Time is running out: the compliance deadline for General Data Protection Regulation (GDPR) is May 25, 2018, and with fines running up to 4% of annual turnover or €20 million for firms that fail to protect European citizens’ personal data, no-one can afford to take this EU data privacy law lightly. From a data management perspective, market participants cite outstanding challenges as the regulation’s ‘right to be forgotten’, accountability, and getting the best technology in place to sustain compliance.
Essentially, GDPR requires firms to track down and secure all the personal data they hold on EU citizens, wherever they hold it. They must tell the individuals concerned they have the data and get their consent to use or share it. They also have to allow individuals to access their data, change it if it’s wrong and get it deleted or removed if there’s no compelling reason for the company to use it, the right to be forgotten. You can find out more about the regulatory requirement and response in A-Team Group’s GDPR Handbook.
Despite the threat of significant financial and reputational damage for non-compliance with GDPR, readiness for Day 1 is mixed. A poll taken during a recent A-Team Group webinar on GDPR showed 44% of respondents hoping to be ready by May 25, 25% expecting to be ready, 20% expecting to be ready but with numerous workarounds, 6% not expecting to be ready, and only 6% already ready.
GDPR consultant Sue Baldwin, who is helping Lloyds of London with its preparations, says: “Everybody wants to be able to say they are going to be compliant by 25 May and that is not going to be possible.” Colin Ware, BNY Mellon regulatory product manager and former head of Barclays’ GDPR impact assessment, agrees: “There aren’t compliance gaps as such, it’s the scale of the programme that will undoubtedly mean that, although the ethos and the spirit of the regulation will be met by May, I will be astonished if anyone says, ‘well I’ve done absolutely everything’.”
The key question for data managers is: if you haven’t done absolutely everything, what should you focus on now to be GDPR compliant and escape the regulator’s wrath?
Right to be forgotten
One major data management challenge facing financial firms is GDPR’s ‘right to be forgotten’, which mandates that firms must, in most cases, act on individuals’ requests to delete personal data they hold unnecessarily. The problem is that this conflicts with the core principle of many other financial services regulations – such as Markets in Financial Instruments Directive II (MiFID II), BCBS 239, the second payment services directive (PSD2) and the US Consolidated Audit Trail (CAT) – that requires firms to collect and keep more and more data to demonstrate they are acting above board.
Ware says: “This is probably the biggest dichotomy. The right to be forgotten goes against a lot of the regulations that have been coming out around financial services. We’re being told we need to be more open and transparent, against this idea of ‘well, actually I don’t want you to remember any of my data’. This is a huge problem for financial services firms. At the end of the day, we can’t eradicate the data because to do so breaks compliance with every other regulation.”
Baldwin agrees: “One area that jumps out at me is data retention. There is conflict between what GDPR says and other regulations such as Know your Customer (KYC) and Anti-Money Laundering (AML). The biggest issue for me is this cross-regulation, where people are going to say, what regulation takes precedence here? It’s very difficult for organisations to know and that’s where they’re going to need more help from regulators. You don’t want to get hit by the Financial Conduct Authority (FCA) for not doing something.”
Until the Information Commissioner’s Office (ICO) offers clarity, Baldwin suggests firms should be very specific in their data retention policy and identify what they are going to do and how long they are going to keep data. She says: “If there is a conflict, perhaps you’re going to keep data longer than the individual may want, you have to say the reason we’re doing this is not because we’re following GDPR, but because we’re following other regulations.”
Ware says it may be beneficial to tighten controls on who within an organisation can access personal data. He also suggests obfuscation – where firms hide or protect data in a different system or different database, but don’t completely delete it – may be helpful.
Another key requirement of GDPR is to get ‘accountability’ right. UK data privacy regulator Elizabeth Denham calls this ‘the most important aspect of GDPR’. Essentially, accountability is the need for financial firms to ‘own’ data privacy and set up comprehensive measures to show they take the responsibility seriously.
According to the ICO, the actions needed to achieve this ‘may include’ auditing your data, staff training, and security measures like data minimisation and pseudonymisation.
But the fact that this advice is not entirely clear-cut, combined with the sheer scale of GDPR, means accountability remains a major data management challenge.
To demonstrate enough accountability and compliance by May, firms should follow the ICO guidelines and make sure they document all they have done to achieve this. They should also recognise that, while they have the right compliance and accountability programmes underway, they may well fail to complete the compliance task by May 25.
Baldwin says: “It’s a vast area. Most firms will have done their data audit and got to the stage where there are gaps in their evidence and documentation. Everyone’s trying to fix that by May 25. Bigger organisations may know they’re not going to make it by the deadline, but they‘ve got everything documented and know what’s on the timeline.”
Ware sees a similar scenario unfolding: “Firms will be training staff, reiterating how personal data should be handled and making sure clients are aware of what they are doing.” By May 25, he suggests: “Every company will be able to demonstrate compliance – demonstrate what they have done, the policies, procedures, training. But the bit that no company will really be able to say is, ‘If someone says right now I’m going to come and audit you across everything’, that’s going to be OK.”
Ware believes larger financial firms could be working through their compliance programmes for the whole of 2018, after focusing first on securing highest-risk personal data. During the recent A-Team Group webinar mentioned above, he said: “Most financial services companies are taking a pragmatic view. They are taking a risk-based approach, looking first at areas with more sensitive and high-risk types of personal data, then they have plans to manage lower-risk areas going forward.”
The saving grace here is that if firms can show they are actively seeking to be ‘accountable’, the regulator is likely to go easy on them – even if they fail to achieve full auditable compliance by May 25.
Denham said as much in a recent speech: “Yes, GDPR gives me greater sanctions for those that flout the law. You can expect the ICO will uphold the law and there will be no grace period – you’ve had two years to prepare. But I know that when May 25 dawns, there will be many organisations that are less than 100% compliant. This is a long haul and preparations will be ongoing. If you self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, you will find us to be fair. Enforcement will be a last resort.”
The right technology?
Compliance raises the question of which technologies data managers should be using to deal with GDPR. Baldwin suggests data mining tools are important, though not necessarily those tailored especially for GDPR. She says: “There are a lot of data management tools in the marketplace. These tools need to focus on data mining because what you’re looking at for GDPR is being able to mine specific privacy fields. Use these tools to pinpoint privacy data, rather than looking to GDPR specific tools.”
GDPR security expert Jamie Graves, CEO of software company ZoneFox, says: “The toughest challenge for data practitioners is balancing the need for data to be available versus ensuring it has necessary privacy and security aspects in place to protect it. A proactive approach is vital. User and entity behaviour analytics can make a huge difference to regulating data access and usage in an organisation. This type of technology builds up a baseline of normal user behaviour and alerts unusual behaviour, perhaps a sales report copied onto a USB drive, or someone connecting to payroll through public access Wi-Fi. Incidents like these can be flagged by user and entity behaviour analytics, making it easier to secure against sensitive customer data being exposed to risk and an organisation failing to meet its compliance duties.”
For firms still struggling with compliance projects and systems, the ICO website offers resources including guidance, checklists and sector-specific FAQs. Denham also says the ICO runs voluntary audits, so firms can check they are on the right track and identify weaknesses or red flags before they cause real problems. She concludes: “No strings attached and it’s free.”