How to prepare for Europe's new privacy regulation GDPR

26 October 2017 Consultancy.uk

In May 2018, one of the largest changes to privacy legislation in Europe’s history will come into effect. The new General Data Protection Regulation (GDPR) aims at improving the data privacy of consumers, while making organisations more effective and careful in the way they process, analyse and store data. Paul Nielsen, a consultant at FiSer Consulting, sheds light on GDPR’s workings, its impact on organisations and what they can do to prepare their operations.

The General Data Protection Regulation (GDPR) is a significant development in Europe, and one which has been overdue for many years: the legislation finally takes into account situations such as data stored in the cloud, social media and the current scale of processing outside the data subject's home country. These did not previously come under legal consideration, but with the advances in modern technology they are now fundamental sources of data. GDPR was essentially created to unify the principles of data privacy within Europe. Data protection law used to be set by each individual EU country, leading to remarkable differences, but this new law will apply equally in every EU Member State.

In terms of its scope, a factor of key importance is that what counts is the location of the data subject, not where their data is processed. This has significant implications for all industries and organisations regardless of size. Data is now viewed as a form of currency in many areas, but with that comes an enhanced security responsibility toward the individuals it describes, so maintaining good data governance by implementing the right controls and security levels is critical. And for the first time, data processors will be placed under a direct obligation to comply with certain data protection requirements which previously applied only to data controllers.


So with all this attention, and for good reason (the fines for not complying are punitive and the reputational damage is incalculable), organisations need to recognise that meeting the deadline of 25 May 2018 is a bigger job than one might think. A structured approach could include the following:

  • Perform an impact/risk assessment.
  • Launch a user awareness programme and start rolling out training. An example is making people aware of how they should take notes and record information about their customers, prospects and employees. It may seem basic, but this data could easily be subject to a data access request.
  • Appoint a Data Protection Officer; we recommend a third party to ensure independence. This person is going to be incredibly busy with a range of duties not limited to monitoring compliance.
  • Analyse existing consent procedures and determine their adequacy.
  • Document all third party processing contracts. Confirm that new GDPR requirements will be included.
  • Document all IT and administration processes.
  • Design and document processes which relate to data breaches.
  • Update and publish information regarding Security Policies.
  • Produce processing records.
  • Update privacy notices.
  • Ensure compliance is met.

Such actions can run independently or in parallel, but with so much at stake it is key that the correct management and governance is in place. Organisations also need to understand how to respond to the new requirements.

Looking at the key considerations that affect the IT privacy aspect of this regulation, it is quite clear that there is plenty to be considered and that this is now a key focus for all organisations. There is also a glut of articles and news items implying that this is on the same scale as Y2K, but my opinion is that adequate planning in this area will alleviate those fears and concerns. Admittedly, where European organisations have faced fines from their national regulator, such fines have been proverbial slaps on the wrist, versus the maximum of €20 million or 4% of global annual turnover, whichever is higher, which will now be in place. That is enough to grab anyone's attention, but the onus is on senior executives to prioritise. Directors, non-executive directors and trustees all have a strategic and operational responsibility to mitigate the risks. Failure to comply could have major consequences, which could even prematurely end their high-flying careers.

The right to be forgotten

In light of these risks, two key considerations have caught my attention. The first relates to “the right to be forgotten”. Not only will organisations need to honour such a request, they will also need to erase the data without undue delay. Data controllers are therefore required to inform their data processors of any erasure request and to take reasonable steps to tell other controllers with whom the data has been shared.

One thing to consider is the interconnectivity of an organisation's current IT systems. Large corporations in particular are highly likely not only to have a multitude of internal legacy systems, but also to share data with external systems for operations, sales, marketing and other functions. Organisations should ask themselves whether their data models and current processes enable all the data about an individual to be retrieved and then erased. When considering the answer, do companies have confidence in the ability of their suppliers and third-party vendors to immediately action such a request to erase data?

The right to be forgotten and Profiling are key aspects of compliance

There is a myriad of details to be worked out here. If an individual has also asked to be suppressed from marketing, is it reasonable to keep sufficient data to still enforce that request? The benchmark will be higher than just having a data retention policy and answering Subject Access Requests. A test run of how to execute an individual's request to erase personal data across the whole data landscape is also important.
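The two engineering questions raised above, whether every copy of a person's data can be located and erased across several systems, and whether a marketing suppression can survive that erasure, are illustrated in the added example below. It is not code from the article or from FiSer Consulting; the store names, the customer records and the HMAC key are constructed for the example. The pattern it shows is to erase the personal data from every store, record which stores held it for the audit trail, and keep only a keyed hash (HMAC) of the normalised e-mail address in a suppression list, so a future marketing upload can still be screened without retaining the address itself.

```python
"""Erasure request executed across several data stores, with a keyed hash
kept afterwards so a marketing opt-out still holds once the data is gone.

Added illustration only; not code from the article or FiSer Consulting.
The store names, the subject record and the HMAC key are constructed for
the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Secret keying the suppression hash (constructed for the example; in real
# use it lives in a secrets manager, not in source). Keying the hash stops
# anyone with the list from rebuilding addresses by hashing guesses.
SUPPRESSION_KEY = b"example-only-suppression-key"


def suppression_token(email: str) -> str:
    """HMAC-SHA256 of the normalised address. Normalising first means
    'Ann@Example.com ' and 'ann@example.com' produce the same token."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(SUPPRESSION_KEY, normalised, hashlib.sha256).hexdigest()


@dataclass
class Store:
    """One system holding personal data, keyed by the customer's e-mail."""
    name: str
    records: Dict[str, dict] = field(default_factory=dict)

    def find(self, email: str) -> bool:
        return email in self.records

    def erase(self, email: str) -> None:
        del self.records[email]


@dataclass
class ErasureResult:
    erased_from: List[str]      # stores that held the subject (audit trail)
    not_found_in: List[str]     # stores searched with no hit
    suppression_token: str      # what is retained after erasure


def erase_subject(email: str, stores: List[Store], suppression: Set[str]) -> ErasureResult:
    """Locate the subject in every store, erase each copy, then add the
    keyed hash to the suppression list so the opt-out outlives the data."""
    erased, missing = [], []
    for store in stores:
        if store.find(email):
            store.erase(email)
            erased.append(store.name)
        else:
            missing.append(store.name)
    token = suppression_token(email)
    suppression.add(token)
    return ErasureResult(erased, missing, token)


def is_suppressed(email: str, suppression: Set[str]) -> bool:
    """Screen an address (e.g. from a newly purchased marketing list)."""
    return suppression_token(email) in suppression


def demo() -> ErasureResult:
    # Constructed sample landscape: three systems, one subject in two of them.
    stores = [
        Store("crm", {"ann@example.com": {"name": "Ann"}}),
        Store("billing", {"ann@example.com": {"invoices": 3}}),
        Store("marketing", {"bob@example.com": {"segment": "B"}}),
    ]
    suppression: Set[str] = set()
    result = erase_subject("ann@example.com", stores, suppression)
    # The data is gone from every store, yet the opt-out is still enforceable.
    assert not any(s.find("ann@example.com") for s in stores)
    assert is_suppressed("Ann@Example.com ", suppression)
    assert not is_suppressed("bob@example.com", suppression)
    return result


if __name__ == "__main__":
    r = demo()
    print("erased from:", r.erased_from, "not found in:", r.not_found_in)
```

Whether a keyed hash of an identifier may be retained after an erasure request is a legal judgement for the organisation's DPO, not something the code settles; the example only shows that the engineering choice exists and that it depends on the erasure run reaching every store, which is exactly what the test run recommended above should prove.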

Individuals will also have the right to data portability: to leave an organisation and take their data with them. How can organisations provide customers with all the data they need to easily change provider? If this is to be enforced as a requirement, how can firms get it right? It is time to plan ahead for this eventuality.

Profiling

The second consideration is around the term “profiling”. This refers to the use of personal data to analyse or predict a person's performance, behaviour, situation, location, interests or movements, and it comes with the right for people to decide not to have their data used for this purpose. Most direct marketing companies use predictive models to target customer interactions.

What is clear is that people, i.e. data subjects, will have the right to object to profiling, and that where profiling is used for direct marketing it must stop once they do. Organisations must be sure they have data models or structures that capture a person's permission at a granular level: not just permission for marketing, but a separate permission for profiling.

Furthermore, it will in future be important to have analytics and modelling processes that allow models to be rebuilt when customers withdraw permission for data that was previously included in modelling datasets. This is certainly not straightforward, and a practical solution will need to be found.
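The granular-permission and model-rebuild points in the two paragraphs above are illustrated by the following added example, which is not code from the article or from FiSer Consulting. It assumes a simple event log of consent given and withdrawn per purpose (the purposes, subjects and dates are constructed for the example). Permission is evaluated point-in-time, absence of any event means no consent, and the modelling dataset is derived from the current consent state, so withdrawing profiling consent drops the subject from the next rebuild while leaving their marketing consent untouched.

```python
"""Purpose-level consent with withdrawal, and a modelling dataset filtered
from the current consent state so a model can be rebuilt after objections.

Added illustration only; not code from the article or FiSer Consulting.
Purposes, subjects and timestamps are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

MARKETING = "marketing"
PROFILING = "profiling"


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool          # True = consent given, False = withdrawn / objection
    at: datetime


@dataclass
class SubjectConsent:
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, purpose: str, granted: bool, at: datetime) -> None:
        self.events.append(ConsentEvent(purpose, granted, at))

    def permits(self, purpose: str, at: datetime) -> bool:
        """The most recent event for this purpose at or before `at` decides.
        No event at all means no consent: permission is opt-in, never assumed,
        and consent for one purpose says nothing about another."""
        relevant = [e for e in self.events if e.purpose == purpose and e.at <= at]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted


def build_modelling_dataset(rows: List[dict], consents: Dict[str, SubjectConsent],
                            at: datetime) -> List[dict]:
    """Keep only rows whose subject permits PROFILING at time `at`.
    Marketing consent alone is deliberately not sufficient."""
    return [r for r in rows
            if r["subject_id"] in consents
            and consents[r["subject_id"]].permits(PROFILING, at)]


def demo() -> dict:
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)   # consents captured
    t1 = datetime(2018, 6, 1, tzinfo=timezone.utc)    # Ann objects to profiling
    t2 = datetime(2018, 7, 1, tzinfo=timezone.utc)    # next model rebuild

    ann = SubjectConsent("ann")
    ann.record(MARKETING, True, t0)
    ann.record(PROFILING, True, t0)
    ann.record(PROFILING, False, t1)   # objection: profiling off, marketing kept

    bob = SubjectConsent("bob")
    bob.record(MARKETING, True, t0)    # marketing only; never agreed to profiling

    cara = SubjectConsent("cara")
    cara.record(PROFILING, True, t0)

    consents = {c.subject_id: c for c in (ann, bob, cara)}
    # Constructed feature rows as they might sit in a modelling table.
    rows = [{"subject_id": s, "spend": v} for s, v in (("ann", 10), ("bob", 20), ("cara", 30))]

    return {
        "before_withdrawal": [r["subject_id"] for r in build_modelling_dataset(rows, consents, t0)],
        "after_withdrawal": [r["subject_id"] for r in build_modelling_dataset(rows, consents, t2)],
        "ann_marketing_now": ann.permits(MARKETING, t2),
        "ann_profiling_now": ann.permits(PROFILING, t2),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Keeping consent as an append-only event log rather than a single flag is what makes the rebuild question answerable: the training set for any model version can be regenerated from the consent state at that version's build time, and an objection received later is honoured simply by rebuilding from the current state.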

The challenges lie in the detail, and implementing them may seem onerous, but at the end of the day the key GDPR objectives of i) increasing the rights of individuals, ii) strengthening the obligations of companies and iii) increasing sanctions for non-compliance will no doubt bear fruit.


An 8-step framework for banks to prepare for FRTB changes

02 April 2019 Consultancy.uk

With FRTB expected to come into force in 2022, it is critical that banks implementing necessary changes remain on track for their compliance timelines. Whether a company is aiming for the mandatory Standardised Approach (SA) or the voluntary Internal Models Approach (IMA), the programs often represent a significant investment, requiring process, systems and cultural change. 

Drawing from its experience in helping banks meet the milestone set in their compliance timelines, Capco – a management and technology consultancy for the financial services industry – has developed an eight-point prioritisation framework for FRTB preparation and implementation. Natasha Leigh Giles, a Managing Principal at the consultancy, outlines the main dimensions of the framework: 

Prioritisation framework for FRTB

1. Front office operating model

For those who have already implemented the Volcker rule, the desks are well defined with monitoring and governance frameworks. However, for companies that have not been required to adhere to the U.S. regulation, there may be additional work involved in implementing desk-level controls as required under FRTB. The trading desk structure is especially important for banks planning to implement IMA, as this regime is applied at the desk level and requires that the full flow of the selected desk is able to pass the IMA requirements (including the modellability test for the risk factors). Key business decisions may be required if a desk trades complex products that are better suited to SA treatment.

2. Product scope

In order to reach the IMA status, products are required to be supported with additional data sets including historical market and reference data as well as risk factor pricing evidence. The opportunity for 2019 lies in refining the assessment on the feasibility of each product type to ensure a clear scope is agreed for the IMA environment. If the challenges are too complex or costly to overcome, such as access to historical market data, availability of price verification for the risk factors or significant enhancements to support computational capacities, then these products should be scoped out of the IMA program as soon as possible in order to save time and effort on continuing analysis. 

3. Client & trading activities

There is no need to wait until the FRTB implementation timeframe to undertake a holistic review of client and trading profitability – including the capital impacts. For example, running training and awareness campaigns within the front office can help the traders to understand the impacts of their activities and encourage changes in the way that they trade. By considering this holistically as a business and operational change, it can help keep the focus and resources on the primary (profitable) business in preparation for the compliance deadline. 

4. Internal controls

Methodology, reporting, auditability, and process governance for internal controls also need to be monitored in detail. We recommend having clearly defined processes accompanied by effective training across front-to-back office. For some banks, it will be beneficial to audit existing capital adequacy processes to ensure that findings are highlighted in advance of the implementation timeline and the appropriate focus is achieved within senior management.

5. Data & metrics

Financial institutions need to consider their overarching governance and ongoing management for the data (including ownership, quality control, golden source storage solutions, etc.) and the ongoing control framework for ensuring the data remains accurate and relevant for capital adequacy modeling. If there has not been a data lineage exercise already applied, this is a great opportunity to deliver business benefit, even in 2019. By creating agreed definitions, preferred sources, ownership and workflows for managing data quality, the benefits of more accurate data can already be applied to existing capital calculation models. 

Framework for FRTB

6. Model management & validation framework

In preparation for the FRTB regime, an opportunity for 2019 is to understand if there are gaps or control concerns to manage immediately. Model enhancements across SA and IMA will need to be productionised for output accuracy and refinement; however, these need to be maintained alongside existing Basel 2.5 BAU models and other concurrent changes, e.g. the LIBOR transition. Business process optimisation, testing environments and automation tools, documentation and model validation can all be reviewed for immediate benefits and to prepare the process for a smooth implementation of the future FRTB models.

7. Technology platform & testing environments

With regard to technology planning, the opportunity in 2019 is to gain agreement on the front-to-back FRTB future-state architecture, including the use of vendors where applicable. A disciplined focus on design and solution definition across all requirements provides a clear baseline for implementation planning and scheduling. Establishing a technology architecture which allows for FRTB data feeds, model enhancements, control definitions and accurate capital calculation outputs will give the programme the essential data and metrics needed for decision making.

8. Leveraging synergies

Once a baseline plan has been established, it is possible to identify synergies across other programs – such as the SA-CCR (Standardized Approach for Counterparty Credit Risk) or the IMM (Internal Models Methodology) – that could deliver overlapping benefits at reduced effort. Understanding requirements, defining the future state architecture, and implementing the change in a complex environment requires a mix of strategic principles and program management. Therefore, we consider it an opportunity for 2019 to take a centralized approach for data lineage and requirements gathering as this would be beneficial for optimizing capital costs across both the market and credit risk environment.

Conclusion

By considering each topic strategically in 2019, benefits such as data quality enhancements, strengthened internal controls and flexible test environments will not only bring immediate business value, but also set a solid foundation for a comprehensive FRTB implementation in the years to come. 

For more information on Capco’s model and its approach to helping banks plan for FRTB, download the full whitepaper on the firm’s website.