GDPR: making data privacy work in financial services

Published December 2017

Conduct and consequences

It’s the new reality for financial services. In April 2016, the European Parliament ratified the General Data Protection Regulation (GDPR). Organizations have until 25 May 2018 to establish a strong and accountable framework for safeguarding individual privacy. Firms based outside of the EU will still need to comply in order to do business there, and those that fail to do so will face fines as high as 4% of their annual worldwide turnover.

GDPR is a welcome harmonization of privacy laws across the region that will eventually make business easier for multinational companies. But in the short term it puts pressure not only on business-as-usual operations and budgets, but especially on the larger digital transformation programs that rely on a broad use of data.

Financial services organizations face a special reputational risk. A recent survey of IT and risk/fraud decision-makers named banking as the sector regulators are most likely to make an example of when punishing noncompliance.*

Given these challenges, how is the sector doing in achieving compliance? We’ve seen many companies implementing the regulation either too narrowly or too aggressively. A smarter approach is both comprehensive and risk-based – it puts the company in full compliance, but preserves opportunities to benefit from data analytics. By overhauling their processes around compliance, and innovating from that foundation, businesses can still create a great deal of digital value.

Not just another compliance exercise

GDPR is a game-changer. In their eagerness to capture the benefits of data analytics, many organizations have worked consumer and employee data deeply into their internal systems – often with insufficient regard for privacy. With GDPR, they’ll have to assess and recalibrate these systems around respecting individuals’ preferences on privacy. Most current systems do not support GDPR requirements. The right to erasure is particularly difficult due to the complexity and breadth of data distribution across databases and backups.

Companies cannot simply layer new procedures over existing operations. Nor can they rely on the legal department or a data protection officer to handle the job. Each data flow must be analyzed for “rightful usage,” meaning usage that is either inherently legitimate or based on explicitly obtained consent. This is a multi-disciplinary challenge, so the departments and business units involved need a comprehensive way to collaborate. (See Figure 1.) Developing a comprehensive framework for collaboration may involve a great deal of work, but it could become the basis for sustainable competitive advantage in the digital economy.

As for companies doing too much, the trouble lies in their ambitious attempts to map their entire data flows. This mapping is an essential first step, but often it is over-detailed and resource-intensive, which can delay efforts to achieve compliance. There’s no need to look comprehensively at every data flow. Companies can focus on flows with high impact, as indicated by the company’s overall risk appetite and its data analytics strategies. Many data flows are unlikely to ever infringe on privacy.

In creating the basic privacy register, most companies can use risk analysis to safely limit the scope of data mapping. They can then use data-discovery tooling to detect further structured and unstructured data as needed.

Step by step

Each company should start from its general data strategy, as informed by its business strategy and risk appetite. GDPR focuses on results, not on specific processes, and doesn’t favor specific technologies. As such, companies can develop the approach that works best with their commercial ambitions. With all the effort that implementing GDPR is likely to involve, companies should take the opportunity to examine and adjust all their data-related processes from the ground up, for maximum business advantage.

With its commercial and privacy goals aligned, the company can then calibrate its information systems for the appropriate outputs – aiming to safeguard privacy while supporting the business objectives. From there, the functions and business units can work together to develop the comprehensive framework for achieving compliance. (See Figure 2.)

With this framework as a foundation, the next step is data mapping. Companies can draw on tools that monitor what happens to a sample of actual personal data. The resulting flow diagrams can guide practical work in the trenches to achieve compliance with GDPR. They can also point to problematic vendor relationships and identify where data might leak outside the organization. This tracking is not only an essential foundation for improvement; it will also help to meet the GDPR requirement that organizations demonstrate insight into their data flows.

Success factors

The organization is now ready to overhaul its processes to achieve compliance. In our work with companies, we’ve discovered several common challenges that need to be addressed early.

  • Getting your budgets and your board ready: The same survey mentioned earlier also found that only 40% of decision-makers say they have enough budget to ensure compliance in time. Since complete compliance is unlikely by May 2018, the board should now formally accept the priorities of the implementation plan and the risks of noncompliance. It should also agree to a detailed plan for continuing implementation after the deadline, with robust project and change management capabilities.
  • Getting the skills in hand: Digital skills in general, and data analytics in particular, have become notoriously scarce as more companies come to resemble tech firms. It’s critical that companies assess the skill gaps in their new organizational design. They will likely need to hire or train people to manage and support the implementation. Appointing or hiring a Data Protection Officer may be a special challenge.
  • Publicize the plan: GDPR implementation is such a complex project, with requirements in many different areas of the business, that the wider organization needs a sense of how they contribute to the big picture. The plan should include the company’s strategy for commercializing data as well as the framework for prioritizing specific kinds of data handling.
  • Getting your people ready: Only by shifting its culture can a company fully embed privacy practices into day-to-day activities. Traditional risk-awareness sessions for employees and contractors are not enough. A sustained training and awareness program should be designed and rolled out across the entire business.
  • Fix your architecture: Current software packages are likely to be “privacy-smart,” but most organizations use legacy programs with varying levels of privacy protection. These older systems typically hold data indefinitely rather than automatically deleting it after a fixed period – and GDPR limits data retention to seven years. It’s essential to critically appraise all systems. GDPR is an opportunity not just to ensure privacy protections, but also to align systems with subsequently added business processes and commercial priorities.
  • Prepare for a breach: With financial services companies under more public scrutiny than ever, communicating a breach may be just as important as resolving it. And now it’s legally required: any incident has to be reported within 72 hours. Given heightened interest and media scrutiny, the planning must also include outreach to customers and the public.

How ready are you?

GDPR is the most far-reaching regulatory change to hit financial services since the aftermath of the Great Recession. It encourages companies to move aggressively to redesign their approach to data. They can overhaul outdated legacy systems while reducing the risk of fines and remediation. Bold action in this arena will help win customers’ trust in the future financial marketplace – and generate enormous future value for everyone.

* One Year Out: Views on GDPR, published by Varonis, 2017. The research involved interviewing a sample of 500 IT and risk professionals in the UK, France, Germany and the US, between 17 April and 9 May 2017.