The leading knowledge platform for the financial technology industry
The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

Governance And Privacy Are Getting Married

By Dennis Slattery, CEO of EDMworks

Announcement!

The governance community is getting married to the privacy community.

But how do we make sure the marriage is long and happy? The challenges are many and the General Data Protection Regulation (GDPR) is one example of a flood of privacy/trust laws that will impact the couple. The changes needed to processes, systems, contracts, governance and accountabilities are truly huge.

Governance has history. It used to cohabit with Risk!

January 1st 2016 was the ‘go live’ date for sell-side BCBS 239 and buy-side Solvency II regulations, both of which accelerated the implementation of governance disciplines including data ownership/accountability, policies, lineage/data flow, measurable quality, and senior management accountability.

BCBS 239 is criticised for a lack of measurable success criteria, ‘Material or Full Compliance’ are terms without objective measures. For many, the regulation was seen as a risk department issue, ignoring the fact that most risk data originates in upstream business and transaction units. Many people working on the data supply chain still do not understand the underlying principles needed to maintain firm wide fit-for-purpose data and evidence of cultural change is thin on the ground.

Lessons for GDPR implementation:

  • Top level sponsorship is essential
  • Ongoing communication is needed
  • Measures of success are critical
  • Personal data will exist in more areas than you imagine
  • Data is at the heart of the business and needs to be managed as an asset for the overall benefit of the firm.

Should IT be invited to the wedding?

IT has had a lot of bad press for being more interested in technology and less interested in benefits for the firm, while outsourcing of critical systems and staff has meant a huge loss of knowledge and expertise. If you haven’t already done so, it’s time to forgive, forget and embrace. IT needs to be at the heart of change for GDPR.

Lessons for GDPR:

  • Major effort lies in adapting legacy systems and processes
  • ‘Privacy by design and default’ is a core concept within GDPR and must be embedded in new systems and crafted onto existing legacy systems and networks
  • ‘Consent management’ requires careful analysis, planning and change, (great article here from Sima Nadler).

How about inviting the wider family?

GDPR assigns liability for breaches to firms and their sub-contractors so contracts need to be in place and transparency within and between firms needs to exist. Changes envisaged in GDPR are of a cultural nature, whereby people around the firm (and its subcontractors) all need to understand ‘privacy by design’ and know what to do in the case of breaches, near misses and spotting weaknesses.

Lessons for GDPR:

  • Culture and values are critical, firm wide communication and training is needed
  • Incorporate sub-contractors so they know what to do and have capability consistent with your firm.

What is audit doing at the back of the church? It should at the front.

The role of audit is changing as the world becomes more data centric and regulators do not have bandwidth to carry out detailed assessments. Audit has to self-regulate and evaluate how different parts of the business address regulation and other pressures. Audit has a unique perspective and needs to feed that into the front end of the design process.

Lessons for GDPR:

  • Data is at the heart of business, audit needs to become increasingly savvy and proactive
  • Audit needs to collaborate with architecture/IT to formulate taxonomies and classifications that can be used use consistently around the firm. Audit use these to build data consistency into every audit it does.

Who is on the top table at the wedding?

The success of GDPR implementation depends on cooperation, collaboration and the support of a broad community within and beyond a firm’s boundaries.

Who needs to be on the top table?

  • A board member, privacy is a board level responsibility with powerful sanctions to make top management take notice
  • Legal counsel or a data protection officer
  • Heads of data governance, operational risk and compliance
  • Heads of IT/IS, change and data management
  • Heads of product/sales/marketing/customer service/KYC/AML and other stakeholders for personal data
  • Head of HR.

What should be in the dowry?

Governance functions should reach out to privacy and ensure they provide a dowry incorporating:

  • Existing data dictionary definitions, lineage/data flows, quality measures
  • An honest assessment of the capabilities and effectiveness of their lineage work
  • An honest assessment of the current state of data ownership and accountability
  • A set of data governance tools.

I hope you enjoyed reading about the wedding. Feel free to use the analogy as you wish. Further information on the topic and related events can be found here:

The Data Management Industry Forum for Privacy

The Data Management Agenda for Privacy

Related content

WEBINAR

Recorded Webinar: Managing the transaction reporting landscape post Brexit: MiFID II, SFTR, EMIR

The transaction reporting landscape has, for many financial institutions, expanded considerably in size since the end of the UK’s Brexit transition period on 31 December 2020 and the resulting need for double reporting of some transactions to both EU and UK authorities. It has also changed dramatically following the UK government’s failure to reach equivalence...

BLOG

A-Team Group Introduces 2021 Innovation Awards

Here at A-Team Group we have been working hard on plans to celebrate innovative projects and teams with the launch of our A-Team Innovation Awards. The awards are designed to reward teams that have found innovative ways to make use of new and emerging technologies to solve challenges at financial institutions in capital markets. The...

EVENT

Data Management Summit London

The Data Management Summit Virtual explores how financial institutions are shifting from defensive to offensive data management strategies, to improve operational efficiency and revenue enhancing opportunities. We’ll be putting the business lens on data and deep diving into the data management capabilities needed to deliver on business outcomes.

GUIDE

Entity Data Management Handbook – Seventh Edition

Sourcing entity data and ensuring efficient and effective entity data management is a challenge for many financial institutions as volumes of data rise, more regulations require entity data in reporting, and the fight again financial crime is escalated by bad actors using increasingly sophisticated techniques to attack processes and systems. That said, based on best...