The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC in Spring 2018 as the primary law regulating how companies protect EU citizens’ personal data. Companies that are already in compliance with the Directive must ensure that they are compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.
Why was the GDPR drafted?
There are two main drivers behind GDPR. Firstly, the EU wants to give people more control over how their personal data is used. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.
Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
The purpose of the GDPR is to impose a uniform data protection law on all EU member states, so that no member state needs to write its own data protection laws and the rules are consistent across the entire EU. It is also important to note that any company that markets goods or services to EU residents, regardless of where it is located, is subject to the regulation. As a result, the GDPR will have an impact on data protection requirements globally.
What are the requirements of GDPR?
To give you an idea of what will be expected, here are some of the requirements:
- Each individual must give explicit consent for their personal data to be collected and used.
- These individuals must understand how their information is going to be used.
- Companies must clearly state the legal remedies available to individuals should data processing not comply with its agreed-upon use.
- All personal data must be wiped after a prescribed period of time.
- In the event of a serious cyberattack, companies must inform all those affected by the security breach, as well as the Information Commissioner’s Office, within 72 hours.
So what should my bank or financial institution do to comply with GDPR?
Aside from large technology companies, banks are among the businesses most directly affected by the GDPR, since they hold large amounts of data about private individuals.
The GDPR touches several aspects of a bank’s organization, processes and systems, each of which needs to be addressed in order to achieve compliance:
- Establish a privacy office and a privacy change agenda, as well as senior management reporting on personal data protection
- Develop and implement a target operating model for data protection governance, with policies and a framework covering organization, processes and roles and responsibilities (controller, data protection officer, etc.)
- Roll out a defined, bank-wide privacy organizational setup, implement committees and integrate the new roles into the existing network
- Implement processes to identify the relevant scope of personal data (personal data required by regulation vs. data that is not required)
- Define and implement processes for customer consent management, disclosure of stored personal data and correction of incorrect personal data
- Design, implement and document privacy impact assessments, and train the responsible staff in the relevant processes
- Review and adapt the current IT architecture for storage, transformation and processing of personal data so that it fulfills GDPR requirements
- Expand data management and establish or extend data lineage to comply with data protection requirements
- Perform a personal data inventory, create a harmonized business glossary and map all personal data
Implementing the GDPR is not an option but a legal requirement, and it demands a high degree of commitment and resources from banks. However, the new requirements also offer banks the opportunity to rethink data protection and to combine what is necessary with what is useful. Answering questions like “where is the data stored” or “which part of the bank is in control of the data” is a regulatory requirement; at the same time, banks have to start thinking about which data they own and how best to make use of it.
People are becoming increasingly sensitive to the topic of data protection and are willing to pay for their privacy. A bank offering the highest security standards might therefore be able to charge its customers a premium for that standard. The integrity of a bank can be a significant competitive edge when competing for customers. To conclude, banks should not focus only on the regulatory effort associated with the GDPR, but rather on the numerous opportunities offered by a well-designed internal data protection framework.
How about my systems and what do I need to think about?
The digital economy requires you to be innovative. With regard to the regulation, you need a competitive service offering that provides transparency to internal operations, customers and partners. By using a reliable, secure and scalable infrastructure provided by a modern business integration platform, you can:
- Manage and secure the increase in data and streamline all data flows
- Automate operational controls that relate to the regulation
- Gain insight into operational performance
- Manage any channel to deliver innovative products and services while leveraging existing assets
Don’t let compliance drag you down; tackle your compliance hurdles now with SEEBURGER.
Find out how SEEBURGER can help your company become compliant: