CFOs in the dark on data rules despite approving investments

Chief financial officers (CFOs) in Ireland are increasingly signing-off on major IT projects despite knowing little about data legislation that could have a massive impact on their organisation, according to new research.

The study finds that increasingly, Irish CFOs are more likely to be in control of large-scale IT investments than chief information officers (CIO). However, as many as two-thirds of the CFOs surveyed admitted to being completely in the dark about key regulations such as Privacy Shield.

The survey of 200 financial decision makers working in organisations with an average 800 employees was carried out by Amárach Research on behalf of BT Ireland.

It shows that 69 per cent of decision makers surveyed were unfamiliar with the Privacy Shield data transfer framework which was agreed between the EU and the US earlier this year. In addition, 63 per cent were unaware of the requirements or penalties associated with the EU's General Data Protection Regulation (GDPR), which is due to come into effect in May 2018.

In spite of a lack of awareness of key data protection agreements and legislation, 89 per cent of CFOs said they felt “extremely well informed or fairly well informed” when signing off major IT investments.

Just 28 per cent of CFOs who did know about GDPR believed it would have a significant impact. Similarly, just 32 per cent of those aware of the Privacy Shield expected it to make a major difference.

According to the study findings, 45 per cent of decision makers surveyed said they had more direct responsibility for data protection than they did three years ago, while half said managing regulatory compliance was becoming a bigger part of their job.

Although CFOs are increasingly in charge of signing off on major IT investments, 84 per cent of respondents said they believed that unsanctioned tech spend outside of the IT department, or “shadow IT”, was occurring within their organisation.

"While CFOs are taking a more proactive role in IT investment, it is clear that they are seriously unprepared when it comes to key data protection agreements and directives. The research also demonstrates the prevalence of shadow IT spend, which means crucial IT decisions are being made outside of the CIO's control, again running the risk of breaches, said Shay Walsh, managing director of BT Ireland.

“We are in an era of unprecedented data regulation and a divided organisation risks massive penalties and serious reputational damage by not understanding the implications. CFOs, in collaboration with their boardroom peers, need to understand the impact of their tech spend, and ensure they have clear procedures, policies and compliance in place, in preparation for the changes coming in May 2018,” he added.