About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

Governance And Privacy Are Getting Married

Subscribe to our newsletter

By Dennis Slattery, CEO of EDMworks


The governance community is getting married to the privacy community.

But how do we make sure the marriage is long and happy? The challenges are many and the General Data Protection Regulation (GDPR) is one example of a flood of privacy/trust laws that will impact the couple. The changes needed to processes, systems, contracts, governance and accountabilities are truly huge.

Governance has history. It used to cohabit with Risk!

January 1st 2016 was the ‘go live’ date for sell-side BCBS 239 and buy-side Solvency II regulations, both of which accelerated the implementation of governance disciplines including data ownership/accountability, policies, lineage/data flow, measurable quality, and senior management accountability.

BCBS 239 is criticised for a lack of measurable success criteria, ‘Material or Full Compliance’ are terms without objective measures. For many, the regulation was seen as a risk department issue, ignoring the fact that most risk data originates in upstream business and transaction units. Many people working on the data supply chain still do not understand the underlying principles needed to maintain firm wide fit-for-purpose data and evidence of cultural change is thin on the ground.

Lessons for GDPR implementation:

  • Top level sponsorship is essential
  • Ongoing communication is needed
  • Measures of success are critical
  • Personal data will exist in more areas than you imagine
  • Data is at the heart of the business and needs to be managed as an asset for the overall benefit of the firm.

Should IT be invited to the wedding?

IT has had a lot of bad press for being more interested in technology and less interested in benefits for the firm, while outsourcing of critical systems and staff has meant a huge loss of knowledge and expertise. If you haven’t already done so, it’s time to forgive, forget and embrace. IT needs to be at the heart of change for GDPR.

Lessons for GDPR:

  • Major effort lies in adapting legacy systems and processes
  • ‘Privacy by design and default’ is a core concept within GDPR and must be embedded in new systems and crafted onto existing legacy systems and networks
  • ‘Consent management’ requires careful analysis, planning and change, (great article here from Sima Nadler).

How about inviting the wider family?

GDPR assigns liability for breaches to firms and their sub-contractors so contracts need to be in place and transparency within and between firms needs to exist. Changes envisaged in GDPR are of a cultural nature, whereby people around the firm (and its subcontractors) all need to understand ‘privacy by design’ and know what to do in the case of breaches, near misses and spotting weaknesses.

Lessons for GDPR:

  • Culture and values are critical, firm wide communication and training is needed
  • Incorporate sub-contractors so they know what to do and have capability consistent with your firm.

What is audit doing at the back of the church? It should at the front.

The role of audit is changing as the world becomes more data centric and regulators do not have bandwidth to carry out detailed assessments. Audit has to self-regulate and evaluate how different parts of the business address regulation and other pressures. Audit has a unique perspective and needs to feed that into the front end of the design process.

Lessons for GDPR:

  • Data is at the heart of business, audit needs to become increasingly savvy and proactive
  • Audit needs to collaborate with architecture/IT to formulate taxonomies and classifications that can be used use consistently around the firm. Audit use these to build data consistency into every audit it does.

Who is on the top table at the wedding?

The success of GDPR implementation depends on cooperation, collaboration and the support of a broad community within and beyond a firm’s boundaries.

Who needs to be on the top table?

  • A board member, privacy is a board level responsibility with powerful sanctions to make top management take notice
  • Legal counsel or a data protection officer
  • Heads of data governance, operational risk and compliance
  • Heads of IT/IS, change and data management
  • Heads of product/sales/marketing/customer service/KYC/AML and other stakeholders for personal data
  • Head of HR.

What should be in the dowry?

Governance functions should reach out to privacy and ensure they provide a dowry incorporating:

  • Existing data dictionary definitions, lineage/data flows, quality measures
  • An honest assessment of the capabilities and effectiveness of their lineage work
  • An honest assessment of the current state of data ownership and accountability
  • A set of data governance tools.

I hope you enjoyed reading about the wedding. Feel free to use the analogy as you wish. Further information on the topic and related events can be found here:

The Data Management Industry Forum for Privacy

The Data Management Agenda for Privacy

Subscribe to our newsletter

Related content


Recorded Webinar: Best practices for compliance with EU Market Abuse Regulation

EU Market Abuse Regulation (MAR) came into force in July 2016, rescinding the previous Market Abuse Directive and replacing it with a significantly extended scope of regulatory obligations. Eight years later, and amid constant change in capital markets regulation, technology and culture, financial institutions continue to struggle to stay on the right side of the...


Fenergo launches AI powered CLM with Amazon Bedrock

Fenergo recently launched its AI Powered Client Lifecycle Management (CLM) at Money2020 in Amsterdam. The new CLM solution leverages Amazon Bedrock to enhance operational efficiencies in onboarding, client and counterparty management, and regulatory compliance. This launch comes at a time when financial institutions are grappling with intensifying regulatory pressures and rising costs. Stella Clarke, Chief...


AI in Capital Markets Summit London

The AI in Capital Markets Summit will explore current and emerging trends in AI, the potential of Generative AI and LLMs and how AI can be applied for efficiencies and business value across a number of use cases, in the front and back office of financial institutions. The agenda will explore the risks and challenges of adopting AI and the foundational technologies and data management capabilities that underpin successful deployment.


FATCA – The Time to Act is Now

The US Foreign Account Tax Compliance Act – aka FATCA – raised eyebrows when its final regulations requiring foreign financial institutions (FFIs) to report US accounts to US tax authorities were published last year. But with the exception of a few modifications, the legislation remains in place and starts to comes into force in earnest...