GDPR is coming, but CFOs are blind to potential financial nightmare

17 Nov 2016

While most CFOs are oblivious to new EU data regulations with stiff financial penalties, they are worried about the threat of shadow IT spending by employees. Image: RawPixel/Shutterstock

As 30pc of CFOs have the final say on IT spend versus 26pc of CIOs, it is not very comforting to learn that two-thirds of the former are oblivious to the new EU GDPR data regulations, which come with hefty fines.

Despite digital transformation becoming a sexy management mantra, CIOs still don’t have full control of their financial destiny and the buck still stops with CFOs in most cases.

According to a BT Ireland survey by Amárach Research into large domestic and multinational organisations with an average of 800 employees, only a minority of CFOs in these organisations are aware of the upcoming EU regulations on data.

‘The question you have to ask is: are boardroom decision-makers aware of the penalties associated with a data breach?’

While 71pc of CFOs expect job changes due to technology, 63pc of them are surprisingly oblivious to the new General Data Protection Regulation (GDPR), an EU directive that comes into full force on 25 May 2018, 16 months from now.

GDPR has severe penalties for organisations that lose data – up to €20m, or 4pc of an organisation’s revenue.

For example, Tesco Bank in the UK suffered a data breach recently. Under the GDPR regulations which come into effect in 2018, Tesco would have been fined up to €1.8bn.

Similarly, 69pc of CFOs are also unfamiliar with the new Privacy Shield which overlooks data being shared between Europe and the US.

Shadow IT is rising

Some 34pc of CFOs say they spend significant sums on technology; including hardware, software, and services.

But ironically, they are not the only member to invest in IT, outside of the CIO.

Around 84pc of CFOs believe that unsanctioned tech spend outside of the IT department, or shadow IT, is occurring within their organisation.

This leaves companies open to considerable risk and data leakage; again, running the gauntlet of the new GDPR regulations.

When asked whether the issue of shadow IT needs to be addressed by the CIO, CFOs expressed uncertainty, with 42pc saying it did not need to be controlled.

However, this unauthorised and uncontrolled spend could potentially lead to an even greater data privacy risk for organisations.

BT Ireland managing director Shay Walsh commented: “With just over two-thirds of CFOs unfamiliar with the latest EU data protection regulation, the question you have to ask is: are boardroom decision-makers aware of the penalties associated with a data breach?”

“While CFOs are taking a more proactive role in IT investment, it is clear that they are seriously unprepared when it comes to key data protection agreements and directives.

“The research also demonstrates the prevalence of shadow IT spend, which means crucial IT decisions are being made outside of the CIO’s control, again running the risk of breaches.

“We are in an era of unprecedented data regulation, and a divided organisation risks massive penalties and serious reputational damage by not understanding the implications.

“CFOs, in collaboration with their boardroom peers, need to understand the impact of their tech spend, and ensure they have clear procedures, policies and compliance in place, in preparation for the changes coming in May 2018,” Walsh recommended.

GDPR is coming: But CFOs are blind to potential financial nightmare

Infographic: BT Ireland

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years