Six key aspects executives should consider for GDPR compliance

13 September 2017 Consultancy.uk

In May 2018 the General Data Protection Regulation (GDPR) will come into effect. Preparations for the new privacy regulation are well underway. Yet organisations across the board are concerned about the impact and about their progress as they grasp the magnitude of the change required and the bearing it will have on the personal data landscape. In a bid to help executives understand the impact of GDPR, as well as to support preparatory work, consulting firm Sia Partners has drafted six key aspects that executives should be aware of when striving for GDPR compliance.

Data portability is the key aspect of the GDPR

The requirement for data portability sets out the right of data subjects to request that their data be made available in a machine-readable format – a format that can easily be processed by a computer. They may even request that such data be sent directly to another organisation, which may include direct competitors. In effect, this is the data equivalent of moving your mobile phone number from one network to another, or moving your bank account number from one bank to another. This will have two significant impacts. The first is that firms will need the technological capability to make all ‘Personally Identifiable Information’ (PII) available in machine-readable format and to delete it from all their systems ‘without undue delay’. With PII often proliferating across many systems within an organisation, including many legacy ones, this is a significant challenge for most firms.

The second is that data portability will create new business models. Firms will be able to steal a march on their competitors in their target markets if they are among the first to make ‘data portability’ capability available to potential customers, with GDPR making it easier for consumers to switch from the others. We are likely to see firms, particularly banks, spreading themselves into new markets (e.g. utilities). Imagine your bank being able to request your details from your service providers (energy, water, internet, etc.) – which it can glean from your direct debits – and compare those to your neighbours’ to tell you whether you might benefit from switching to another provider or moving to a better package or deal. It is likely that banks will see this as an opportunity to become data hubs – custodians not only of your money but of your data too. Additionally, we would expect firms to step up their communications, customer care and marketing efforts, as the lowering of the switching cost should drive firms to give their customers less incentive to switch and to pursue competitors’ customers more aggressively.


The biggest change needed within organisations is in the culture.

GDPR aims to make firms more liable for the risk associated with holding PII. Firms will need to adapt their mentality and culture around how and why personal data is used and maintained within their departments. Currently, there is still a pervading mentality to collect as much information as possible, even if it is not directly required. For example, is a date of birth needed when getting a new fibre-optic internet connection installed? Firms then often treat this data as ‘their data’. Under the GDPR it will clearly become ‘the data subject’s data’. This is a big change. Firms will now be required to demonstrate that business processes that touch PII are designed to use the smallest amount of data for the shortest possible period of time, and not to expose it to employees who don’t need to see it – both at the organisational and at the system level. Without changing the fundamental culture around personal data management, we believe firms won’t be fully able to ensure the rules are followed consistently. And if they are not, it is only a matter of time before the firm is in breach, with a potential fine as the likely consequence.

UK firms will need to implement the GDPR – despite Brexit

This year’s Queen’s Speech already referred to the Data Processing Bill, which will ensure the UK is compliant whilst it remains a member of the EU (keeping in mind that GDPR comes into force before the Brexit date) as well as ensuring that it will still have similar standards after leaving the EU. The Bill will replace the existing Data Protection Act 1998. Additionally, GDPR itself will always apply as long as firms, even when located outside the EU, handle the data of people in the EU – and that includes many, if not most, UK firms.

The fines are big but the reputational risk is bigger

While the potential fine of 4% of revenues under the GDPR has grabbed most headlines, far greater damage can occur through the breach disclosure requirements. These state that the firm is obliged to report to the regulator and, in most instances, to the data subject(s) within 72 hours any data breach that affected their data, and what data was affected. With social media at everyone’s fingertips, it is likely that data breaches will quickly find their way into the public domain and be shared widely. To date there have been plenty of data breaches that would have qualified for disclosure under the GDPR. In 2017 alone, Wonga, Three, Sports Direct and Zomato all encountered data breaches that they didn’t initially disclose.

It is likely that more organisations have experienced breaches but have been reticent to disclose them altogether for fear of the reputational risk. With an increase in breach disclosures likely from H2 2018 onwards, and the greater attention they will receive from social media as well as the mainstream media due to the GDPR introduction, we believe that reputational risk should become a key consideration for firms post implementation.


Having a defined communication strategy will be important

If breaches are not managed properly from a communications point of view, this can expose the firm further in the event of a breach. Imagine a scenario where hackers intentionally target a firm and make the breach public, or where a disgruntled customer, having been informed about the breach by the firm, vents their anger on social media. The firm will have no choice but to confirm and handle the situation, making it vital that it has a clear communication strategy. Cases where firms have bungled their social media responses and suffered a public backlash abound, with American Airlines top of mind.

The GDPR introduction will likely lead to a wave of fraudulent data requests from imposters

We think that in the early days after 25 May 2018, imposters will try to fraudulently request individuals’ data from firms. GDPR gives data subjects the right to make such requests, but without proper identity checks this right can easily be abused. A request fulfilled for the wrong person could then itself constitute a breach and expose the firm and the data subject to further problems and disclosures. Firms should make sure they implement appropriate measures to avoid such a fate, including the ability to handle the volume of data requests within the required GDPR timeframe (one month) while still performing ID checks to the required level.


An 8-step framework for banks to prepare for FRTB changes

02 April 2019 Consultancy.uk

With FRTB expected to come into force in 2022, it is critical that banks implementing the necessary changes remain on track for their compliance timelines. Whether a bank is aiming for the mandatory Standardised Approach (SA) or the voluntary Internal Models Approach (IMA), the programmes often represent a significant investment, requiring process, systems and cultural change.

Drawing on its experience in helping banks meet the milestones set in their compliance timelines, Capco – a management and technology consultancy for the financial services industry – has developed an eight-point prioritisation framework for FRTB preparation and implementation. Natasha Leigh Giles, a Managing Principal at the consultancy, outlines the main dimensions of the framework:

1. Front office operating model

For those who have already implemented the Volcker rule, the desks are well defined with monitoring and governance frameworks. However, for banks that have not been required to adhere to the U.S. regulation, there may be additional work involved in implementing desk-level controls as required under FRTB. The trading desk structure is especially important for banks planning to implement IMA, as this regime is applied at the desk level and requires that the full flow of the selected desk is able to pass the IMA requirements (including the modellability test for the risk factors). Key business decisions may be required if a desk trades complex products that are better aligned with SA treatment.

2. Product scope

In order to reach IMA status, products are required to be supported with additional data sets, including historical market and reference data as well as risk factor pricing evidence. The opportunity for 2019 lies in refining the assessment of the feasibility of each product type to ensure a clear scope is agreed for the IMA environment. If the challenges are too complex or costly to overcome – such as access to historical market data, availability of price verification for the risk factors, or significant enhancements to support computational capacity – then these products should be scoped out of the IMA programme as soon as possible in order to save time and effort on continuing analysis.

3. Client & trading activities

There is no need to wait until the FRTB implementation timeframe to undertake a holistic review of client and trading profitability, including the capital impacts. For example, running training and awareness campaigns within the front office can help traders understand the impacts of their activities and encourage changes in the way that they trade. Treating this holistically as a business and operational change helps keep the focus and resources on the primary (profitable) business in preparation for the compliance deadline.

4. Internal controls

Methodology, reporting, auditability and process governance for internal controls also need to be monitored in detail. We recommend having clearly defined processes accompanied by effective training across the front-to-back office. For some banks, it will be beneficial to audit existing capital adequacy processes to ensure that findings are highlighted in advance of the implementation timeline and that the appropriate focus is achieved within senior management.

5. Data & metrics

Financial institutions need to consider their overarching governance and ongoing management of the data (including ownership, quality control, golden-source storage solutions, etc.) and the ongoing control framework for ensuring the data remains accurate and relevant for capital adequacy modelling. If a data lineage exercise has not already been carried out, this is a great opportunity to deliver business benefit, even in 2019. By creating agreed definitions, preferred sources, ownership and workflows for managing data quality, the benefits of more accurate data can already be applied to existing capital calculation models.

6. Model management & validation framework

In preparation for the FRTB regime, an opportunity for 2019 is to understand whether there are gaps or control concerns to manage immediately. Model enhancements across SA and IMA will need to be productionised for output accuracy and refinement; however, these need to be maintained alongside existing Basel 2.5 BAU models and other concurrent changes, e.g. the LIBOR transition. Business process optimisation, testing environments and automation tools, documentation and model validation can all be reviewed for immediate benefits and to prepare the process for a smooth implementation of the future FRTB models.

7. Technology platform & testing environments

With regard to technology planning, the opportunity in 2019 is to focus on gaining agreement on the front-to-back FRTB future-state architecture, including the use of vendors as applicable. A disciplined focus on design and solution definition across all requirements provides a clear baseline for implementation planning and scheduling. Establishing a technology architecture that allows for FRTB data feeds, model enhancements, control definitions and accurate capital calculation outputs will provide the programme with the essential data and metrics needed for decision making.

8. Leveraging synergies

Once a baseline plan has been established, it is possible to identify synergies with other programmes – such as SA-CCR (Standardised Approach for Counterparty Credit Risk) or IMM (Internal Models Methodology) – that could deliver overlapping benefits at reduced effort. Understanding requirements, defining the future-state architecture and implementing the change in a complex environment requires a mix of strategic principles and programme management. Therefore, we consider it an opportunity for 2019 to take a centralised approach to data lineage and requirements gathering, as this would be beneficial for optimising capital costs across both the market and credit risk environments.

Conclusion

By considering each topic strategically in 2019, benefits such as data quality enhancements, strengthened internal controls and flexible test environments will not only bring immediate business value but also set a solid foundation for a comprehensive FRTB implementation in the years to come.

For more information on Capco’s model and its approach to helping banks plan for FRTB, download the full whitepaper on the firm’s website.