPR project and want to have your say, then start a discussion on socialspace; alternatively, you can email me at amy@sharedserviceslink.com