“What you can prevent is them taking and exfilling [extracting] that data and information out.” A sophisticated hack can be catastrophic for a company. If it is executed with skill and precision, companies can lose sensitive product information to corporate espionage, reams of consumer information to malicious hacking syndicates and potentially a significant chunk of its share price once the world finds out – and find out it will.
For tax departments, data loss is particularly dangerous. Company data includes tax information that need only be disclosed to tax authorities, and companies do not want this commercially sensitive information stolen and made public. The tax world has recently seen the leakage of confidential documents, first in Hong Kong and then in Luxembourg. Both leaks triggered extensive press coverage, much of it negative for the companies involved.
Guarding personal data
As if the threat of data loss were not enough, companies operating in the European Union (EU) will soon have to contend with harmonized legislation designed to protect consumers from having their data lost, stolen or exploited.
“Personal data protection, as of today, is not a priority in practice,” says Fabrice Naftalski, an EY Practice Group Leader – IP/IT Data privacy. “Confidentiality is a priority because companies want to protect their know-how, their strategic information, their financial information – but they are not very interested in the protection of personal data. That’s something that needs to be improved in the management of transactions.”
The EU’s data protection regulation (the Regulation) asks much more of companies when it comes to data privacy and security, making them more accountable in their role as data custodians.
“It’s not accountability as in the US, [where] very often when you speak from accountability you refer to self-regulation,” says Naftalski. “Under the EU Regulation, companies will have to implement specific procedures, specific tools, as provided by the regulations. There will be less flexibility.”
The Regulation was first presented in January 2012 by the European Commission and is expected to be voted on by the EU Parliament in late 2015 or early 2016. A two-year transition period will follow, giving companies time to prepare to be compliant. Impact assessments will be required for sensitive data processing.
Two years is not a long time to overhaul IT systems designed to store data rather than delete or obscure it, and the stakes are high: the penalties proposed in draft versions of the Regulation would impose fines of €1 million (US$1.13 million) or 5% of a company's global turnover, groupwide, should a company fail to adequately protect customer data. Customer information will have to be deleted after a certain period, and it may become compulsory for every company to appoint someone to take responsibility for data protection.
The easiest way to protect consumer data is to delete it as soon as it is no longer required. “German law says that if you don’t need data anymore, then you must delete it, and if you must retain it, then you limit the access,” says Peter Katko of EY.
“For instance, you may buy what could be considered ‘embarrassing items’ online. Then you pay, and then warranty periods expire, so there is no more need for the online retailers to actually keep this data.”
This presents a particular challenge for tax departments, however: many jurisdictions require companies to retain data for 10 years or more.
“Maybe you returned the items and the retailer deducted the loss in the books because they had to unwind the purchase contract, and then after eight years the tax authority questions this,” hypothesizes Katko. “You must prove this scenario, and therefore you have the retention.”