In May 2018, the EU’s new General Data Protection Regulation (GDPR) will usher in unprecedented levels of data protection for EU residents.
Backed by fines of up to €20 million or 4% of global revenue, whichever is higher, the GDPR gives individuals new, expanded rights over their personal data and heightens the responsibilities and liabilities of controllers and processors, regardless of their geographic location.
It is important to understand certain terms as they are defined within the GDPR:
- Controller: a body (alone or jointly with others) that determines the purposes and means of the processing of personal data
- Processor: a body that processes personal data on behalf of the controller; processing activity can include collecting, organizing, storing, disclosing, using, etc.
- Personal data: any information (single or multiple data points) relating to an identified or identifiable natural person such as name, employee identification number or location data
The GDPR imposes new obligations on both controllers and processors of personal data, emphasizing accountability and requiring greater documentation and records. The key highlights include:
- Organizations will have only 72 hours from becoming aware of a personal data breach to notify the supervisory authority.
- Privacy-by-design principles must be incorporated into the development of new processes and technologies.
- Where consent is the lawful basis for processing, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action; explicit consent is required for special categories of data.
- Many organizations, including those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, will need to designate a Data Protection Officer.
- Organizations will have to maintain records of processing activities.
- Organizations will need to scale security measures based on privacy risks.
- International transfers are subject to specific requirements and mechanisms.
- Organizations with establishments in several member states will deal with a single lead supervisory authority (the "one-stop shop").
- Organizations will have to facilitate customers’ and employees’ right to erasure of data, right to portability, and an increased right of access.
Applicability of the GDPR
Many non-EU financial services firms have concluded that the GDPR does not apply to them, often with only a limited understanding of how the regulation actually works. Figure 1 outlines three distinct questions that can be used to assess applicability.
Figure 1 – Three key questions to assess applicability
The third question captures a broader range of activities than many firms think. Consider centralized functions that conduct surveillance, such as for fraud, anti-money laundering, sanctions or cyber threats. To the extent those functions monitor or use data relating to individuals in the EU, a firm may be subject to the GDPR requirements even if it has no EU establishment.
Main GDPR concepts and requirements
The GDPR enhances the data protection rights of EU data subjects. In general, firms will need to provide easier access to personal data, with clear and understandable information on its processing, use and storage. Major requirements and concepts include:
- Data protection impact assessment: This assessment, required for high risk personal data processing activities, can help organizations identify risks and define mitigating actions.
- Data privacy accountabilities: The GDPR makes the controller responsible for compliance with the law's data protection principles and requires it to be able to demonstrate that compliance.
- Condition for processing: The processing of personal data must rely on a lawful basis as outlined in the GDPR.
- Data protection officer: Firms whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of personal data, must appoint a qualified DPO.
- Privacy by design (PbD): Organizations are required to establish privacy controls from the outset of product or process development.
- Right to erasure: An individual can request the deletion or removal of personal data when there is no lawful reason for its continued processing.
- Consent: Consent must be freely given, specific, informed and unambiguous, indicating by a clear affirmative action the individual's agreement to the processing of personal data; for special categories of data it must be explicit.
- Data breach notification: Organizations must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
- Data portability: This allows individuals to move, copy or transfer personal data easily from one organization to another in a secure way for their own purposes.
Which parts of an organization will be most affected?
The GDPR will have a significant impact across a firm’s three lines of defense:
- First line of defense: This encompasses business lines, day-to-day operations, technology groups, customer relationship management, marketing and human resources. It involves issues such as client segmentation, protection of employee data and how data is gathered, processed, stored and transferred.
- Second line of defense: This encompasses third-party risk management, monitoring, compliance and risk management. It involves issues such as web traffic, alignment with legal requirements and privacy risk reporting.
- Third line of defense: Internal audit is responsible for reviews of access processes and procedures, compliance monitoring and validation of the privacy framework.
Figure 2 – Three lines of defense
In enacting the GDPR, the EU gave companies two years to prepare to comply, which at the time was viewed as sufficient. With limited time remaining, many financial services firms still have a long way to go to determine whether the regulation applies to them and, if so, to make all of the necessary changes before the 25 May 2018 implementation date.
Building an approach that is sustainable beyond that date is even more challenging. Firms need to take the following steps:
- Educate key stakeholders, including the board of directors
- Assess whether the GDPR applies to their organization
- Establish a cross-functional and cross-business governance structure
- Conduct a privacy impact assessment
- Conduct a GDPR gap assessment
- Design and execute a prioritized implementation plan
The days of organizations leaving the responsibility for privacy protection to someone else are about to end. Firms cannot afford to be complacent, irrespective of location or current privacy maturity level. The clock is ticking.
How EY can help
Implementing the GDPR should be viewed as an integrated exercise set within each firm's overall privacy risk management framework. The GDPR touches all aspects of an organization, reaching across people, processes and technology. Establishing a cross-functional team that supports the transformation of the company is therefore a critical step for a successful implementation.
EY has developed a proprietary framework (see Figure 3), which links risk management, compliance, privacy and governance with key privacy domains and allows our teams to set each firm's privacy strategy within the context of its overall business and information technology strategy.
This article was initially published on the Alwin Club based on the work of: