RegTech Insight Knowledge Hub
In a nutshell: GDPR gives control of personal information back to its individual owners: requiring businesses to capture, control and protect data under strict new guidelines that impose hefty fines for non-compliance.
Read on in our Knowledge Hub ‘Everything you need to know’ section to understand the full details of what GDPR is all about, who it impacts, the key requirements, the technical and data challenges it presents, and the outlook.
You can also take a look at all the latest content we have related to GDPR. And you can see a listing of key vendors delivering solutions to this regulatory challenge.
By Alex Scheinman, Director, ACA Compliance. Despite its crucial importance, data protection in a post-Brexit world is not getting the attention it deserves. UK firms have spent a significant time preparing for the General Data Protection Regulation (GDPR) as members of the EU. However, Brexit means that they may have to comprehensively re-think their approach…
Regulatory compliance continues to be a burden for data management practitioners working in capital markets, but approaches are changing as firms move towards managing reference data once for as many regulations as possible, adopt a utility model to ease the burden, or look to regtech solutions to support reporting. The ongoing challenges of compliance were…
A-Team Group’s RegTech Summit returned to London last week with an impressive line-up of keynote speakers, lively panel discussions and an innovative regtech showcase featuring four newcomers to the market. The event also hosted numerous sponsors exhibiting leading regtech solutions and was joined by over 200 capital markets participants keen to further their knowledge of,…
Financial institutions around the world are bracing themselves for the onset of the EU’s General Data Protection Regulation (GDPR), which introduces eye-watering financial penalties for firms failing to meet stringent new rules on managing the personal data of EU residents. GDPR – which comes into effect in May 2018 – will have a major impact…
You can listen to the recording of this webinar by registering on this page. Are your client lifecycle management processes – including client onboarding, Know Your Customer (KYC), Anti-Money Laundering (AML) and most recently General Data Protection Regulation (GDPR) – up to the right standard for today’s pressing regulatory challenges? Early iterations of KYC and…
You can listen to the recording of this webinar by registering on this page. Data monetisation has become key to revenue growth at financial institutions, but how can they get it right and achieve competitive advantage, and how will General Data Protection Regulation (GDPR) impact their progress? This webinar will discuss why and how financial…
You can listen to the recording of this webinar by registering on this page. Balancing the use of personal data required by Markets in Financial Instruments Directive II (MiFID) as part of its transparency regime with the personal data protection rules set out in General Data Protection Regulation (GDPR) is a tough task – tell…
The May 25, 2018 compliance deadline of General Data Protection Regulation (GDPR) is approaching fast, requiring financial institutions to understand what personal data they hold, why they process it, and whether it is shared with other organisations. In line with individuals’ rights under the regulation, they must also provide access to individuals’ personal data and…
In a testament to the enduring popularity of the A-Team Regulatory Data Handbook, we are delighted to publish a sixth edition for 2018-19 of our comprehensive guide to all the regulations and rules that might impact data and data management at your institution. As in previous editions of the Regulatory Data Handbook, we have updated…
Data lineage has become a critical concern for data managers in capital markets as it is key to both regulatory compliance and business opportunity. The regulatory requirement for data lineage kicked in with BCBS 239 in 2016 and has since been extended to many other regulations that oblige firms to provide transparency and a data…
Everything you need to know about: GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU ruling that replaces the previous EU Data Protection Directive 95/46/EC of 1995. It aims to harmonise data privacy across the region, improve data protection for EU residents, and ensure data security. It gives individuals ownership of their own personal data and the right to find out what personal information is held about them and how it is used, to request that it be rectified or deleted, and to restrict its processing or movement between organisations.
GDPR provides individuals with:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making including profiling
While the 1995 edict took the form of a directive, which places obligations on member states and which their governments are then required to transpose into local law, GDPR is an EU regulation and is directly applicable and enforceable as law in every EU member state. GDPR provides a single set of data protection rules for all EU member states, while still allowing a degree of tailoring within individual jurisdictions.
GDPR was approved by the European Parliament on April 18, 2016, and took effect in all member states on May 25, 2018. Despite the UK’s planned departure from the EU in 2019, UK businesses within the scope of GDPR will be required to remain compliant if they want to trade within the single market.
The regulation includes 99 articles, of which 64 are general and cover areas such as objectives, scope, definitions, requirements, liabilities and penalties. The remaining 35 articles are actionable and include 15 related to business and requiring actions such as setting policies, seven covering assessment of areas such as infrastructure and deployment, and 13 including technical detail about what data controllers and processors must do to achieve compliance.
Who are the regulators?
The primary regulator is the European Data Protection Supervisor. In addition, the Article 29 Working Party is an advisory body made up of a representative from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission.
In the UK, GDPR is regulated by the Information Commissioner’s Office (ICO).
A full list of EU regulators can be found in Appendix 1.
Who needs to know?
While GDPR is an EU regulation, its requirements extend to any business globally that is collecting personal data from EU residents. GDPR applies to every entity that holds personal data derived from activities subject to EU regulation anywhere in the world. Its global scope means firms that control or process data relating to EU and non-EU citizens residing in the EU will be forced to deal with complex regulations governing personal data.
Unlike its predecessor, GDPR extends accountability not only to controllers that determine the purposes, conditions and means of processing personal data, but also to processors that handle personal data on behalf of controllers.
As GDPR applies to every company that sells to, or stores personal information about, EU citizens, it inevitably impacts financial services firms. They need to reconsider how they capture information, build data management systems, govern and protect personal data, and handle potential breaches. The regulation also has a knock-on effect for vendors of technology and data solutions that provide relevant services to financial clients and will need to incorporate GDPR compliance into their solutions.
Firms that do a good job of GDPR and take a proactive approach to compliance should benefit from improved customer communication, strategic data management and a higher level of trust in the market. Breaches of compliance could entail not only reputational damage but fines up to €20 million or 4% of annual group turnover, whichever is the greater.
What are the key requirements?
While financial firms subject to the 1995 directive already have data protection policies and practices in place, the detail of GDPR adds a significant layer of complexity that must be addressed in order to achieve compliance.
Notable challenges presented by GDPR include:
- Understanding the lawful basis for processing personal data
- Gaining consent to process the data
- Building data privacy by design
- Notifying authorities and individuals of data breaches
- Ensuring data portability
- Giving individuals the right to have data deleted, provided there are no legitimate grounds for keeping it.
Key elements to consider include:
Since May 2018, general contractual terms have not been sufficient as proof of an individual’s consent to the processing of personal data. Instead, consent must be unambiguous, freely given, informed and refer explicitly to each processing purpose. Consent for processing sensitive data held by banks and financial institutions must also be explicit. In order to manage data appropriately, companies must consider how customer data is collected, managed and shared with third parties, and develop appropriate consent management policies.
GDPR requires firms to identify personal data, manage it within the scope of the requirements, and ensure it is secure and accessible. This presents numerous data management challenges including data centralisation, master data management, data governance and automation. Organisations must be able to prove compliance throughout processes that fall within the scope of the regulation. This requires extensive data lineage to be put in place and data governance policies to be established, documented and enforced across an organisation.
Financial institutions must respond to the regulation’s enhanced rights for individuals to access, transfer and delete data by amending privacy policies and procedures, and the way in which they manage data access requests. GDPR also introduces the concept of data privacy by design, which requires financial institutions to promote privacy and data protection compliance in new system builds.
GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
To assess security risks, GDPR mandates that controllers carry out data protection impact assessments (DPIAs) when certain types of processing of personal data are likely to present a high risk to the data subject. The regulation also recommends a number of techniques to prevent security breaches, including encryption, anonymisation and pseudonymisation. Constant monitoring of personal data is required in order to detect anomalies, and any breach must be reported within 72 hours.
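The distinction between the pseudonymisation and anonymisation techniques mentioned above matters for scope: pseudonymised data is still personal data, because the controller holds additional information that can re-identify the subject, whereas properly anonymised data cannot be tied back to anyone. The following Python is an added example, not code from this page or from any vendor listed on it. The customer records, field names, the keyed-token (HMAC-SHA256) scheme, the 96-bit token truncation and the generalisation rules are all constructed for illustration, and the key plus re-identification table stand in for a controller's separately held key store.

```python
"""Pseudonymisation versus anonymisation of constructed customer records."""
import hashlib
import hmac
import secrets

# Constructed sample records for this example; not real customers.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "alice@example.com",
     "dob": "1984-03-12", "postcode": "SW1A 1AA", "balance": 1250.50},
    {"customer_id": "C-1002", "email": "bob@example.com",
     "dob": "1979-11-30", "postcode": "EC2N 2DB", "balance": 98.00},
]

# Fields that identify a person on their own (assumed for this data set).
DIRECT_IDENTIFIERS = ("customer_id", "email")


def new_pseudonymisation_key() -> bytes:
    """Random 256-bit key. It is the 'additional information' that allows
    re-identification, so it belongs in a key store kept apart from the
    pseudonymised data set, with its own access controls and audit trail."""
    return secrets.token_bytes(32)


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace each direct identifier with a keyed token (HMAC-SHA256,
    truncated to 96 bits for readability). Deterministic for a given key, so
    records about the same person still join across tables; without the key
    the token reveals nothing about the original value."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        mac = hmac.new(key, record[field].encode("utf-8"), hashlib.sha256)
        out[field] = mac.hexdigest()[:24]
    return out


def build_reidentification_table(records: list, key: bytes) -> dict:
    """Token -> original customer_id. Held only by the controller, separately
    from the pseudonymised data, so analysts working on that data cannot
    re-identify subjects but a lawful access request can still be served."""
    return {pseudonymise(r, key)["customer_id"]: r["customer_id"] for r in records}


def reidentify(pseudo_record: dict, table: dict):
    """Map a pseudonymised record back to its customer_id, or None if unknown."""
    return table.get(pseudo_record["customer_id"])


def anonymise(record: dict) -> dict:
    """One-way generalisation: drop direct identifiers and coarsen the
    quasi-identifiers so that individuals can no longer be singled out.
    No key exists that reverses this, which is what takes the result outside
    the scope of the regulation."""
    return {
        "birth_decade": record["dob"][:3] + "0s",
        "postcode_area": record["postcode"].split()[0],
        "balance_band": "under_1000" if record["balance"] < 1000 else "1000_and_over",
    }


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 of an identifier is NOT adequate pseudonymisation: anyone
    who knows the input recomputes the same token, so the data stays linkable
    to the person without any secret being involved."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:24]


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    table = build_reidentification_table(CUSTOMERS, key)
    for record in CUSTOMERS:
        pseudo = pseudonymise(record, key)
        print("pseudonymised:", pseudo)
        print("re-identified as:", reidentify(pseudo, table))
        print("anonymised:", anonymise(record))
```

Two design points are worth noting. The key, not the hashing, is what makes the tokens unlinkable for anyone outside the controller; unkeyed_token shows why a bare hash of an e-mail address leaves the data fully linkable and so does not reduce risk. The generalisation choices in anonymise (decade, postcode area, balance band) must be backed by a re-identification risk assessment on the real population, since a combination of coarse attributes that is unique in a small data set still singles someone out.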
What technological challenges does GDPR represent?
GDPR requires a much more rigorous approach to protecting data privacy than its predecessor. At its core is the understanding that while data is an asset, its ownership remains with the EU citizen and not with the data controller or processor. GDPR’s main articles describe interactions between these stakeholders, and this set of parameters represents a significant challenge for financial institutions in terms of understanding the scope and granularity of what is required. Specific challenges include understanding what personal data is held within the organisation, what business processes affect regulated data, and how data is handled and transported.
Organisations should document all personal data they hold, including data that falls into special categories, and record where the data came from, and any other organisations it is shared with. An information audit across the organisation or within particular businesses may be necessary. GDPR also requires data processing activities to be recorded. For example, if inaccurate personal data is shared with another organisation, the inaccuracy must be communicated to ensure both organisations correct the data.
Current privacy notices should be reviewed and amended in line with GDPR requirements. Personal data collection previously required giving people information such as the organisation’s identity and how it intends to use the information. Under GDPR there are additional requirements, including the need to explain the lawful basis for processing the data, retention periods, and individuals’ rights to complain to supervisory authorities if they think there is a problem with the way their data is being handled.
To achieve best practice GDPR compliance and effectively locate and manage personal data, organisations need to capture the data, make a data inventory and create a central data repository. This will ease the challenge of identifying and sustaining personal data workflows by ensuring disparate data is reconciled, data is maintained, entitlement policies are in place, and access to personal data is available to data subjects. Challenges include legacy systems that may need replacing, data silos, derived data, and scattered and duplicated data within big data environments or collaboration tools.
GDPR introduces a duty on all data controllers and processors to report certain types of data breach to the authorities within 72 hours. To ensure compliance, organisations need robust processes for breach detection and investigation, which can be supported by data lineage and governance, as well as internal reporting procedures. Failing to notify a breach when required to do so can result in significant fines and penalties, making it crucial to have data management processes in place that can support detection, reporting and access to the details of a breach.
What solutions can be used?
GDPR is an enterprise-wide regulation where the use of emerging technologies could improve the accuracy and efficiency of compliance, reduce costs, improve data quality and deliver better customer service. Existing in-house systems may need to incorporate vendor solutions to improve or add new data privacy policies, new processes, and/or specific elements of compliance. These solutions need to meet both reporting and compliance requirements by providing a data inventory or catalogue of protected data showing where the data is stored and how it is used. Alerts for possible non-compliance are also an option.
An over-arching GDPR solution could include core capabilities such as:
- A data identification system
- A centralised inventory of personal data
- Data lineage to track and trace all application use of protected personal data
- Workflows around personal data ownership
- Data sharing agreements that dictate how personal data should be shared both internally and externally
Key areas to explore include:
Metadata management tools can be used to identify personal data, categorise the data and assign GDPR attributes to it. The metadata can be loaded into a data governance platform and used to identify data elements relevant to GDPR. Once data processes and data elements are identified and governed, they can be linked and data elements used in particular processes can be mapped.
Solutions include technology tools and techniques that support the identification and capture of personal data wherever it is. For most firms, and particularly those with hundreds or even thousands of servers, the need is to minimise the number of locations holding personal data and use automated tools to analyse and consolidate the data. Master data management (MDM) is also helpful in marshalling data and reconciling it to create a data warehouse containing master data records of personal data. In the context of GDPR, this data can then be used across services and applications that individuals opt into.
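To make the identification, inventory and lineage capabilities described above concrete, here is an added Python example (not this page's own code, nor that of any vendor listed on it). It scans constructed extracts from three hypothetical systems, classifies columns as personal or special-category data by column-name hints and value patterns, builds a central inventory of personal-data elements, maps that inventory onto a constructed process-to-source lineage, and locates every source holding rows for one data subject, which is the lookup a help desk needs to answer an access or erasure request. The source names, column names, sample rows, process map and detection patterns are all assumptions; a production tool would carry far richer detectors and read metadata from the systems themselves.

```python
"""Personal-data identification, inventory and lineage over constructed sources."""
import re

# Constructed sample extracts from three hypothetical systems; not real data.
SOURCES = {
    "crm.customers": [
        {"cust_id": "C-1001", "email": "alice@example.com", "dob": "1984-03-12", "postcode": "SW1A 1AA"},
        {"cust_id": "C-1002", "email": "bob@example.com", "dob": "1979-11-30", "postcode": "EC2N 2DB"},
    ],
    "trading.positions": [
        {"cust_id": "C-1001", "isin": "GB00EXAMPLE01", "qty": 100},
        {"cust_id": "C-1002", "isin": "GB00EXAMPLE02", "qty": 25},
    ],
    "hr.staff": [
        {"staff_no": "S-0007", "health_notes": "asthma", "union_member": True},
    ],
}

# Constructed lineage: which business process reads which source.
PROCESSES = {
    "kyc_onboarding": ["crm.customers"],
    "trade_reporting": ["trading.positions", "crm.customers"],
    "payroll": ["hr.staff"],
}

# Heuristic detectors (assumed for this example): value patterns and column-name hints.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "uk_postcode": re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$"),
    "date_of_birth": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
}
IDENTIFIER_HINTS = ("cust_id", "customer", "staff_no", "employee")
SPECIAL_CATEGORY_HINTS = ("health", "union", "ethnic", "religio", "biometric", "political", "sexual")


def classify_column(name, values):
    """Return (category, is_special_category) for a column,
    or (None, False) when no personal data is detected."""
    lname = name.lower()
    if any(hint in lname for hint in SPECIAL_CATEGORY_HINTS):
        return "special_category", True
    if any(hint in lname for hint in IDENTIFIER_HINTS):
        return "identifier", False
    strings = [v for v in values if isinstance(v, str)]
    for category, pattern in VALUE_PATTERNS.items():
        # Every sampled value must match, so one stray e-mail in a free-text
        # column does not silently re-label the whole column.
        if strings and all(pattern.match(v) for v in strings):
            return category, False
    return None, False


def build_inventory(sources):
    """Central inventory: one entry per personal-data column across all sources."""
    inventory = []
    for source, rows in sources.items():
        columns = {column for row in rows for column in row}
        for column in sorted(columns):
            values = [row[column] for row in rows if column in row]
            category, special = classify_column(column, values)
            if category:
                inventory.append({"source": source, "column": column,
                                  "category": category, "special_category": special})
    return inventory


def map_processes(inventory, processes):
    """Lineage view: the personal-data elements each business process touches."""
    by_source = {}
    for entry in inventory:
        by_source.setdefault(entry["source"], []).append(f'{entry["source"]}.{entry["column"]}')
    return {proc: [elem for src in srcs for elem in by_source.get(src, [])]
            for proc, srcs in processes.items()}


def locate_subject(sources, inventory, subject_id):
    """For an access or erasure request: every source holding rows keyed to this subject."""
    id_columns = {(e["source"], e["column"]) for e in inventory if e["category"] == "identifier"}
    hits = set()
    for source, rows in sources.items():
        for column in {c for s, c in id_columns if s == source}:
            if any(row.get(column) == subject_id for row in rows):
                hits.add(source)
    return sorted(hits)


if __name__ == "__main__":
    inventory = build_inventory(SOURCES)
    for entry in inventory:
        print(entry)
    print(map_processes(inventory, PROCESSES))
    print("C-1001 held in:", locate_subject(SOURCES, inventory, "C-1001"))
```

The inventory is deliberately built column by column rather than row by row: the record of processing activities that the regulation requires is about which data elements exist and which processes use them, not about individual customers, while locate_subject answers the per-subject question only when a request arrives. Special-category columns surface with their own flag so that the explicit-consent and DPIA obligations attached to them can be tracked separately from ordinary identifiers.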
Many firms already have data governance and lineage in place, and this can be extended to support the requirements of GDPR using either in-house technology and expertise, or vendor solutions. Some, however, will need to start from scratch, or may decide to refresh their solutions. Typically, vendor solutions are based on platforms that automate data governance and management, and provide trusted data to business users including help desk advisors responding to requests from data subjects about what personal data the organisation holds about them and how it is used.
GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system that can provide the individual with direct access to his or her information.
Implementing the regulation is a large data management challenge requiring significant budget, IT involvement and human resource including lawyers and subject matter experts. It is also an evolution of data protection that will deliver benefits to both data controllers and data subjects.
Data controllers can look forward to business benefits based on a better understanding of customers, the potential for product innovation and the ability to build customer trust, brand image and reputation. Data subjects can gain greater insight into how, why and when their data is used and request that it be corrected or deleted in certain circumstances.
Looking beyond these gains, GDPR will harmonise data protection across the EU, provide a level playing field for data controllers and data subjects and, more broadly, push forward best practice data management across the financial sector.
GDPR: Pros and Cons
Pros:
- Harmonised data protection across the EU
- A level playing field for data controllers and data subjects
- Improved customer trust, communication and brand image
- Operational benefits including centralised data, updated data content, improved processes and reduced costs for internal and external audits
- Reduced time to build applications, which could lower costs and provide competitive advantage
- Improved security, lower potential liability
- Improved customer service and targeting, and the potential for product innovation due to a more accurate view of personal data
- Potential use of data science and predictive analytics due to the creation of a trusted source of centralised information
Cons:
- High fines for breaches/non-compliance
- Limited access within the EU to start-up technologies unable to afford the cost of GDPR compliance
- EU-wide multi-jurisdictional scope could raise the risk of conflicting interpretations
- Potential compliance conflicts with other regulations including KYC, AML and other financial crime measures that take a different view of data privacy
- Larger data management burden for data controllers and processors
Appendix 1: European Regulators
| Jurisdiction | Authority |
| --- | --- |
| EU | Article 29 Working Party (WP29); European Data Protection Supervisor (EDPS) |
| Austria | Austrian Data Protection Authority (DSB) |
| Belgium | Commission for the Protection of Privacy (CPP) |
| Bulgaria | Commission for Personal Data Protection (CPDP) |
| Croatia | Personal Data Protection Agency (AZOP) |
| Republic of Cyprus | Office of the Commissioner for Personal Data Protection |
| Czech Republic | Office for Personal Data Protection (UOOU) |
| Denmark | Danish Data Protection Agency (Datatilsynet) |
| Estonia | Estonian Data Protection Inspectorate (DPI) |
| Finland | Data Protection Ombudsman (Tietosuojavaltuutettu) |
| France | Commission nationale de l’informatique et des libertés (CNIL) |
| Germany | Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) (federal); Datenschutzkonferenz (DSK) (independent) |
| Greece | The Hellenic Data Protection Authority (HDPA) |
| Hungary | National Privacy and Data Protection Authority (NAIH) |
| Ireland | Data Protection Commissioner (DPC) |
| Italy | Italian Data Protection Authority (Garante) |
| Latvia | Data State Inspectorate (DVI) |
| Lithuania | State Data Protection Inspectorate (VDAI) |
| Luxembourg | National Commission for Data Protection (CNDP) |
| Malta | Office of the Information and Data Protection Commissioner |
| Netherlands | Personal Data Authority (PDA) |
| Poland | General Inspector for the Protection of Personal Data (GIODO) |
| Portugal | National Commission for Data Protection (CNDP) |
| Romania | National Supervisory Authority for Personal Data Processing |
| Slovakia | Office for Personal Data Protection (PDP) |
| Slovenia | The Information Commissioner |
| Spain | Agencia Española de Protección de Datos (AEPD) |
| Sweden | The Swedish Data Protection Authority (Datainspektionen) |
| UK | The Information Commissioner’s Office (ICO) |
ASG – enterprise data intelligence solution plus policy-driven content services solution to manage the lifecycle of personal data and capture consent
AQMetrics – automated risk register, regulatory rules engine and regulatory reporting hub
Capnovum – cloud-based Joint Learning platform that combines regulatory monitoring, collaboration and communication tools with project management capabilities and best practice processes
Collibra – enterprise-wide data governance solution to automate data governance and management, paired with GDPR specific professional services and a GDPR accelerator
The Cyber Consultants (Evidology) – end-to-end compliance management system targeting principles-based legislation
Enfusion (Integrata) – cloud-based, multi-tenant investment management system
Exate Technology – data middleware system built from scratch to apply GDPR rules through a data privacy and data protection platform
Fenergo – cloud-based client lifecycle management system
iPushpull – secure data sharing and collaboration platform connecting data in real time between desktop applications, cloud services, databases, third party platform
Pontus Networks – PontusVision Open Source GDPR IT Solution, one of the world’s first open source GDPR platforms
Privitar – tools for privacy by design, direct compliance through pseudonymisation and anonymisation, data breach protection and processing assistance
Provectus – automated blockchain-based out-of-the-box-solution
Solidatus – web-based digital dashboard to map, visualise and share the flow of data
Trunomi – consent management and data rights platform
ZoneFox – compliance reporting toolbox
If you want to appear on this page please contact Jo Webb at email@example.com or call us on +44 (0)20 8090 2055.