Update Data Protection No. 45
GDPR non-compliance may adversely affect the outcome of the annual financial statement audit
When auditing annual financial statements, auditors are required to draw attention to risks that potentially threaten the company. Such risks can result for example from failure to implement the EU General Data Protection Regulation (GDPR) that has been in force since May 25, 2018. Given the substantial fines envisaged in the GDPR, these risks can result in high provisions, in the worst case in refusal on the part of the auditor to issue an unqualified audit opinion. If they have not already done so, CEOs and Board Members should therefore take measures to implement the requirements of the GDPR in their company, in order to ensure that the company is GDPR-compliant at the latest by the date of the audit of the annual financial statements.
When auditing the annual financial statements of a company, auditors are required, among other things, to assess whether the annual financial statements of a corporation comply with the statutory regulations, and whether the management report illustrates the opportunities and risks of the company's future development.
The management report shall set out whether and to what extent the company has recognized endangering developments. Among other things, such risks can result from failure to implement the requirements of the GDPR in the company.
Compared to the legal position applicable up until May 25, 2018, the GDPR imposes numerous new or additional requirements on companies, for example the creation and maintaining of a record of processing activities, the conducting of data protection impact assessments, as well as extensive obligations of the company with respect to data subjects whose personal data are processed by the company.
Failure to comply with such requirements can have far-reaching negative consequences for companies, such as the restriction or prohibition of data processing. Furthermore, violations of the GDPR can result in fines of up to 10,000,000 EUR or 2% of annual sales - in the event of serious violations of data protection up to 20,000,000 EUR or 4% of annual sales. Such risks are by no means merely theoretical risks; rather, there is much to suggest that the supervisory authorities across Europe will make use of the sanctions provided for in the GDPR. Waiving this would "deprive data protection law of the powers it has just been given," was how Marit Hansen, Data Protection Commissioner for Schleswig-Holstein, summarized the situation in an interview in May 2018.
By its own accounts, the Bavarian Data Protection Authority began checking companies in terms of compliance with data protection requirements in September 2018. Supervisory authorities in other EU member states have already imposed fines in the mid six-figure range (EUR) for relatively minor violations.
When auditing the annual financial statements, an auditor is required to analyze, among other things, whether the company has taken suitable and effective measures to implement the requirements of the EU General Data Protection Regulation.
In case the auditor ascertains that data protection requirements have not been complied with, he must assess whether the matter constitutes serious violations of the law and/or significant weaknesses of the internal control system. In such case, he is required to report on the result of his audit within the framework of a final audit opinion, and to decide whether an unqualified audit opinion can ultimately be issued, or whether this will even be refused completely.
In addition, the company can be obliged to recognize provisions, for example for the costs to be incurred by the company for implementation of the requirements of the GDPR, as well as for possible fines.
If they have not already done so, CEOs and Board Members should therefore take immediate measures to implement the requirements of the GDPR in their company, in order to avoid negative consequences during the audit of the annual financial statements. Considering the drastic sanctions imposed by the GDPR, it is indispensable for data protection to become a firm constituent of the company's risk management system, and therefore to be reflected in the annual financial statements and the management report.