GDPR: 100 days and counting - are you really ready?

Many banks have been working hard to ensure they are in a position to comply with the General Data Protection Regulation (GDPR), a European driven regulation but with global reach. GDPR has a broad scope for protecting personal data, far reaching consequences for extra-territoriality and the potential to hit firms with punitive fines for breaches – up to 4% of annual revenues.  

The compliance deadline is also imminent - 25th May 2018. 

The scope and geographical reach of personal data is one of the main ‘unknowns’ for firms based outside of the European Union (EU) and which may be affected by this new regulation. The scope of GDPR is the personal data of EU nationals, wherever they or their data may be in the world, whether or not the data subject lives in the EU, and whether or not the firm operates in the EU! This applies to individuals who could be: customers, partners, suppliers, intermediaries, members of staff or any other stakeholder (e.g. visitors or registered website users whose data is retained and processed for marketing).

How to be compliant

GDPR is specific in the requirements for collecting, storing, processing and retaining personal data. Each of these topics necessitates certain chartecteristics where the data bust be:

• Lawfulness, fairness and transparency - processed lawfully, fairly and in a transparent manner (e.g. with specific opt in consent and other conditions)
•  Purpose limitation - collected for specified, explicit and legitimate purposes and not further processed. Further processing for archiving purposes in the public interest, scientific or historical research may require anonymisation / pseudonymisation
• Minimised - adequate, relevant and limited to what is necessary
• Accuracy - accurate and, where necessary, kept up-to-date, having regard to the purposes for which it is processed
• Storage limitation - kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
• Integrity and confidentiality - processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
• Accountability - managed responsibly by the Data Controller, who shall be responsible for and be able to demonstrate compliance

These capabilities demonstrate a firm’s ability to support the rights of the individual. In addition, the regulation requires firms to rapidly notify any data breaches (e.g. data loss incidents) to the appropriate regulator.

Rights of individuals

Under GDPR, individuals have the following rights with respect to their personal data:

• to be informed
• to have access
• to ensure rectification
• to ensure erasure
• to restrict processing
• to data portability
• to object
• to understand and constrain automated decision making, including profiling

Accountability: The ability to demonstrate compliance

Not only is it necessary to be compliant, it is necessary to be capable of evidencing the degree of compliance across the firm to auditors; be that with documentation, ownership and governance, controls and conformance. Only then is a firm able to demonstrate full compliance with the regulation.

Whilst the primary aim of the regulation is to put the consumer and citizens first, there are many remedies available to the regulators to encourage compliance. For serious breaches in large firms, non-compliance could be expensive, since GDPR allows the regulators to fine organisations substantially for breaches. These fines could be up to €20 million, or 4% of the company’s global annual turnover from the previous financial year, whichever is higher. Even before GDPR, the UK Information Commissioner’s Office (ICO) fined Talk Talk (an ISP / Media provider / Telco) £400k in January 2018 for a major personal data breach (see ICO Talk Talk).

Perspectives

The awareness of GDPR and its implications worldwide is expected to be very challenging for non EU domiciled firms who may have EU citizens as clients or staff. Unfortunately the level of awareness of the regulation, its requirements, and the complications it is likely to cause for current business processes appears to be very low outside of the EU, even though many firms will fall into its remit.

There are also differences in intent between US and European legislation in this area. The EU focuses predominantly on the rights of individuals, whilst US regulations focus on the rights of companies to process and manipulate users’ personal data. ‘Safe Harbor’ is already rendered obsolete and working through the contradicting rules will be challenging.

Finally, the UK ICO has already agreed that GDPR will be applicable within the UK when it comes into force in May 2018, and that the rules and regulations around data privacy will be unchanged after Brexit, so all affected firms need to act now!

How GFT approaches the challenge of GDPR

The reach of GDPR is far and wide and will impact any business having interactions with EU nationals. The amount of work to achieve compliance varies depending on: the type of organisation, its scale, and how they use individual data. Enterprise scale businesses are likely to already have mature programmes in place delivering GDPR compliance. For those who have not yet started, or need to ramp up their GDPR programme, we suggest the following approach:

• Defining and understanding personal data scope, and data discovery: what constitutes personal data and where is it located?
• Completing an impact assessment: assessing the current level of compliance, documentation & compliance processing and undertaking a gap analysis.
• Establishing good data governance: from the roles and responsibilities of business and technology people, to the introduction of tools and applications to manage the relevant aspects of good data protection, by design and default.

Summary

GDPR should provide definitive impetus to help address data management, effectively, efficiently and sustainably. A holistic approach, backed by a strong commitment from the top management of the financial institution is the heart of a successful strategy to achieve a data governance model that provides a coherent view of personal data. Achieving GDPR compliance requires effective master data management (MDM), combined with a data quality and security model for controlling access and permissions that guarantees access to data only to those users who really need the information, together with the creation of strong information and data security.  

Achieving this will make it easier for banks to not only comply rigorously and sustainably with the GDPR, but also achieve greater utility from their data, thereby enabling improvements in efficiency and cost reduction across the firm; good data underpins good processing in the long term.

So if you aware of GDPR but are not exactly clear what is meant by the terms: Personal Data, Sensitive Data, Data Subject, Data Processor, Data Controller, Data Breach, Pseudonymisation, Purpose Limitation, or what your firm is supposed to be doing with them, I would suggest you find out and fast. It is one thing to be aware of GDPR, but in our experience many firms are far away from being really ready!