GDPR: What you need to know next
If you’re a bank or financial services organization, you’ve had a few months now to adjust to the new business era ushered in with Europe’s General Data Protection Regulation (GDPR). But even if you met the 25 May 2018 deadline for compliance, your work isn’t done.
Now is the time to revisit your initial GDPR responses and processes, and make sure your business is ready for any data challenges that may lie ahead. What are those challenges? This article will explore some of the critical issues you need to consider.
The GDPR supersedes the EU’s Data Protection Act of 1998 and other previous European data regulations. A massive piece of legislation, it sets a new legal framework for personal data protection and applies to every organization that processes the data of European residents.
In a nutshell, the GDPR provides (as a reminder):
- New principles such as lawfulness, fairness and transparency (that is, a legal basis is required for processing data), purposes limitation (i.e., processing of data for specific purposes only) and data minimization (collecting only the data necessary for the specific purpose)
- New obligations for organizations: having a register for personal data processing, making sure that suppliers are in compliance, appointing a Data Protection Officer (DPO), reporting any personal data breach to regulators within 72 hours, “privacy by design,” etc.
- New rights for individuals, and reinforcement of existing rights: right to access, right to be forgotten, right to object, data portability, etc.
With such GDPR requirements now in force, organizations must adjust and improve their frameworks for data privacy protection. If not, they could be subject to significantly strengthened sanctions in the event of a data breach, with fines of up to €20 million or 4% of the organization’s total worldwide turnover, whichever is greater.
Most organizations have worked hard for months – even years – to meet the GDPR deadline and demonstrate compliance to customers, employees and regulators. Some organizations took a risk-based approach that prioritized key issues first. Others worked to achieve across-the-board GDPR compliance, tackling everything at once.
There is more work to do
Whatever approach your organization took, it’s important to remember this: your work isn’t finished yet. Even months past the compliance deadline, you will most likely find some remaining issues that need to be addressed, as well as other areas that need reinforcement or improvement.
Complying with the GDPR is a complex task. Even the regulators responsible for policing it don’t always seem to be fully prepared to deal with all of its requirements.
Already, the first complaints have been filed against some famous tech giants over “forced consent”. It’s too early to say if those complaints will be successful, whether these organizations will ultimately be fined (and, if so, by how much) and what the impact on their reputations might be. However, this shows that the GDPR is a reality that must be taken seriously and that superficial solutions are not sufficient.
Clearly, it’s essential to comply now to satisfy regulators and avoid legal challenges in court. But the stakes are also high at the operational level, because organizations must have systems in place to respond to requests from individuals or regulators in an efficient, smooth and reasonably cost-effective way.
Consequently, every organization needs to revisit its GDPR situation to identify areas where early responses need to be finalized and other responses should be improved. This might require more thought about solution designs and implementation.
As your organization revisits its GDPR response, consider the following:
Creating the required DPR (Data Processing Record) is an intensive and time-consuming exercise that involves many actors, and you might still need to finalize your procedures for handling this.
The DPR documents how personal data within an organization is processed, why it is processed (the “purpose”) and the legal basis for such processing (contract performance, regulatory requirements, etc.). It also deals with the categories of subject data, the types of data stored and data storage timeframes, as well as with other matters such as the tools and systems used.
However they have been developed – most likely per entity, per line of business and per function – your DPRs probably need to be made more consistent, be improved for accuracy and reliability, and be linked across different scopes (entities, businesses, systems and so on). Documenting details about what data is processed, and how, is a GDPR cornerstone (Article 30); once you have established such procedures, your organization will not only need to look for ways to improve and stabilize practices but will need to adopt tools for appropriate governance and periodic review.
To properly integrate, maintain and monitor your various DPRs, you will require a clear definition of roles and responsibilities (RACI) and governance across your organization.
Data transfers must be closely watched due to strict GDPR requirements (Article 44 and following) that are difficult but essential to fulfil.
Upon creating a DPR, you must identify to which country or countries personal data flows. This is because the GDPR in principle restricts data transfer to countries that have received an adequacy decision from the EU or to situations where “appropriate safeguards” – such as binding corporate rules – are in place. Any GDPR exercise at your organization must therefore include a complex review of the various flows and agreements that are in place.
In banking, a variety of shifts toward outsourcing models involving external partners has increased the circulation of data:
- Offshoring of activities to countries outside Europe, via subsidiaries and branches or to external vendors
- Creation of mutual back offices across several countries (i.e., hubs employing a “follow-the-sun” mode)
- Adoption of BPO (business process outsourcing) or IT outsourcing
- Partnerships with non-bank financial actors (e.g., fintech, regtech)
Such outsourcing contexts require specific governance across countries and activities to identify and understand the overall data flows and supporting agreements, such as SLAs with near- and off-shore countries, inside or outside of an organization.
Defining the lawful basis for data processing (Article 6) and management of consent (Articles 7 and 8, the second of which applies to children) can be complex under GDPR.
According to the GDPR, you must have a valid and lawful basis for processing personal data. The regulation provides for six lawful bases, which include:
- Regulatory and legal obligations applicable to the controller (e.g., performing due diligence in the context of KYC)
- Contract performance (e.g., collecting and processing data to offer the best products and services to customers according to their contracts)
- Vital interest (i.e., when collecting and processing data are necessary to protect someone’s life)
- Public tasks (i.e., when data processing is necessary to perform a specific task in the public interest as set out by law)
- Legitimate interest (i.e., to the benefit of a company; this is the most flexible lawful basis for data processing, but it needs to be carefully and clearly articulated)
- Consent (i.e., the data subject gives consent to the processing of his or her personal data for one or more specific purposes)
When you define the purpose for processing personal data, you should get it right the first time. You should not switch from one lawful basis to another at a later stage unless you have a good reason. Even if you change your purpose, you are supposed to be able to continue processing data based on the initial lawful basis.
If you are outside the first four legal bases and do not want to ask for explicit consent, you may be tempted to justify data processing on the basis of the legitimate interest of the controller. However, such a choice is not simple, and can be risky. Although it is flexible, the concept of legitimate interest must be considered on a case-by-case basis and cannot be used as the default basis for all data processing. It requires you to clearly identify the legitimate interest, demonstrate the necessity for data processing and balance your interests against the individual’s interests, rights and freedoms. For example, fraud prevention might be a purpose that constitutes a legitimate interest, while direct marketing would be far more questionable depending on the context.
In some cases, to comply with Article 7 of the regulation, you might have to obtain freely given consent from an individual.
In addition to the identification of use cases requiring consent, the management of consent itself is also complex. It requires appropriate governance and policies, as well as maintenance of use cases (in relation to the data processing record), and it may involve selecting and implementing different tools according to your needs.
To respond to the GDPR’s privacy by design principle, your organization must conduct a Privacy Impact Assessment (PIA) on particular types of data processing (Article 35).
This assessment must be an upstream and integrated process that involves all relevant actors and validations.
Prior to implementing a new or updated data processing measure, you are required to assess its impact if such processing could result in a high risk to the rights and freedoms of natural persons. Examples of processes that are likely to require PIAs include Know Your Customer (KYC) and client profiling.
Performing a PIA in a timely manner requires your organization to have in place clear and holistic processes and governance. This means you must identify the need for a PIA, the data protection and associated risks, and solutions to reduce or mitigate such risks. It also requires sign-off on the outcomes of the PIA, and implementation of the data protection measures. The PIA is a permanent and recurring process that should be driven by people with the appropriate expertise and knowledge: data protection officers (DPOs); business process experts; project managers (and involved stakeholders’ committees); chief information security officers (CISOs); risk, compliance and legal teams; etc. New product committees should be sure to include personal data privacy on their agendas, and every project needs to integrate the topic into its workstreams.
If your organization doesn’t have the necessary internal expertise and experience, you may have to consider bringing in external specialists to consult on or carry out the PIA.
Ultimately, the controller shall seek the advice of the supervisory authority when carrying out a PIA.
Every organization must review and publish a data privacy policy that describes the ways in which client data is gathered, used, disclosed and managed.
Your privacy notice should include your lawful basis for data processing, as well as the purposes for such processing.
These policies are generally updated by the legal department with the help of business and support functions with knowledge of the data processing activities.
Banks that updated their privacy policies before 25 May 2018 must anticipate that further updates may be required due to changes in data processing and newly created processes.
Thus, your organization should have an overall GDPR set-up that allows you to identify any material changes in personal data processing, and to reflect these changes in your data privacy policy.
GDPR awareness is a matter of people, culture, leadership and acting now.
To become – and remain – GDPR compliant, your organization must place a critical focus on staff awareness. Key people within your organization, both decision-makers and stakeholders, must be made aware of the changes brought by the regulation and the impacts it will have on the organization. Doing this requires organized, immediate and regular communication with all staff members. In addition, specific training must be provided to key people, such as client-facing staff (customer relationship managers, sales, etc.) and experts who need to master the regulation (e.g., DPOs, compliance officers, legal staff and so on) due to the nature of their roles and responsibilities.
The GDPR is a strategic business challenge that requires leadership buy-in. It requires translating ideas into actions, and not only awareness but involvement. It affects everyone and thus must be infused into the culture of your organization. This includes integrating it into a customer-centric approach and being aware of what clients want.
Data controllers shall use only processors that demonstrate they meet the GDPR requirements, and this should be governed by a signed contract (Article 28).
This means bringing new order to previously disordered systems, reaching out to all data processing partners and ensuring their contracts comply with the GDPR. Revising such contracts to achieve these goals is not simple, as difficult issues and high stakes are in play.
For many organizations, this lengthy and time-consuming exercise will continue through 2018 and 2019. It requires mapping and categorizing all existing contracts in scope within the organization, preparing the relevant GDPR clauses to integrate into agreements, and discussing clauses for sign-off with data processors. This process involves the business owners of the contracts, as well as sourcing and legal departments.
Viewed from a different perspective, however, these tasks can offer significant benefits. Think of the GDPR as a great opportunity for banks to thoroughly revamp vendor relationships and the management of related agreements.
Your organization needs to ensure you have effective mechanisms in place to support the GDPR’s expanded rights of individuals, whether employees or clients.
This means having the right processes, organizations, governance and systems in place so you can respond within 30 days to requests from individuals who want to exercise their rights. It also means being prepared for a variety of use cases (e.g., different types of data, questions, systems, etc.).
Ahead of the GDPR’s May deadline, you may have implemented mostly tactical organizations and processes, such as helpdesks. While these may be sufficient to address a low volume of requests, such set-ups must be industrialized and made more robust so your organization can respond accurately, efficiently and exhaustively (that is, covering all data, from all areas and systems) – as well as respond in a timely manner.
You should consider – and implement – technical solutions so you can rapidly identify all personal data (e.g., data discovery tools) and execute the “right to be forgotten” in all systems with respect to required retention periods (e.g., data masking solutions). To do this, it could be highly beneficial to use new technologies such as chatbots to communicate with individuals, or case management tools that capture individuals’ requests and help controllers manage and monitor them end to end.
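As an added illustration (not code from the article or from any vendor tool), the Python sketch below applies an erasure request to one customer record while honouring the retention periods the paragraph above refers to: categories under a legal retention obligation are kept but pseudonymized, the rest are erased, and an audit trail records the basis for each decision and when the retained data falls due for purging. The categories, retention periods, field names and key are constructed placeholders; a bank's own Data Processing Record supplies the real ones.

```python
"""Erasure ("right to be forgotten") request honouring statutory retention.
Added example, not code from the article. Categories, retention periods,
field names and key are constructed placeholders; the bank's DPR sets real ones.
"""
import hashlib
import hmac
from datetime import date, timedelta

# category -> (lawful basis for retention, days to keep after relationship
# ends). 0 days: no retention obligation, erase on request.
RETENTION_POLICY = {
    "kyc": ("legal obligation: AML/KYC record keeping", 5 * 365),
    "transactions": ("legal obligation: accounting records", 10 * 365),
    "contact": ("contract performance", 0),
    "marketing": ("consent", 0),
}
# Fields naming the person directly; in retained categories they are replaced
# by a keyed pseudonym so the record stays linkable for audits but no longer
# holds the identity in clear. Placeholder key: keep the real one in an HSM.
DIRECT_IDENTIFIERS = {"full_name", "id_document", "email", "phone"}
PSEUDONYM_KEY = b"placeholder-key-from-key-manager"


def pseudonymize(value: str) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated for readability)."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def handle_erasure(record: dict, relationship_end: date) -> tuple[dict, list[dict]]:
    """Apply an erasure request to one customer record.
    Returns the updated record and an audit trail stating, per category,
    whether data was erased or retained, on which basis, and until when."""
    updated, audit = {}, []
    for category, fields in record.items():
        basis, days = RETENTION_POLICY[category]
        if days == 0:
            audit.append({"category": category, "action": "erased", "basis": basis})
            continue
        updated[category] = {
            name: pseudonymize(value) if name in DIRECT_IDENTIFIERS else value
            for name, value in fields.items()
        }
        audit.append({"category": category, "action": "retained_pseudonymized",
                      "basis": basis,
                      "delete_after": relationship_end + timedelta(days=days)})
    return updated, audit


def due_for_deletion(audit: list[dict], today: date) -> list[str]:
    """Retained categories whose retention period has expired and must be purged."""
    return [a["category"] for a in audit
            if a["action"] == "retained_pseudonymized" and today > a["delete_after"]]


# Constructed sample record, as a data discovery tool might assemble it.
SAMPLE = {
    "kyc": {"full_name": "Jane Example", "id_document": "ID-000000", "risk_rating": "low"},
    "transactions": {"account": "ACC-1", "entries": 42},
    "contact": {"email": "jane@example.test", "phone": "+00 000"},
    "marketing": {"email": "jane@example.test", "opt_in": True},
}
```

Running `handle_erasure(SAMPLE, date(2018, 6, 1))` erases the contact and marketing categories, keeps KYC and transaction data with pseudonymized identifiers, and `due_for_deletion` later reports which retained categories can be purged once their period has lapsed.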
In any case, it’s essential to understand existing tools and data processing methods, as well as who is doing what in the organization.
Most importantly, it is vital to strengthen communication with people across different departments and to work together to understand the expectations of data subjects, while focusing on the most likely scenarios.
A data controller must notify the relevant supervisory authority of a personal data breach no later than 72 hours after having become aware of it (Article 33).
Defining and implementing the required data breach response process is a complex and sensitive task. First, it requires being able to identify various types of data breaches according to their different origins, such as internal errors, fraud or data leakage from inside or outside of the organization, vendor failure, etc. Second, it means activating the right sequence of actors to assess, document and escalate the data breach within your organization’s chain of Data Protection Officers (DPOs). Finally, it requires you to notify the appropriate regulators and, when necessary, affected individuals themselves (Article 34).
Doing this means your organization needs to develop and promote strong collaboration among the different actors involved (i.e., front-office sales people, traders, and customer relationship managers; IT; risk, compliance and legal staff, etc.). You also need to document the chain of responsibilities and communicate this as part of your GDPR awareness plan.
Your organization must create procedures that address the scope of possible breaches, different responsibilities, and the steps you will take to communicate the breach.
Once this is conceptually in place, you will need to test these processes beforehand and ensure that all actors are well prepared. That’s because, in an actual breach, inappropriate behavior could make the situation even worse (e.g., communication mistakes could expose affected individuals, impact the organization’s reputation, etc.).
As a data controller, your organization is strictly accountable for the security of processing (Article 32), which means ensuring the “confidentiality, integrity, availability and resilience of processing systems and services”.
This means you must have all necessary security measures in place to protect the data of individuals; this includes technologies such as firewalls, encryption, pseudonymization, anonymization, etc. Across any enterprise, systems are likely to be composed of myriad applications that process personal data. This creates complexity when it comes to analyzing, defining and implementing possible solutions.
Remember: your organization’s efforts to improve security did not come to an end on 25 May 2018.
One of your ongoing challenges is to be able to demonstrate at any time that your organization has appropriate measures in place, and that you take security into account systematically whenever new changes or platforms are implemented.
To comply with the GDPR, your organization requires a strong framework that demonstrates your position on data is robust and defendable.
You cannot do this unless you establish solid supporting governance that includes board awareness, a framework for accountability (with data controllers at the executive level, as well as in compliance offices, risk offices, legal departments, etc.), a risk register, appropriate committees and review processes, as well as the appointment of Data Protection Officers when needed (Articles 37 through 39). You must also be ready to move now from defined governance on paper to up-and-running governance when it comes to addressing individual requests and managing the data breach notification process.
Time to reflect
Over the past 10 years, data quality, security and protection have become an increasingly high priority. The arrival of the GDPR has strongly reinforced this.
We understand that, for most organizations, becoming – and remaining – compliant with the GDPR is going to be a long journey. This is especially the case for retail banks and private banks that process large volumes of personal data, including a lot of highly sensitive information.
Most financial institutions did the best they could to demonstrate compliance in time for the GDPR’s deadline. However, this new regulation is a beast that creates numerous challenges that will occupy organizations for months and years to come.
Now is the time to move away from those early tactical and superficial solutions and immature processes, and toward systems and procedures that are consolidated, systematized, automated, coordinated and tested.
In banking, data privacy is everyone’s responsibility. And it must be incorporated into the banking culture.
As we move further into the new GDPR era, we are certain to need to revisit important topics and adjust priorities. We are already starting to see this with the arrival of the first requests from individuals, the first audits from regulators, and the first legal challenges in court.
For banks, now is the time to audit what you have done so far and to make sure you are doing the right things in the right way to respond to the GDPR beast.
We are experts in digital business consulting and can help you achieve compliance with the new data protection regulations in a way that is both efficient and effective.
Not only that, but we can also help you to realise business benefits from optimising your data management. The General Data Protection Regulation is much more than a regulatory obligation - it is an opportunity to drive efficiency, build trust and create new business opportunities.
With ready access to information online, customers expect more transparency and responsiveness from the custodians of their data. That’s why in today’s digital economy, businesses are looking for ways to delight their customers and establish trust. However, digital at scale is only successful if GDPR compliance is the core of their data, product and services strategy.