The EU's General Data Protection Regulation (GDPR) has seen data protection driven up on the agenda at banks and insurance providers. Data privacy regulation has moved from a reactive to a proactive emphasis. “Businesses are now scrambling to put in processes and technology so they can care for any personal identifiable information appropriately, and be seen as taking data security seriously or risk punitive punishment. The impacts of GDPR are felt not only by banks and other financial services companies, but also by the broader ecosystem that encompasses third-party vendors and partners who will also feel the impact of the regulation.
With the financial services ecosystem arguably one of the most intricate networks of partners and third parties reliant on each other to consummate financial transactions, vast amounts of data are generated and moved around at the speed of light. Practical implementation of the GDPR then, in the context of this inarguably complex financial services ecosystem, becomes an enormous challenge.
GDPR will be transformative in that it puts the customers back at the center and in control, but the downside for companies is that they have to be able to find the right data, ensure it is accurate, portable or even be able to delete it, all while meeting regulatory requirements. While the technical challenge is significant, a bigger challenge is understanding the businesses and processes and how people interact with information.
*Note: GDPR requires Privacy by Design compliance. Even if the GDPR jurisdiction does not extend to your organization (e.g., because it may not have EU customers, partners or employees), nonetheless it is now considered worldwide best practice, and a robust Privacy by Design program will ensure compliance with numerous other regulatory compliance standards.
The EU’s General Data Protection Regulation (GDPR) will enter into force on May 25, 2018. It is intended to create a single law on data protection across the EU, and will have significant impact on businesses in Europe and, importantly, also on businesses outside of Europe, such as in the US, that have data on Europeans, whether customers, business partners or employees.
Although the GDPR’s requirements for data protection are in line with most regulations in the U.S., the GDPR is more extensive than U.S. requirements. The GDPR will be a game changer in how businesses use data given the very significant fines being introduced by the GDPR for non-compliance -- up to 4% of annual worldwide turnover for a corporate group.
One of the most challenging requirements of the GDPR is its requirement that organizations fully implement Privacy by Design (also known as privacy by default) principles. Thus, IT professionals have a crucial role to play in any GDPR compliance project. IT professionals will also need to be heavily involved in devising or sourcing technical solutions to the Privacy by Design challenges.
Practical Steps for IT Compliance with GDPR
The following highlights key IT-driven practical steps organizations must take in order to comply with the GDPR by May 2018. (It is important to note that there is NO grace period with the GDPR so businesses need to be fully compliant with the GDPR by May 25, 2018.)
Data Mapping Requirements
It is a legal requirement under the GDPR to maintain a record of data processing activities by creating a data map or data flow analysis. Data mapping is also an essential practical step which helps to identify gaps in current compliance. Whoever is running your organization’s GDPR project will need to schedule calls with IT, provide questionnaires or use data mapping software. Input from IT professionals regarding security and ongoing maintenance measures, data storage and vendors which process personal data will be central to the creation of a data map.
Organizations must review their IT systems and procedures to ensure that GDPR requirements for privacy by design and by default are met as well as data minimization requirements. Under GDPR, Privacy Impact Assessments (PIAs) must be completed where using new technologies and the data processing is likely to result in a high risk to individuals (e.g., employee monitoring). (In fact, recent guidance has recommended that PIAs should be conducted now for current activities even though the GDPR does not become law until May 2018.)
One of the key impacts of the GDPR for IT professionals will be the obligation to report personal data breaches without undue delay, and where feasible within 72 hours. Where the breach is likely to result in a high risk to affected individuals they must also be notified without undue delay. Importantly, controllers and processors must also implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data. To comply with this challenging requirement, it is essential to develop or amend existing Incident Response Plans to detect and report breaches effectively and to carry out table top exercises to test the plan. Regular security audits are also important in order to prevent breaches.
Under the GDPR, contracts with data processors (e.g., vendors) processing EU personal data must contain specific data processing terms. These new provisions need to be inserted not only into new vendor contracts but also existing vendor contracts before May 2018. Where an organization already has a vendor management and due diligence program in place, this should be updated to reflect the new requirements under the GDPR.
International data transfers
Similar to existing EU data protection laws, the GDPR restricts transfers of personal data to countries outside the European Economic Area (EEA) that are deemed by the EU to not provide an adequate level of protection, such as the US. There are a number of international transfers such as: (i) EU Standard Contractual Clauses, (ii) the EU-US Privacy Shield, and (iii) Binding Corporate Rules. IT professionals should ensure that all transfers of personal data (i.e., employee, customer, partner) outside the EEA of which they are aware are reflected in their organization’s data map and that an appropriate transfer solution to allow for the transfer of personal data from the EU is in place.