Beyond Legal #31: The finance controller who couldn't speak numbers

She couldn’t speak numbers. So the board didn’t listen. — Sue W., Finance Controller

In my experience, data protection programmes fail at the board level more often than they fail in the systems. The legal framework is understood. The technical controls are in place. The record of processing activities (RoPA) is maintained. But when the Data Protection Leader stands in front of the board and cannot articulate risk in the terms the board uses to think about every other kind of risk — financial exposure, operational liability, reputational cost — the programme looks trivial to the board. And programmes that look trivial struggle to justify investment. They also do not protect the company when something goes wrong.

Sue’s story

Sue is a finance controller at a professional services company with operations across seven EU member states. She manages financial reporting, budgeting, and internal controls. She sits on the risk committee. She understands how the board quantifies exposure and makes resource allocation decisions, because she speaks the language those decisions are made in.

She had never been asked to contribute to the data protection programme.

The Data Protection Leader — let’s call her Saoirse — had been in post for two years and had built something genuinely solid: a functioning RoPA, a DPIA process that was actually being used, a training programme with measurable completion rates, and a clear accountability framework across the company’s processing activities. By any data protection measure, the programme was in good shape.

The problem emerged at the annual board risk review. Saoirse presented the programme’s status in data protection terms — number of processing activities documented, DPIA completion rate, training coverage, incidents logged and resolved. The board heard a compliance update. They did not hear a risk position. When the CFO asked what the financial exposure from a regulatory investigation would look like in a worst-case scenario, and how the current programme investment compared to that exposure, Saoirse did not have an answer prepared in those terms.

The board passed over the programme for additional investment. Saoirse was not promoted. The risk committee noted that data protection had not demonstrated strategic financial value.

Sue had been in the room. She had not been asked to help.

Why does a Data Protection Leader need to speak to the board in financial terms?

The accountability principle under Article 5(2) of the GDPR requires controllers to be able to demonstrate compliance — not just implement it. For a board, demonstrating compliance means translating the programme into terms the board uses: quantified exposure, probability-weighted risk, investment return, and benchmarked liability. Under Article 83, fines for serious violations can reach €20 million or four percent of global annual turnover, whichever is higher. That is a financial number the board understands immediately. The cost of a breach — notification obligations, Supervisory Authority investigation, reputational damage, data subject compensation claims — can be modelled and expressed alongside the programme cost. A Data Protection Leader who presents compliance statistics to a board that thinks in financial terms is not communicating. A finance controller who understands the regulatory liability framework is the bridge between those two languages.

Keeping an eye on enforcement decisions is useful in this context. In October 2024, the Irish Data Protection Commission fined LinkedIn €310 million after finding that the company had processed user data for behavioural analysis and targeted advertising in violation of the GDPR’s lawfulness, fairness and transparency requirements. Even acknowledging that the lawful basis for behavioural advertising has been genuinely contested across the industry, these are failures that a well-funded, board-supported data protection programme would have had a meaningful chance of identifying and challenging earlier. In January 2022, the Hellenic Data Protection Authority fined Cosmote and its parent OTE a combined €9.25 million following a 2020 cyberattack that exposed customer data, finding violations that spanned lawful basis, transparency, data protection impact assessment and security obligations: failures of governance as much as of technical control. In both cases, the financial consequences of the compliance failure substantially exceeded the cost of the controls that would have prevented it. That is a calculation a finance controller can make.

What does the GDPR accountability principle require at board level?

Under Article 5(2) of the GDPR, the controller is responsible for, and must be able to demonstrate, compliance with the data protection principles. For a board-level audience, demonstrating compliance means more than presenting programme metrics. It means expressing the programme’s purpose and value in the terms the board uses to govern every other material risk: financial exposure, probability of harm, cost of controls relative to cost of failure, and trajectory of risk over time. A Data Protection Leader who cannot make that case is not failing at data protection. They are failing at governance. And a finance controller who has never been asked to help them make it is a resource the organisation is not using.

The challenge for today: Book half an hour with your finance controller or CFO (if you have direct contact). Ask them to help you express your programme’s risk reduction in financial terms — what is the worst-case regulatory exposure under Article 83, what are the estimated breach costs, and how does the current programme investment compare? If you cannot answer those questions in the language the board speaks, you are not yet making the case that the programme deserves.

For more on how accountability plays out across functions, see Beyond Legal #24 on third-party risk governance, and Beyond Legal #29 on the gap between legal advice and operational implementation.


Article references: Article 5(1)(a) (lawfulness, fairness, transparency), Article 5(2) (accountability), Article 6 (lawful basis), Article 32 (security of processing), Article 35 (data protection impact assessment), Article 83 (administrative fines), Article 83(5) (upper tier fines up to 4% of global turnover).

Series: This is post 11 in the ‘GDPR at 10’ series — 20 roles, 20 days, real consequences. Sue, Saoirse and the story are fictitious; the two cases are real.

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.

Author
Tim Clements
