Many banks have been working hard to ensure they are in a position to comply with the General Data Protection Regulation (GDPR), a European-driven regulation with global reach. GDPR has a broad scope for protecting personal data, far-reaching consequences for extra-territoriality and the potential to hit firms with punitive fines for breaches – up to 4% of annual revenues.
The compliance deadline is also imminent – 25th May 2018.
The scope and geographical reach of personal data is one of the main ‘unknowns’ for firms based outside the European Union (EU) that may nevertheless be affected by this new regulation. The scope of GDPR is the personal data of EU nationals, wherever they or their data may be in the world, whether or not the data subject lives in the EU, and whether or not the firm operates in the EU! This applies to individuals who could be customers, partners, suppliers, intermediaries, members of staff or any other stakeholder (e.g. visitors or registered website users whose data is retained and processed for marketing).
How to be compliant
GDPR is specific in the requirements for collecting, storing, processing and retaining personal data:
These capabilities demonstrate a firm’s ability to support the rights of the individual. In addition, the regulation requires firms to rapidly notify any data breaches (e.g. data loss incidents) to the appropriate regulator.
Rights of individuals
Under GDPR, individuals have the following rights with respect to their personal data:
- to be informed
- to have access
- to ensure rectification
- to ensure erasure
- to restrict processing
- to data portability
- to object
- to understand and constrain automated decision making, including profiling
Accountability: The ability to demonstrate compliance
Not only must a firm be compliant, it must also be able to evidence its degree of compliance across the firm to auditors, whether through documentation, ownership and governance, controls or conformance. Only then is a firm able to demonstrate full compliance with the regulation.
Whilst the primary aim of the regulation is to put consumers and citizens first, the regulators have many remedies available to encourage compliance. For serious breaches in large firms, non-compliance could be expensive, since GDPR allows the regulators to fine organisations substantially for breaches. These fines could be up to €20 million, or 4% of the company’s global annual turnover from the previous financial year, whichever is higher. Even before GDPR, the UK Information Commissioner’s Office (ICO) fined TalkTalk (an ISP / media provider / telco) £400k in January 2018 for a major personal data breach (see ICO TalkTalk).
Awareness of GDPR and its worldwide implications is expected to be a significant challenge for non-EU-domiciled firms that may have EU citizens as clients or staff. Unfortunately, the level of awareness of the regulation, its requirements, and the complications it is likely to cause for current business processes appears to be very low outside the EU, even though many firms will fall within its remit.
There are also differences in intent between US and European legislation in this area. The EU focuses predominantly on the rights of individuals, whilst US regulations focus on the rights of companies to process and manipulate users’ personal data. ‘Safe Harbor’ has already been rendered obsolete, and working through the contradictory rules will be challenging.
Finally, the UK ICO has already agreed that GDPR will be applicable within the UK when it comes into force in May 2018, and that the rules and regulations around data privacy will be unchanged after Brexit, so all affected firms need to act now!
How GFT approaches the challenge of GDPR
The reach of GDPR is far and wide and will impact any business that interacts with EU nationals. The amount of work needed to achieve compliance varies depending on the type of organisation, its scale, and how it uses personal data. Enterprise-scale businesses are likely to already have mature programmes in place delivering GDPR compliance. For those who have not yet started, or need to ramp up their GDPR programme, we suggest the following approach:
- Defining and understanding personal data scope, and data discovery: what constitutes personal data and where is it located?
- Completing an impact assessment: assessing the current level of compliance, documentation & compliance processing and undertaking a gap analysis.
- Establishing good data governance: from the roles and responsibilities of business and technology people, to the introduction of tools and applications to manage the relevant aspects of good data protection, by design and default.
GDPR should provide the definitive impetus to address data management effectively, efficiently and sustainably. A holistic approach, backed by a strong commitment from the top management of the financial institution, is at the heart of a successful strategy for achieving a data governance model that provides a coherent view of personal data. Achieving GDPR compliance requires effective master data management (MDM), combined with a data quality and security model for controlling access and permissions, so that data is available only to those users who genuinely need the information, together with strong information and data security.
Achieving this will make it easier for banks not only to comply rigorously and sustainably with GDPR, but also to obtain greater utility from their data, thereby enabling improvements in efficiency and cost reduction across the firm; good data underpins good processing in the long term.
So if you are aware of GDPR but are not exactly clear what is meant by the terms Personal Data, Sensitive Data, Data Subject, Data Processor, Data Controller, Data Breach, Pseudonymisation or Purpose Limitation, or what your firm is supposed to be doing about them, I would suggest you find out, and fast. It is one thing to be aware of GDPR, but in our experience many firms are far from being really ready!
GFT’s experience across the financial services technology and data landscape is extensive, covering:
- Client onboarding and know your customer (KYC) processes
- Personal banking and capital markets
- Understanding compliance for regulations, including those involving personal data, e.g. MiFID II includes reporting of 15 items of personal data
- Processes, methods and technologies for Master Data Management (MDM) and good data governance – maintaining automated sourcing, lineage, accountability and ownership
GFT can help firms towards GDPR compliance, specifically through deep expertise in:
- Data Discovery and Data Mapping projects (what data do you have and where is it?)
- Data protection impact assessment projects (how compliant are you to GDPR requirements?)
- Data remediation – delivering projects that fix technology, data and business gaps and deliver compliance
- Support data protection by design – ensuring good data management is designed and implemented effectively, together with ongoing GDPR compliance