It’s the new reality for financial services. In April 2016, the European Parliament ratified the General Data Protection Regulation (GDPR). Organizations have until 25 May 2018 to establish a strong and accountable framework for safeguarding individual privacy. Firms based outside of the EU will still need to comply in order to do business there, and those that fail to do so will face fines as high as 4% of their annual worldwide turnover.

GDPR is a welcome harmonization of privacy laws across the region that will eventually make business easier for multinational companies. But in the short term it puts pressure not only on business-as-usual operations and budgets, but especially on the larger digital transformation programs that rely on a broad use of data.

Financial services organizations face a special reputational risk. A recent survey of IT and risk/fraud decision-makers named banking as the sector regulators are most likely to make an example of, when it comes to punishing noncompliance.*

Given these challenges, how is the sector doing in achieving compliance? We’ve seen many companies implementing the regulation either too narrowly or too aggressively. A smarter approach is both comprehensive and risk-based – it puts the company in full compliance, but preserves opportunities to benefit from data analytics. By overhauling their processes around compliance, and innovating from that foundation, businesses can still create a great deal of digital value.

Review the key features of GDPR

GDPR emerged after years of negotiation in the wake of high-profile data breaches such as the UK National Building Society in 2006. Regulators were concerned that companies’ ever-more-powerful analytics capabilities would undermine individual privacy. The new regulation’s key features are:

  1. Expanding the scope of regulation. GDPR applies not just to data controllers but also to data processors, which become officially regulated entities. It covers all organizations that target EU citizens, regardless of their physical location. It also confirms the 2013 EU ruling that invalidated the Safe Harbor Framework.
  2. Expanded consent. Consumer consent to data processing must be freely given and for specific purposes, and must be explicit in the case of sensitive personal data or trans-border dataflow. Customers must be informed of their right to withdraw their consent at any time.
  3. Establishing new rights. Individuals have the right to data portability, the right to be forgotten, and the right to object to profiling due solely to automated data processing. Organizations must safeguard these rights on individuals’ behalf.
  4. Assessing privacy impacts. Organizations must undertake Privacy Impact Assessments when conducting risky or large-scale processing of personal data.
  5. Instituting privacy by design. Organizations should design data protection into their business processes and systems, with the default settings on high.
  6. Mandating data protection officers. All companies that systematically monitor or process large amounts of sensitive personal data must appoint an executive-level official to oversee safeguards on privacy.
  7. Demanding accountability. Organizations must prove their accountability on privacy by establishing a culture of data oversight, minimizing the processing and retention of data, documenting their data processing procedures and operations, and building in privacy safeguards.
  8. Mandatory notification of breaches. Organizations must notify the supervisory authority of data breaches within three days, and must directly inform individuals if this breach carries a high risk to them.
  9. Instituting heavy fines. For breaches of GDPR, regulators can impose fines of up to 4% of total annual worldwide turnover, or €20,000,000, whichever is greater.

Not just another compliance exercise

GDPR is a game-changer. In their eagerness to capture the benefits of data analytics, many organizations have worked consumer and employee data deeply into their internal systems – often with insufficient regard for privacy. With GDPR, they’ll have to assess and recalibrate these systems around respecting individuals’ preferences on privacy. Most current systems do not support GDPR requirements. The right to erasure is particularly difficult due to the complexity and breadth of data distribution across databases and backups.

Companies cannot simply layer new procedures over existing operations. Nor can they rely on the legal department or a data protection officer to handle the job. Each data flow must be analyzed for “rightful usage,” which is usage that is inherently legitimate or involves explicitly obtained consent. This is a multi-disciplinary challenge, so the departments and business units involved need a comprehensive way to collaborate (see Figure 1). Developing a comprehensive framework for collaboration may involve a great deal of work, but it could become the basis for sustainable competitive advantage in the digital economy.

As for companies doing too much, the trouble lies in their ambitious attempts to map their entire data flows. This mapping is an essential first step, but often it is over-detailed and resource-intensive, which can delay efforts to achieve compliance. There’s no need to look comprehensively at every data flow. Companies can focus on flows with high impact, as indicated by the company’s overall risk appetite and its data analytics strategies. Many data flows are unlikely to ever infringe on privacy.

Figure 1: Who should be involved from your organization?

In creating the basic privacy register, most companies can use risk analysis to safely limit the scope of data mapping. They can then use data-discovery tooling to detect further structured and unstructured data as needed.

Step by step

Each company should start from its general data strategy, as informed by its business strategy and risk appetite. GDPR focuses on results, not on specific processes, and doesn’t favor specific technologies. As such, companies can develop the approach that works best with their commercial ambitions. With all the effort that implementing GDPR is likely to involve, companies should take the opportunity to examine and adjust all their data-related processes from the ground up, for maximum business advantage.

With its commercial and privacy goals aligned, the company can then calibrate its information systems for the appropriate outputs – aiming to safeguard privacy while supporting the business objectives. From there, the functions and business units can work together to develop the comprehensive framework for achieving compliance (see Figure 2).

With this framework as a foundation, the next step is data mapping. Companies can draw on tools that monitor what happens to a sample of actual personal data. The resulting flow diagrams can guide practical work in the trenches to achieve compliance with GDPR. They can also point to problematic vendor relationships, and identify where data might leak outside. This tracking is not only an essential foundation for improvement; it will also help to meet the GDPR requirement that organizations demonstrate insight into their data flows.

Figure 2: GDPR key changes

Success factors

The organization is now ready to overhaul its processes to achieve compliance. In our work with companies, we’ve discovered several common challenges that need to be addressed early.

How ready are you?

GDPR is the most far-reaching regulatory change to hit financial services since the aftermath of the Great Recession. It encourages companies to move aggressively to redesign their approach to data. They can overhaul outdated legacy systems while reducing the risk of fines and remediation. Bold action in this arena will help win customers’ trust in the future financial marketplace – and generate enormous future value for everyone.

* One Year Out: Views on GDPR, published by Varonis, 2017, https://info.varonis.com/hubfs/docs/2017-GDPR-survey-results.pdf. The research involved interviewing a sample of 500 IT and risk professionals in the UK, France, Germany and the US, between 17 April and 9 May 2017.