GDPR: making data privacy work in financial services
Published December 2017 | Conduct and consequences
It’s the new reality for financial services. In April 2016, the European Parliament ratified the General Data Protection Regulation (GDPR). Organizations have until 25 May 2018 to establish a strong and accountable framework for safeguarding individual privacy. Firms based outside of the EU will still need to comply in order to do business there, and those that fail to do so will face fines as high as 4% of their annual worldwide turnover.
GDPR is a welcome harmonization of privacy laws across the region that will eventually make business easier for multinational companies. But in the short term it puts pressure not only on business-as-usual operations and budgets, but especially on the larger digital transformation programs that rely on a broad use of data.
Financial services organizations face a special reputational risk. A recent survey of IT and risk/fraud decision-makers named banking as the sector regulators are most likely to make an example of, when it comes to punishing noncompliance.*
Given these challenges, how is the sector doing in achieving compliance? We’ve seen many companies implementing the regulation either too narrowly or too aggressively. A smarter approach is both comprehensive and risk-based – it puts the company in full compliance, but preserves opportunities to benefit from data analytics. By overhauling their processes around compliance, and innovating from that foundation, businesses can still create a great deal of digital value.
Key features of GDPR
GDPR emerged after years of negotiation in the wake of high-profile data breaches such as the UK National Building Society in 2006. Regulators were concerned that companies’ ever more powerful analytics capabilities would undermine individual privacy. The new regulation’s key features are:
1. Expanding the scope of regulation. GDPR applies not just to data controllers but also to data processors, which become an officially regulated entity. It covers all organizations that target EU citizens, regardless of their physical location. It also confirms the 2013 EU ruling that invalidated the Safe Harbor Framework.
2. Expanded consent. Consumer consent to data processing must be freely given and for specific purposes, and must be explicit in the case of sensitive personal data or trans-border dataflow. Customers must be informed of their right to withdraw their consent at any time.
3. Establishing new rights. Individuals have the right to data portability, the right to be forgotten, and the right to object to profiling due solely to automated data processing. Organizations must safeguard these rights on individuals’ behalf.
4. Assessing privacy impacts. Organizations must undertake Privacy Impact Assessments when conducting risky or large-scale processing of personal data.
5. Instituting privacy by design. Organizations should design data protection into their business processes and systems, with the default settings on high.
6. Mandating data protection officers. All companies that systematically monitor or process large amounts of sensitive personal data must appoint an executive-level official to oversee safeguards on privacy.
7. Demanding accountability. Organizations must prove their accountability on privacy by establishing a culture of data oversight, minimizing the processing and retention of data, documenting their data processing procedures and operations, and building in privacy safeguards.
8. Mandatory notification of breaches. Organizations must notify the supervisory authority of data breaches within three days, and must directly inform individuals if this breach carries a high risk to them.
9. Instituting heavy fines. For breaches of GDPR, regulators can impose fines of up to 4% of total annual worldwide turnover, or €20,000,000, whichever is greater.
Not just another compliance exercise
GDPR is a game-changer. In their eagerness to capture the benefits of data analytics, many organizations have worked consumer and employee data deeply into their internal systems – often with insufficient regard for privacy. With GDPR, they’ll have to assess and recalibrate these systems around respecting individuals’ preferences on privacy. Most current systems do not support GDPR requirements. The right to erasure is particularly difficult due to the complexity and breadth of data distribution across databases and backups.
Companies cannot simply layer new procedures over existing operations. Nor can they rely on the legal department or a data protection officer to handle the job. Each data flow must be analyzed for “rightful usage,” which is usage that is inherently legitimate or involves explicitly obtained consent. This is a multi-disciplinary challenge, so the departments and business units involved need a comprehensive way to collaborate. (See Figure 1). Developing a comprehensive framework for collaboration may involve a great deal of work, but it could become the basis for sustainable competitive advantage in the digital economy.
As for companies doing too much, the trouble lies in their ambitious attempts to map their entire data flows. This mapping is an essential first step, but often it is over-detailed and resource-intensive, which can delay efforts to achieve compliance. There’s no need to look comprehensively at every data flow. Companies can focus on flows with high impact, as indicated by the company’s overall risk appetite and its data analytics strategies. Many data flows are unlikely to ever infringe on privacy.
In creating the basic privacy register, most companies can use risk analysis to safely limit the scope of data mapping. They can then use data-discovery tooling to detect further structured and unstructured data as needed.
Step by step
Each company should start from its general data strategy, as informed by its business strategy and risk appetite. GDPR focuses on results, not on specific processes, and doesn’t favor specific technologies. As such, companies can develop the approach that works best with their commercial ambitions. With all the effort that implementing GDPR is likely to involve, companies should take the opportunity to examine and adjust all their data-related processes from the ground up, for maximum business advantage.
With its commercial and privacy goals aligned, the company can then calibrate its information systems for the appropriate outputs – aiming to safeguard privacy while supporting the business objectives. From there, the functions and business units can work together to develop the comprehensive framework for achieving compliance. (Figure 2).
With this framework as a foundation, the next step is data mapping. Companies can draw on tools that monitor what happens to a sample of actual personal data. The resulting flow diagrams can guide practical work in the trenches to achieve compliance with GDPR. They can also point to problematic vendor relationships, and identify where data might leak outside. This tracking is not only an essential foundation for improvement; it will also help to meet the GDPR requirement that organizations demonstrate insight into their data flows.
The organization is now ready to overhaul its processes to achieve compliance. In our work with companies, we’ve discovered several common challenges that need to be addressed early.
- Getting your budgets and your board ready: The same survey mentioned earlier also found that only 40% of decision makers say they have enough budget to ensure compliance in time. Since complete compliance is unlikely by May 2018, the board should now formally accept the priorities of the implementation plan and the risks of noncompliance. It should also agree to a detailed plan for continuing implementation after the deadline, with robust project and change management capabilities.
- Getting the skills in hand: Digital skills in general, and data analytics in particular, have become notoriously scarce as more companies come to resemble tech firms. It’s critical that companies assess the skill gaps in their new organizational design. They will likely need to hire or train people to manage and support the implementation. Appointing or hiring a Data Protection Officer may be a special challenge.
- Publicizing the plan: GDPR implementation is such a complex project, with requirements in many different areas of the business, that the wider organization needs a sense of how they contribute to the big picture. The plan should include the company’s strategy for commercializing data as well as the framework for prioritizing specific kinds of data handling.
- Getting your people ready: Only by shifting its culture can a company fully embed privacy practices into day-to-day activities. Traditional risk-awareness sessions for employees and contractors are not enough. A sustained training and awareness program should be designed and rolled out across the entire business.
- Fixing your architecture: Current software packages are likely to be “privacy-smart,” but most organizations use legacy programs with varying levels of privacy protection. These older systems typically hold data indefinitely rather than automatically deleting it after a fixed period – and GDPR limits data retention to seven years. It’s essential to critically appraise all systems. GDPR is an opportunity not just to ensure privacy protections, but also to align systems with subsequently added business processes and commercial priorities.
- Preparing for a breach: With financial services companies under more public scrutiny than ever, communicating the breach may be just as important as solving it. And now it’s legally required: any incident has to be reported within 72 hours. Given heightened interest and media scrutiny, the planning must also include outreach to customers and the public.
How ready are you?
GDPR is the most far-reaching regulatory change to hit financial services since the aftermath of the Great Recession. It encourages companies to move aggressively to redesign their approach to data. They can overhaul outdated legacy systems while reducing the risk of fines and remediation. Bold action in this arena will help win customers’ trust in the future financial marketplace – and generate enormous future value for everyone.
* One Year Out: Views on GDPR, published by Varonis, 2017, https://info.varonis.com/hubfs/docs/2017-GDPR-survey-results.pdf. The research involved interviewing a sample of 500 IT and risk professionals in the UK, France, Germany and the US, between 17 April and 9 May 2017.