Introduction
Over 90% of the data in the world today has been created in the last two years alone. Approximately 2.5 quintillion bytes of data are created every day, and an increasing proportion of this is, or relates to, personal data.

Source: Science Daily

Concerns around the management and use of this data, especially an individual’s rights to data privacy and transparency, have led to governmental focus and legislation: GDPR is the European Union’s response.
Much has been shared recently in the media concerning the lack of preparedness across the European Union (EU), and indeed the world, for the introduction of GDPR.

This paper contains the thoughts of New Link Consulting regarding the enforcement of GDPR from the 25th of May 2018 and how organisations can prepare themselves.
What is GDPR?
The General Data Protection Regulation (GDPR) is the most significant development in the protection of personal data for the last 20 years.

GDPR replaces the Data Protection Directive, which is in place across all EU member states and, in the UK, takes the form of the Data Protection Act (1998). GDPR is prescriptive and intended to strengthen data protection for all individuals within the EU. It also addresses the export of personal data outside of the EU.
The primary objectives of GDPR are to give control back to residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The rules will apply to all companies globally that handle data for EU residents.

The European Commission has defined personal data as the following:
“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”.
Much of GDPR has evolved from the rapidly changing digital landscape where so much more personal data is now stored, managed and accessible online than 20 years ago, when the original Data Protection Directive was launched. Individuals can easily lose track of all the places where their personal data is stored. GDPR looks to help individuals understand who has their data and what it is being used for.

GDPR grants member states the opportunity to make provisions for how it applies within their country. These provisions in the United Kingdom are contained in the Data Protection Bill that was introduced to Parliament on the 13th September 2017. The Bill includes additional legal recourse for individuals where their data has not been treated appropriately. It is unlikely that Brexit will have a material impact on the implementation and operation of GDPR, especially in the short term, as the UK will still be an EU member state when GDPR becomes enforceable in May 2018.
What is changing?

GDPR is an extension of current regulation. It is a unifying regulation where previously EU member states implemented their own versions of the Data Protection Directive. From May 2018 EU member states’ interpretations will be much more closely aligned.
Penalties for non-compliance are increasing. Previously, under the Data Protection Act, an organisation in the UK could be fined a maximum of £500,000. Under GDPR an organisation can be fined up to €20m or 4% of global annual turnover, whichever is higher. GDPR has the potential to be a “business ending” issue.
The following are examples of the additional rights incorporated into the new regulation:
The right to erasure
Often this is referred to as the right to be forgotten. Whilst much of the regulation is aimed at bringing data protection up to date following the increase in social media and companies that may be profiling your every move, the right to be forgotten has real consequences for organisations that don’t have a robust understanding of where they store personal information.
The right to be informed
Individuals receive many requests for their personal information where one might wonder “what is it being used for?” The purpose of retaining such data should currently be included in the small print, but it can be difficult to find and unclear. This will no longer be allowed. Organisations will have to use plain and simple language to detail what they are using the data for. This is going to be a big challenge for companies, as they will need to catalogue all of the uses of that data in order to be transparent. Also, permission will need to be sought before using personal data in new ways.
The right to access
Under GDPR individuals will be able to approach any organisation and request that they disclose the data they hold about them and what it is being used for. This service must be provided for free unless the request is unfounded or excessive. The operational burden of handling such requests may be considerable.
The right to rectification
Individuals have the right to have their personal data corrected, if inaccurate, and for the correction to be passed on to any third parties their data has been shared with.
The right to restrict processing
An individual has the right to restrict the processing of their personal data. The data can be stored but not processed any further. Just enough information can be stored to ensure the restriction is respected in future. This right does not apply where the processing is in the public interest such as complying with other regulations.
The right to data portability
This right allows individuals to obtain and reuse their personal data for their own purposes. This means data will need to be provided in common formats rather than vendor-specific ones that would be useless to anyone outside the organisation. For example, many banks already provide transaction level data about accounts in open formats such as CSV files.
The right to object
Individuals have the right to object to the ways in which their data is being used, such as data profiling. An individual may not wish for their data to be used to identify ways in which they can be upsold or provided targeted marketing materials.
Rights in relation to automated decision making and profiling
Individuals have the right not to be subjected to automated decision making, unless automated decision making is essential to the performance of a contract entered into by the individual.
All organisations globally that hold personal data regarding any individual resident in the European Union will need to comply with the regulation.
Here are some examples of considerations that financial organisations need to make:
Legal certainty:
Interpretation and legal opinion may be needed to confirm how GDPR will interact with other financial regulations such as MiFID 2, CFT, KYC. This will be specific to the implementations that organisations have made to comply with the regulatory environment they operate in. If a customer requests that a bank delete their personal data it does not necessarily mean it must be deleted for all uses.

One of those uses may be to comply with regulations, such as Counter Terrorist Financing or MiFID 2 surveillance, and hence will need to be kept for some time. Requirements will need to be gathered around all intersections between regulations and implemented accordingly to meet compliance. This may also cover the defence against legal claims.
Vendor contracts:
Vendor contracts will need to be reviewed. GDPR extends the responsibilities of an organisation to 3rd party vendors where data is passed to them, meaning the uses of that data must be disclosed and any of the enhanced rights of GDPR will also apply. For example, if an individual requests that their details are deleted, this will also apply to 3rd parties.
Employee contracts:
Employee contracts must be compliant with GDPR. Financial organisations are most likely to be international and will need to ensure that those employees that are resident in the EU have a compliant contract.
Client experience:
Client outreach and repapering may be required once contracts, and the way consent for processing was obtained, have been reviewed. This may require entire client bases to be contacted, which may be an extensive and expensive undertaking.
Cross border considerations:
For financial organisations that operate globally, consideration will need to be given to the physical locations in which EU residents’ personal data is stored and processed. Where treaties exist to share data, such as with the US, individuals’ data can be shared, stored and processed. However, as with some emerging markets, treaties may not be in place and hence GDPR will place restrictions on data being transferred to those countries.
What does it mean for financial organisations?
Operating models:
GDPR is to be a cross divisional initiative to ensure that clients with products held across divisions can speak to a central contact for an organisation. Appropriate operating models will need to be in place to ensure the customer experience is seamless and data handoffs between entities, branches and affiliates are properly controlled.
Control frameworks:
Organisations will need to ensure robust 1st and 2nd line of defence processes and controls are in place to manage data collection, data input, data access, data storage and data retrieval. Policies and procedures may need to be redrafted across business lines.
Reporting and escalation:
Breach detection and reaction processes will need to be established so the organisation can respond in a timely fashion to data loss or data theft.
Request handling:
Depending on the level of GDPR related queries received, the operational burden of analysing and responding to GDPR requests may be significant.
Process re-engineering:
Change teams must be trained to consider privacy by design in all future system enhancements and business process changes. Processes may need to be enhanced to ensure they can cope with individuals’ data having been removed or expired, and with datasets that mix records subject to the regulation with those that are not.
Data models:
Banks are already under pressure to deliver against multiple regulatory programmes which are data heavy such as MiFID 2, Ring Fencing and BCBS239. GDPR may have an impact on the data models of these programmes and it should be integrated into these deliveries.
Data retention:
GDPR expects that data can no longer be kept ad infinitum. Data about individuals will have an expiry date at which point it should be removed. Financial organisations will need to complete a review of data on EU residents to understand when data was collected, whether it is still relevant, complete and correct, and whether it needs to be removed.
A modular approach to compliance
Gap analysis
  • This is the first step to understand how far from compliance the organisation is. This can be a technical, legal or operational gap analysis and will be tailored to the organisation.

  • Translation of legal interpretation and opinion into business requirements. This will include all of the relevant sections of the regulation appropriate to the organisation, including where GDPR conflicts with other regulations. What processes and functions in the organisation will need to change to support the regulation? For example, can a function still operate if a subset of personal data is removed?

  • Review of the structure of the organisation to confirm if a DPO (Data Protection Officer) is needed.

  • Agreements with 3rd Party vendors will need to be reviewed to confirm how they are using personal data from the organisation. They will also need to be integrated into operating models for maintaining or deleting an individual’s data. All rules that apply to an organisation also apply to the 3rd party vendors.

  • Operational review – Confirm the processes in place to deal with requests across divisions. Many operations elements will need to be considered.

  • Systems review – Mapping out, across all divisions within the organisation, where personal data exists and identifying the usage of that data.
Operating Model
  • A centralised response team across all appropriate divisions, with procedures in place in the event of a data breach to ensure that customers and the regulator are informed within 72 hours. By having procedures in place that are prepared for such an eventuality, the reputational damage caused by a breach can be somewhat mitigated. A function will also be required to rapidly investigate which individuals have been affected in order to formulate an appropriate response.

  • A centralised team should be in place to respond to customer queries. Individuals will be able to approach the organisation to request what data is held about them and what it is used for.

  • A process will be required to identify individuals’ data from the organisation and remove it for all applicable uses.

  • A response mechanism to respond to queries from regulators in line with data protection regulations. This will be important as you will need to demonstrate to the regulator how the organisation complies with GDPR.

  • Change teams across all divisions must ensure that privacy by design is considered in all architectural enhancements.
    • For dealing with requests about personal data
    • For dealing with breaches
    • For dealing with requests to remove personal data
    • Process flow for how personal data should be deleted:
      • How will other data be affected, and will systems still function if clients’ data is removed?
      • What processes rely on the data, and how will they handle its removal?
      • When deleting a customer from one process but not others, can your processes handle the segregation?

According to GDPR requirements, organisations must demonstrate that they have implemented appropriate measures to mitigate privacy risks. Even in the absence of a privacy breach or customer complaint, regulators may require firms to exhibit evidence of their compliance and risk management strategies, including a Privacy Impact Assessment (PIA) when appropriate.
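The legal certainty section and the deletion process flow above raise the same design question: an erasure request must remove an individual’s data for consent-based uses while records still required under other regulations (the paper names CFT and MiFID 2 surveillance) are held until their retention period lapses, and downstream processes must respect that segregation. The following Python model is an added example, not New Link Consulting’s code; its purposes, lawful bases, retention periods and sample records are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed rules (assumed, not from the paper): purpose -> (lawful basis, retention days).
# Consent-based purposes are erased on request; legal-obligation purposes (the paper names
# CFT and MiFID 2 surveillance) are kept until their retention period ends.
RETENTION_RULES = {
    "marketing": ("consent", 365),
    "cft_screening": ("legal_obligation", 5 * 365),
    "mifid_surveillance": ("legal_obligation", 5 * 365),
}

@dataclass(frozen=True)
class Record:
    subject_id: str
    purpose: str
    collected: date

def retention_end(rec):
    return rec.collected + timedelta(days=RETENTION_RULES[rec.purpose][1])

class PersonalDataStore:
    def __init__(self, records):
        self.records = list(records)
        # Minimal marker kept after erasure so the removal is respected by future processing.
        self.suppressed = set()

    def erase(self, subject_id, today):
        """Right to erasure, segregated by purpose. Returns (purposes erased, purposes held)."""
        remaining, erased, held = [], [], []
        for rec in self.records:
            if rec.subject_id != subject_id:
                remaining.append(rec)
            elif RETENTION_RULES[rec.purpose][0] == "legal_obligation" and today < retention_end(rec):
                remaining.append(rec)  # legal hold: cannot delete yet
                held.append(rec.purpose)
            else:
                erased.append(rec.purpose)
                self.suppressed.add((subject_id, rec.purpose))
        self.records = remaining
        return erased, held

    def purge_expired(self, today):
        """Retention ageing: drop records past their allowed period; returns what was removed."""
        gone = [rec for rec in self.records if today >= retention_end(rec)]
        self.records = [rec for rec in self.records if today < retention_end(rec)]
        return gone

    def may_process(self, subject_id, purpose):
        """Gate for a downstream process: data held for one purpose does not license another."""
        if (subject_id, purpose) in self.suppressed:
            return False
        return any(r.subject_id == subject_id and r.purpose == purpose for r in self.records)

def sample_store():
    """Constructed sample records for two subjects."""
    return PersonalDataStore([
        Record("cust-001", "marketing", date(2017, 6, 1)),
        Record("cust-001", "cft_screening", date(2017, 6, 1)),
        Record("cust-002", "marketing", date(2018, 1, 1)),
    ])

if __name__ == "__main__":
    store = sample_store()
    print(store.erase("cust-001", date(2018, 5, 25)), store.may_process("cust-001", "marketing"))
```

After the erasure the marketing record is gone and suppressed, the CFT record remains usable only for CFT screening, and a later `purge_expired` removes it once the hold lapses.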
New Link Consulting proposes a modular service offering that can be used by firms to help achieve GDPR compliance and can be tailored to suit the needs of a client depending on their current state of readiness.
Consent Affirmation
  • All customer and employee agreements to handle data for individuals need to be revisited. This should be done by experienced data protection lawyers to confirm that current contracts and agreements are in line with the regulation. It must be confirmed that individuals have opted in to uses of data rather than consented by default.

  • Where agreements do not comply with GDPR’s definition of consent, consent will need to be obtained, which may require the majority, if not all, of the customer base to be contacted.

Technology
  • Systems and processes must be in place to keep track of an organisation’s usage of personal data.

  • Data lineage should be established to understand how personal data flows through the organisation’s systems and processes. This would include all of the interfaces between systems and the transformation of personal data.

  • Ageing of personal data should be established to ensure it is kept for an appropriate amount of time. This should also ensure that data is kept up to date and verified periodically. If the data is beyond the period of allowable retention for the assigned usage, then it may need to be deleted.

  • Ensure GDPR is built into archiving policies and processes.

  • Cyber security must be robust and appropriate to protect individuals’ personal data consistently across all divisions and functions.

  • Personal data that physically crosses the EU border will need to be revisited to confirm it is within the boundaries of EU data sharing treaties. Data shared and stored physically in Emerging Markets may be in violation of the regulation.
Training
  • It will be important, when implementing a consistent robust operating model, to ensure staff are aware of their responsibilities.

  • Training staff will be important to allow change professionals to implement compliant processes that are integrated into the “privacy by design” principle.

  • Specific training will need to be provided to those that deal with GDPR in the day to day operation of the business, such as responding to customer queries or regulator requests.

  • Staff need to be trained in GDPR to allow them to deal with data privacy in day to day operations and also ensure that it is a cornerstone of future business design.
Opportunities through compliance with GDPR
The journey to compliance with GDPR may be considered painful at first; however, there are many positive aspects that should be considered.

The following are examples of those considerations:

  • Differentiation:
    Putting the customer first and showing how personal data is handled will increase an organisation’s credibility.
  • Customer experience:
    By being fully compliant with GDPR, customers can trust that appropriate safeguards are in place around their data. With increased trust comes a better customer experience.
  • Enhanced data asset:
    The ability for a business to gain control of personal data will be a driver for a better understanding of all data flows, facilitating improved quality and efficiency. With a cleaner dataset, the business is in a stronger position to make the right decisions.
  • Transparency:
    With greater transparency around processes, the customer can be better informed about the ways in which their data is used for the benefit of all customers.
  • Efficiency:
    Cost reduction will arise from transparent and effective handling of personal data. Reducing the overhead of handling data that may be out of date or inaccurate should reduce the complexity and improve the impact of new data-driven initiatives.
  • Culture:
    The culture in an organisation can greatly benefit from increased transparency and focus on customer-based initiatives, especially in the context of initiatives such as the Senior Managers’ Regime.
  • Innovation:
    Improvements that may result from improved data handling have the potential to be converted into revenue generators.
Questions to ask
The following are some helpful questions to get an initial understanding of your organisation’s requirements to be compliant with GDPR:
Do you know where personal data is held in your organisation?
A) You must be able to identify where you hold personally identifiable information for residents in the EU. You must know which systems it is held in and the locations where it is stored physically. This could be any individuals, including customers and employees.
Do you know the processes that the data is used for?
A) Organisations must be able to tell customers, upon request, what their data is used for.
Would you be able to delete data for specific individuals if asked and would your processes still work?
A) Processes may need to operate following the removal of data about specific individuals. This could break a key assumption for the process that it includes all previous and existing customers. Will the process continue to work? What adjustments do you need to make?
Do you know how old the data is and whether it is up to date and accurate?
A) GDPR states that data should only be held for a reasonable and appropriate amount of time. This effectively adds a shelf life to the data held and organisations can no longer assume that they can keep this data ad infinitum.
Do you know if you have explicit consent from individuals to keep that data? (Not just obtained through a default ticked box on your website.)
A) The permission granted from individuals to store data must be obtained explicitly. Any data held where this is not the case may mean you need to recertify, potentially to your entire customer base.
Do you know if you send your data externally to vendors and what they are using the data for?
A) GDPR extends to data shared with vendors and it remains your responsibility after it has been shared. You need to know what the data is used for by the vendors and ensure it is removed if requested.
Is data you hold safe from cyber-attack?
A) Appropriate measures must be in place in your organisation to protect individuals’ data from cyber-attack. You also need to ensure that if a breach were to occur this would be detected and you could inform the individuals affected, and the regulator, within 72 hours.
Do you know what you would do if the data were to be lost or stolen?
A) The manner in which you handle a data breach could have a serious impact on the amount of reputation damage incurred by the organisation. Preparation is key to minimising the impact, especially given how quickly disclosure to regulators and affected individuals should occur.
Have your staff been trained?
A) Training will be key for your staff to know how to stay compliant with the regulation and what to do in the event of a breach.
Legal interpretation of regulation can be subject to change over time. The above statements are for guidance only and should be used in conjunction with professional legal advice.
Need any help?

New Link Consulting has the expertise and practical experience to help you move forward as a GDPR compliant organisation.

Our modular approach can be used to customise assistance where appropriate. Gaps in compliance may already be clear and if so our trusted execution experience will allow the gaps to be closed with confidence.

Our consultants have many years of experience dealing with regulatory and data implementations across the financial sector and beyond. By drawing on a wealth of practical experience we can assure our clients a first rate service.

We can also include assistance from our legal partners to interpret the regulation according to your bespoke needs, translating these interpretations into requirements that fit your business. Our cyber-security partners are well placed to provide expertise surrounding data storage, usage and security.