About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

Governance And Privacy Are Getting Married

Subscribe to our newsletter

By Dennis Slattery, CEO of EDMworks


The governance community is getting married to the privacy community.

But how do we make sure the marriage is long and happy? The challenges are many and the General Data Protection Regulation (GDPR) is one example of a flood of privacy/trust laws that will impact the couple. The changes needed to processes, systems, contracts, governance and accountabilities are truly huge.

Governance has history. It used to cohabit with Risk!

January 1st 2016 was the ‘go live’ date for sell-side BCBS 239 and buy-side Solvency II regulations, both of which accelerated the implementation of governance disciplines including data ownership/accountability, policies, lineage/data flow, measurable quality, and senior management accountability.

BCBS 239 is criticised for a lack of measurable success criteria, ‘Material or Full Compliance’ are terms without objective measures. For many, the regulation was seen as a risk department issue, ignoring the fact that most risk data originates in upstream business and transaction units. Many people working on the data supply chain still do not understand the underlying principles needed to maintain firm wide fit-for-purpose data and evidence of cultural change is thin on the ground.

Lessons for GDPR implementation:

  • Top level sponsorship is essential
  • Ongoing communication is needed
  • Measures of success are critical
  • Personal data will exist in more areas than you imagine
  • Data is at the heart of the business and needs to be managed as an asset for the overall benefit of the firm.

Should IT be invited to the wedding?

IT has had a lot of bad press for being more interested in technology and less interested in benefits for the firm, while outsourcing of critical systems and staff has meant a huge loss of knowledge and expertise. If you haven’t already done so, it’s time to forgive, forget and embrace. IT needs to be at the heart of change for GDPR.

Lessons for GDPR:

  • Major effort lies in adapting legacy systems and processes
  • ‘Privacy by design and default’ is a core concept within GDPR and must be embedded in new systems and crafted onto existing legacy systems and networks
  • ‘Consent management’ requires careful analysis, planning and change, (great article here from Sima Nadler).

How about inviting the wider family?

GDPR assigns liability for breaches to firms and their sub-contractors so contracts need to be in place and transparency within and between firms needs to exist. Changes envisaged in GDPR are of a cultural nature, whereby people around the firm (and its subcontractors) all need to understand ‘privacy by design’ and know what to do in the case of breaches, near misses and spotting weaknesses.

Lessons for GDPR:

  • Culture and values are critical, firm wide communication and training is needed
  • Incorporate sub-contractors so they know what to do and have capability consistent with your firm.

What is audit doing at the back of the church? It should at the front.

The role of audit is changing as the world becomes more data centric and regulators do not have bandwidth to carry out detailed assessments. Audit has to self-regulate and evaluate how different parts of the business address regulation and other pressures. Audit has a unique perspective and needs to feed that into the front end of the design process.

Lessons for GDPR:

  • Data is at the heart of business, audit needs to become increasingly savvy and proactive
  • Audit needs to collaborate with architecture/IT to formulate taxonomies and classifications that can be used use consistently around the firm. Audit use these to build data consistency into every audit it does.

Who is on the top table at the wedding?

The success of GDPR implementation depends on cooperation, collaboration and the support of a broad community within and beyond a firm’s boundaries.

Who needs to be on the top table?

  • A board member, privacy is a board level responsibility with powerful sanctions to make top management take notice
  • Legal counsel or a data protection officer
  • Heads of data governance, operational risk and compliance
  • Heads of IT/IS, change and data management
  • Heads of product/sales/marketing/customer service/KYC/AML and other stakeholders for personal data
  • Head of HR.

What should be in the dowry?

Governance functions should reach out to privacy and ensure they provide a dowry incorporating:

  • Existing data dictionary definitions, lineage/data flows, quality measures
  • An honest assessment of the capabilities and effectiveness of their lineage work
  • An honest assessment of the current state of data ownership and accountability
  • A set of data governance tools.

I hope you enjoyed reading about the wedding. Feel free to use the analogy as you wish. Further information on the topic and related events can be found here:

The Data Management Industry Forum for Privacy

The Data Management Agenda for Privacy

Subscribe to our newsletter

Related content


Upcoming Webinar: How to ensure efficient, accurate, timely and compliant entity data management

Date: 29 November 2023 Time: 10:00am ET / 3:00pm London / 4:00pm CET Duration: 50 minutes Requesting, gathering, analysing and monitoring customer, vendor and partner entity data is a time-consuming, and often a manual process. These aspects can slow down customer relationships and can expose financial institutions to risk from inaccurate, incomplete or outdated data...


A-Team Partners The Times on Regulatory Compliance Special Report

A-Team Group is thrilled to be partnering with The Times newspaper on its special report covering Regulatory Compliance. Be sure to pick up your copy this Wednesday 12 July from any good newsstand in the UK. Among the topics the special report explores are the state of KYC in 2023, e-communication risk and compliance, ESG...


TradingTech Briefing New York

TradingTech Insight Briefing New York will explore how trading firms are innovating and leveraging technology as a differentiator in today’s cloud and digital based environment.


ESG Handbook 2023

The ESG Handbook 2023 edition is the essential guide to everything you need to know about ESG and how to manage requirements if you work in financial data and technology. Download your free copy to understand: What ESG Covers: The scope and definition of ESG Regulations: The evolution of global regulations, especially in the UK...