About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

Governance And Privacy Are Getting Married

Subscribe to our newsletter

By Dennis Slattery, CEO of EDMworks


The governance community is getting married to the privacy community.

But how do we make sure the marriage is long and happy? The challenges are many and the General Data Protection Regulation (GDPR) is one example of a flood of privacy/trust laws that will impact the couple. The changes needed to processes, systems, contracts, governance and accountabilities are truly huge.

Governance has history. It used to cohabit with Risk!

January 1st 2016 was the ‘go live’ date for sell-side BCBS 239 and buy-side Solvency II regulations, both of which accelerated the implementation of governance disciplines including data ownership/accountability, policies, lineage/data flow, measurable quality, and senior management accountability.

BCBS 239 is criticised for a lack of measurable success criteria, ‘Material or Full Compliance’ are terms without objective measures. For many, the regulation was seen as a risk department issue, ignoring the fact that most risk data originates in upstream business and transaction units. Many people working on the data supply chain still do not understand the underlying principles needed to maintain firm wide fit-for-purpose data and evidence of cultural change is thin on the ground.

Lessons for GDPR implementation:

  • Top level sponsorship is essential
  • Ongoing communication is needed
  • Measures of success are critical
  • Personal data will exist in more areas than you imagine
  • Data is at the heart of the business and needs to be managed as an asset for the overall benefit of the firm.

Should IT be invited to the wedding?

IT has had a lot of bad press for being more interested in technology and less interested in benefits for the firm, while outsourcing of critical systems and staff has meant a huge loss of knowledge and expertise. If you haven’t already done so, it’s time to forgive, forget and embrace. IT needs to be at the heart of change for GDPR.

Lessons for GDPR:

  • Major effort lies in adapting legacy systems and processes
  • ‘Privacy by design and default’ is a core concept within GDPR and must be embedded in new systems and crafted onto existing legacy systems and networks
  • ‘Consent management’ requires careful analysis, planning and change, (great article here from Sima Nadler).

How about inviting the wider family?

GDPR assigns liability for breaches to firms and their sub-contractors so contracts need to be in place and transparency within and between firms needs to exist. Changes envisaged in GDPR are of a cultural nature, whereby people around the firm (and its subcontractors) all need to understand ‘privacy by design’ and know what to do in the case of breaches, near misses and spotting weaknesses.

Lessons for GDPR:

  • Culture and values are critical, firm wide communication and training is needed
  • Incorporate sub-contractors so they know what to do and have capability consistent with your firm.

What is audit doing at the back of the church? It should at the front.

The role of audit is changing as the world becomes more data centric and regulators do not have bandwidth to carry out detailed assessments. Audit has to self-regulate and evaluate how different parts of the business address regulation and other pressures. Audit has a unique perspective and needs to feed that into the front end of the design process.

Lessons for GDPR:

  • Data is at the heart of business, audit needs to become increasingly savvy and proactive
  • Audit needs to collaborate with architecture/IT to formulate taxonomies and classifications that can be used use consistently around the firm. Audit use these to build data consistency into every audit it does.

Who is on the top table at the wedding?

The success of GDPR implementation depends on cooperation, collaboration and the support of a broad community within and beyond a firm’s boundaries.

Who needs to be on the top table?

  • A board member, privacy is a board level responsibility with powerful sanctions to make top management take notice
  • Legal counsel or a data protection officer
  • Heads of data governance, operational risk and compliance
  • Heads of IT/IS, change and data management
  • Heads of product/sales/marketing/customer service/KYC/AML and other stakeholders for personal data
  • Head of HR.

What should be in the dowry?

Governance functions should reach out to privacy and ensure they provide a dowry incorporating:

  • Existing data dictionary definitions, lineage/data flows, quality measures
  • An honest assessment of the capabilities and effectiveness of their lineage work
  • An honest assessment of the current state of data ownership and accountability
  • A set of data governance tools.

I hope you enjoyed reading about the wedding. Feel free to use the analogy as you wish. Further information on the topic and related events can be found here:

The Data Management Industry Forum for Privacy

The Data Management Agenda for Privacy

Subscribe to our newsletter

Related content


Recorded Webinar: New solutions to the old problems of compliance with communications surveillance regulation

Communications surveillance is an integral element of trading at financial institutions, and its functions are clearly set out in jurisdictional regulations – to capture, record and retain all communications. Essentially, all business related communications must be recorded whatever the underlying mechanism – be it a work phone, personal mobile phone, text, video and so on...


GLEIF continues LEI push with mapping of S&P Global Company ID to the identifier

The Global Legal Entity Identifier Foundation (GLEIF) continues to promote use of the LEI through a collaboration with S&P Global Market Intelligence that certifies the mapping of the S&P Global Company ID to the LEI. GLEIF says links like this increase the value of the LEI by extending its connectivity to the world’s entity identifier...


TradingTech Summit London

Now in its 12th year the TradingTech Summit London brings together the European trading technology capital markets industry, to explore how trading firms are innovating in today’s cloud and digital based environment to create flexible, scalable trading platforms to support speed to market and business agility.


Regulatory Data Handbook 2022/2023 – Tenth Edition

Welcome to the tenth edition of A-Team Group’s Regulatory Data Handbook, a publication that has tracked new regulations, amendments, implementation and data management requirements as regulatory change has impacted global capital markets participants over the past 10 years. This edition of the handbook includes new regulations and highlights some of the major regulatory interventions challenging...