Blog article
See all stories »

What do you need to know? EU data protection law for CFOs

New EU data protection laws are coming closer following the vote in the European Parliament. The impact of the likely changes will be greater legal restrictions on the control organisations have on their data, in terms of its location, security, anonymity and privacy.

For organisations working to manage the risk exposure of their digital data, this may bring certain issues to the fore. If your business IT applications or sensitive data make use of public or ‘hybrid’ cloud resources, drawing on resources not under your direct management, you’ll need to assess if and how you’re exposed, and whether or not you have the controls you need to achieve compliance with whatever the final law ends up looking like.

Here are six discussion points for CFOs and business leaders to consider about their Enterprise’s data:

1. What is your data?
Defining what your corporate data actually “is” can be more challenging than ever before. It is no longer defined by location, as data frequently leaves company premises on legitimate grounds. Even when still under your direct control, as cloud services become more pervasive, data is likely to be hosted off-site. It already often leaves the premises at the end of each day on employee laptops, tablets and smart phones, which in many cases no longer belong to the company given the increase in BYOD policies (bring-your-own-device).

As it becomes harder to protect all types of data, it becomes essential to classify company data and to decide what level of protection is appropriate to each type. Understanding that not all data is created equal and that some will be more sensitive or used more frequently is a requirement to make informed decisions about investments in internal IT infrastructure.

2. Where is your data?
Cloud services and cloud infrastructure may be on-premise, delivered from within an organisation’s real-estate, or off-premise, hosted in other locations on behalf of the company. In both cases the data may sit in one or many places, and it may move.

Location matters, particularly in the wake of the proposed legislation, therefore CXOs need to be clear on the legal implications of where data is stored, even if only fleetingly. Where data is stored may bring a company into another regulatory regime, for data privacy or financial regulation for example, or put it in breach of local laws.

3. How is data protected?
Protecting data stored on or accessed from tablets, smartphones and USB memory sticks, as well as via traditional computing devices, is a fast-shifting challenge. Protecting data here involves two things. First, ensuring it is secured against malicious attack and accidental loss and, second, delivering resilience and recovery in the event of an incident. In both cases there are contractual and regulatory implications which are set to tighten further with this legislation.

4. How is data stored?
The rise of compact, high capacity data storage devices and the growth of cloud storage services creates the risk of “guerrilla IT” – where employees circumvent technical restrictions either to drive productivity or to deliberately and maliciously gain access to data. This routinely results in confidential data moving beyond the corporate firewall, violating corporate governance as well as, potentially, regulation and local law. Educating employees on the personal and corporate risks that may flow from this is a key compliance obligation.

5. What about Big data?
Big data, from one perspective, involves the integration of multiple data sets to create new insights. These data sets may be innocuous separately – and properly created or obtained – but in combination they may allow “net-new” data to be developed which is unexpected and potentially sensitive. The legal position of this sort of activity is not always clear and CFOs need to keep an eye on how the proposed legislation addresses this, as big data will play an increasing role in how businesses strive for growth in future.

6. Are organisations equipped to meet e-disclosure requirements in all markets?
Cloud changes the context for e-disclosure; in other words the production of information to opposing counsel and a court over the course of a dispute. Discovery and disclosure laws currently vary across different countries, and the physical location of your data could have significant implications for the jurisdiction that your data may be discoverable in.


As technology continues to evolve and disrupt traditional ways of doing business, both EU legislation and country specific regulations will continue to evolve to keep pace and the CFO, alongside the C-Suite has a responsibility to ensure businesses have a holistic view of their exposure to different categories of risk.

The risk of exposing customer data unduly, and falling foul of these regulations, is not one any business will want to take.



Comments: (0)