Many banks have been working hard to ensure they are in a position to comply with the General Data Protection Regulation (GDPR), a European driven regulation but with global reach. GDPR has a broad scope for protecting personal data, far reaching consequences for extra-territoriality and the potential to hit firms with punitive fines for breaches – up to 4% of annual revenues.
The compliance deadline is also imminent - 25th May 2018.
The scope and geographical reach of personal data is one of the main ‘unknowns’ for firms based outside of the European Union (EU) and which may be affected by this new regulation. The scope of GDPR is the personal data of EU nationals, wherever they or their data may be in the world, whether or not the data subject lives in the EU, and whether or not the firm operates in the EU! This applies to individuals who could be: customers, partners, suppliers, intermediaries, members of staff or any other stakeholder (e.g. visitors or registered website users whose data is retained and processed for marketing).
How to be compliant
GDPR is specific in the requirements for collecting, storing, processing and retaining personal data. Each of these topics necessitates certain characteristics where the data must be:
These capabilities demonstrate a firm’s ability to support the rights of the individual. In addition, the regulation requires firms to rapidly notify any data breaches (e.g. data loss incidents) to the appropriate regulator.
Rights of individuals
Under GDPR, individuals have the following rights with respect to their personal data:
Accountability: The ability to demonstrate compliance
Not only is it necessary to be compliant, it is necessary to be capable of evidencing the degree of compliance across the firm to auditors; be that with documentation, ownership and governance, controls and conformance. Only then is a firm able to demonstrate full compliance with the regulation.
Whilst the primary aim of the regulation is to put the consumer and citizens first, there are many remedies available to the regulators to encourage compliance. For serious breaches in large firms, non-compliance could be expensive, since GDPR allows the regulators to fine organisations substantially for breaches. These fines could be up to €20 million, or 4% of the company’s global annual turnover from the previous financial year, whichever is higher. Even before GDPR, the UK Information Commissioner’s Office (ICO) fined Talk Talk (an ISP / Media provider / Telco) £400k in January 2018 for a major personal data breach (see ICO Talk Talk).
Perspectives
Awareness of GDPR and its implications worldwide is expected to be very challenging for non-EU-domiciled firms that may have EU citizens as clients or staff. Unfortunately, the level of awareness of the regulation, its requirements, and the complications it is likely to cause for current business processes appears to be very low outside of the EU, even though many firms will fall into its remit.
There are also differences in intent between US and European legislation in this area. The EU focuses predominantly on the rights of individuals, whilst US regulations focus on the rights of companies to process and manipulate users’ personal data. ‘Safe Harbor’ is already rendered obsolete and working through the contradicting rules will be challenging.
Finally, the UK ICO has already agreed that GDPR will be applicable within the UK when it comes into force in May 2018, and that the rules and regulations around data privacy will be unchanged after Brexit, so all affected firms need to act now!
How GFT approaches the challenge of GDPR
The reach of GDPR is far and wide and will impact any business having interactions with EU nationals. The amount of work to achieve compliance varies depending on: the type of organisation, its scale, and how they use individual data. Enterprise scale businesses are likely to already have mature programmes in place delivering GDPR compliance. For those who have not yet started, or need to ramp up their GDPR programme, we suggest the following approach:
Summary
GDPR should provide definitive impetus to help address data management, effectively, efficiently and sustainably. A holistic approach, backed by a strong commitment from the top management of the financial institution is the heart of a successful strategy to achieve a data governance model that provides a coherent view of personal data. Achieving GDPR compliance requires effective master data management (MDM), combined with a data quality and security model for controlling access and permissions that guarantees access to data only to those users who really need the information, together with the creation of strong information and data security.
Achieving this will make it easier for banks to not only comply rigorously and sustainably with the GDPR, but also achieve greater utility from their data, thereby enabling improvements in efficiency and cost reduction across the firm; good data underpins good processing in the long term.
So if you are aware of GDPR but are not exactly clear what is meant by the terms Personal Data, Sensitive Data, Data Subject, Data Processor, Data Controller, Data Breach, Pseudonymisation or Purpose Limitation, or what your firm is supposed to be doing about them, I would suggest you find out, and fast. It is one thing to be aware of GDPR, but in our experience many firms are far away from being really ready!
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.