
Advise. Change. Do.

GENERAL DATA PROTECTION REGULATION (GDPR) ARE YOU PREPARED?


The aim of GDPR is to empower individuals to make informed decisions about the data they generate while using an organisation’s IT systems, including its website and apps. Under the terms of the legislation, financial companies that collect the data must ensure that individuals are made fully aware of the reason for collecting it and of the way in which it is stored and processed. It is the responsibility of the company to protect the data and to dispose of it when there is no longer a valid business need for it. Previously this was implicit; the new GDPR data protection rules make it legally binding. In addition to significant reputational damage, offenders risk fines of as much as 4% of their global turnover (revenue) and expose themselves to lawsuits from clients.

To become compliant, companies face the highly complex task of assessing, on a very short timeline, the impact the new rules will have on their current data protection practices. They need to bridge the gaps identified between the policies and their current state, update IT systems and partnerships with vendors, and ultimately adopt “Privacy by Design” as a core value of their organisation. The quality of implementation is also of vital importance, with a particular emphasis on preparation.

After more than four years of negotiations and over 4,000 amendments, the new EU data protection regulation was adopted in May 2016 and has the potential to massively impact the financial services sector. Known as GDPR, the General Data Protection Regulation comes into force in May 2018 and will be the legal framework to govern the way companies handle data generated by EU citizens in an increasingly data-driven world. The regulation is not restricted to countries within the EU border and applies to the data of all EU citizens regardless of where the person or data is located. As a result, its implications stretch right across the globe.


Figure 1: GDPR Fundamentals

Balancing the rights of the individual and organisation

• Rights of individual: privacy; portability

• Rights of organisation: legitimate business use

Plan of action

• Understand current data use

• Test and maintain compliance

• Create privacy by design

• Remediate non-compliance

• Plan for consumer and regulator requests

Teams involved

• Technology

• Compliance

• Data

Key considerations when addressing GDPR challenges: 1) Balance the rights of the individual and the organisation, 2) Create a plan of action to implement a complex set of regulations, and 3) Involve the right stakeholders to implement that plan.


GDPR KEY BITES

Scope of personal data

The definition of personal data has been expanded. It now not only includes things that directly identify an individual, such as a name, an address or a tax ID number, but also other types of data, including IP addresses and system IDs or cookies. Even the account mnemonics often used by financial companies to specifically identify individuals would be included. Data that cannot be used to identify an individual is out of scope for GDPR.

Justification for processing and consent

GDPR raises the bar for the “legitimate interest” required for collecting and processing personal data. Individuals must be presented with the business purpose for each collected item. This must be done at the exact time of collection – for example, during client onboarding. Explicit consent is required for data to be collected and processed. Consent can be retracted at any point, and can never be considered implicit (i.e. no pre-ticked boxes).

Security, liability and data breach notification

Under GDPR, both the data collector and processor are responsible for the security of the collected data. This is especially relevant for financial services companies that employ an outsourcing model. Third-party vendors can only be chosen from partners that can ensure full compliance with GDPR. Vendors cannot shift the legal responsibility for determining the security requirements to clients. The contracts for services must be future-proofed with clear stipulation of the responsibilities and the data protection requirements. Security policies are subject to continuous tests to assure robustness across the whole data-processing chain.

In the event of a breach, companies must report it to the local Data Protection Authority without undue delay, and no later than 72 hours after the occurrence.

Fines and enforcement

The fines for failure to comply with the regulation are one of the biggest changes GDPR brings. The proposed sanctions range up to a staggering €20 million or 4% of a firm’s global turnover – a figure that has been revised up from the 2% proposed earlier.

Data protection officers

Under the current regulation, financial companies can voluntarily appoint a Data Protection Officer (DPO) to oversee the handling of data within the company. However, under GDPR, DPOs are mandatory for certain cases. The DPO should be a domain expert, and there is talk about special certifications and standardisation of knowledge to evidence competency. The DPO function can be outsourced and shared with other companies.

International data transfers

The new regulation does not prohibit the international transfer of data. However, the destination countries are restricted to an approved list, with a satisfactory level of protection.

Global reach

GDPR focuses on protecting the rights of European customers. As a result, the regulation not only applies to financial entities registered within the EU, but also to companies registered in non-member countries who offer their services to EU citizens.

Data portability

Another new concept introduced by GDPR is data portability. In broad terms, this allows anyone to ask for personal data collected about themselves to be provided in a readable format without any hindrance from the Data Controllers. This could include any financial regulatory reporting that identifies the individual. The individual can then provide this data to any other vendor, who should be able to fully integrate it into their own systems.


IMPACT OF GDPR ON YOUR ORGANISATION

Given the fast-approaching deadline of May 25 2018, companies should act now to assess the impact of the GDPR requirements on their data protection standards, policies, client-facing websites and IT systems. Brickendon does not recommend looking for an off-the-shelf solution, since our extensive experience tells us that each company faces its own challenges and requires a bespoke solution adapted to suit its internal structure and IT landscape. However, the areas which will be most heavily impacted by GDPR can be grouped into certain themes (listed below by severity of impact and remediation effort):

Figure 2: Areas impacted by GDPR, rated Highly, Moderately or Slightly Impacted for each of HR, IT, Process and Legal & Compliance

• Data privacy by design

• Consent & business justification

• Data storing & accessibility

• Data governance

• Supplier chain & partner review

• Data breach reporting

• Staff training & upskilling


Figure 3: Example of areas of a bank impacted by GDPR

Client Management

Client onboarding

• ID papers and social media profiles

• PEP/AML/KYC

Sales & CRM

• Personal identifiers and voice recordings

• Sales & call sheets, handwritten notes

Account & portfolio creation

• Client account mnemonics and IDs

• ISDA & legal documents

Trade Lifecycle

Settlement

• Bank accounts

Ledger

• Account IDs

• Mnemonics

Risk management

• Account IDs & mnemonics

• Internal emails, chats and archiving

Trade execution & capture

• Account IDs and ecommerce logins and profiles

• IP addresses and archiving

Trade/regulatory reporting

• Counterparty and tax IDs

• Delegated reporting logins and emails

Support Functions

HR & internal

• Employee contacts and system logins

• Payroll and third-party benefit providers

Research

• Emails, contact details and IP addresses

• System access audit trails and usage stats

Vendor management

• Contracts

• Negotiations records

Legal compliance & surveillance

• Contracts

• Suspicious activity report

Big data and BI

• Unstructured data sets

• Management reports


IS YOUR ORGANISATION COMPLIANT?

In order to assess compliance, firms need to conduct a bespoke analysis of their data privacy capabilities to outline the gaps between their current state and the GDPR requirements. Key stakeholders throughout the organisation will need to be engaged and all IT systems, databases and client-facing websites and portals analysed.

It is however possible to conduct a quick self-assessment by asking a simple set of questions, which will give a cursory understanding of where your business is with respect to GDPR. A negative, unknown or unsure answer normally highlights an area which requires investigation:

Questions to consider, and how Brickendon can help:

Client consent

Questions to consider:

• Are my methods of seeking, acquiring and recording client consent transparent to the client and explained in simple, easy-to-understand language?

How Brickendon can help:

• Review the grounds for data collection

• Review consent gathering and storing methods and ensure they are transparent

• Validate that consent is active, explicit and can be withdrawn at any point

• Review processing operations – make sure that separate consents are obtained

Data held

Questions to consider:

• What personal/sensitive/proprietary data do I hold?

• Where is it stored? Do my systems allow me to easily distinguish which type of data it is?

• Do I have a legal basis or a legitimate business need for all of it?

How Brickendon can help:

• Conduct data audits

• Build data flows to map what data you have and where it is stored (systems, databases, spreadsheets)

• Conduct data analysis to determine the type of data held (e.g., proprietary, personal or sensitive)

• Advise on pseudonymisation – masking data so it cannot be attributed to a specific “data subject”

• Review and document the legal basis for holding data

Data privacy by design

Questions to consider:

• Is data privacy embedded in my company culture?

• Should I conduct a Privacy Impact Assessment (PIA), which is mandatory for high-risk situations?

How Brickendon can help:

• Identify high-risk operations which will require a PIA

• Conduct the PIA, following the code of practice issued by the Information Commissioner’s Office

• Review and help write policies and procedures

• Identify the mechanism to demonstrate compliance to the regulators – legally required

Partnerships and international data transfers

Questions to consider:

• Is my offshoring strategy compliant with GDPR?

• Am I confident I can still transfer data internationally?

• Are my partners compliant with GDPR?

• Are the contracts with my partners future-proofed? Do they have clauses about responsibility/liability for data protection?

How Brickendon can help:

• Map the international data flow

• Review data transfer mechanisms

• Advise on data clauses in the procurement templates and contracts

Individuals’ rights

Questions to consider:

• Are my processes, IT systems and data repositories set up to respond to our clients’ rights with regards to their data?

How Brickendon can help:

• Advise on steps towards compliance:

- Right of erasure

- Data portability and client data request

- Right to object

- Right to opt out of profiling
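The pseudonymisation step listed under “Data held” above, shown as an added illustration that is not Brickendon’s tooling or code from this brochure: personal fields from the page’s own list (name, tax ID, IP address, account mnemonic) are replaced with keyed HMAC tokens, so records stay linkable for processing but cannot be attributed to a data subject without the key. It assumes the key is held in a separate key store (the records and the key value here are constructed for the demo).

```python
"""Keyed pseudonymisation of client records (added illustration, not Brickendon's).

Pseudonymised data is still personal data under GDPR, but re-linking it to the
individual requires additional information kept separately. Here that is the
HMAC key (assumption: loaded from a secrets manager, never stored with the data).
A keyed hash, not plain SHA-256, is used so a low-entropy field such as a 9-digit
tax ID cannot be brute-forced back from its token."""
import hmac
import hashlib
import secrets

# Fields the brochure classes as personal data: direct identifiers plus the
# indirect ones (IP addresses, account mnemonics) that GDPR brings into scope.
PERSONAL_FIELDS = {"name", "address", "tax_id", "ip_address", "account_mnemonic"}

# Constructed sample records, not real client data.
SAMPLE_RECORDS = [
    {"name": "A. Example", "tax_id": "123456789", "account_mnemonic": "EXMPL01",
     "ip_address": "192.0.2.10", "product": "FX forward", "notional": 1_000_000},
    {"name": "A. Example", "tax_id": "123456789", "account_mnemonic": "EXMPL01",
     "ip_address": "192.0.2.10", "product": "IRS", "notional": 5_000_000},
    {"name": "B. Sample", "tax_id": "987654321", "account_mnemonic": "SMPL02",
     "ip_address": "198.51.100.7", "product": "FX forward", "notional": 250_000},
]


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic per-field token: same subject -> same token, so records stay
    linkable for analytics; binding the field name stops tokens colliding across
    fields. Truncated to 16 hex chars for readability; keep the full digest in use."""
    msg = f"{field}\x00{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace every personal field with its keyed token; copy other fields as-is."""
    return {f: pseudonym(key, f, str(v)) if f in PERSONAL_FIELDS else v
            for f, v in record.items()}


def leaks_identifier(original: dict, masked: dict) -> bool:
    """Audit check: does any original personal value survive verbatim in the output?"""
    sensitive = {str(v) for f, v in original.items() if f in PERSONAL_FIELDS}
    return any(str(v) in sensitive for v in masked.values())


def run_demo(key: bytes = b"") -> list:
    """Pseudonymise the sample set; a fresh random key stands in for the key store."""
    key = key or secrets.token_bytes(32)
    return [pseudonymise(r, key) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Running it prints the three records with only product and notional left in the clear; the two records belonging to the same subject carry identical tokens, which is what keeps portfolio-level reporting possible on the masked copy.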



GDPR – YOUR ORGANISATION’S OPPORTUNITY TO EVOLVE

For a company operating in the financial services sector, it is important to see GDPR not as another regulatory burden, but as a real opportunity to make the way you handle data a selling point, and a strong platform to grow and evolve in today’s data-driven world. Becoming compliant is just as much about the journey as it is about the destination, as it requires comprehensive self-assessment and analysis of data from an end-to-end perspective (something which most organisations have probably not done in the past).

The benefits of compliance are real and have the potential to transform into more revenue for financial services, especially if you stand out amongst your peers.

Figure 4: Benefits of GDPR

Lower Admin Costs: An end-to-end strategy for data minimises the cost for monitoring compliance and reduces the risk for expensive late fixes.

Consistency: The systems and policies become predictable. The time and effort needed to report breaches, extract data or obtain BI is minimised.

Stand out in the Market: The positive attitude towards data becomes a selling point and a valuable asset when winning new business.

Compliance: The organisation becomes legally compliant and is in a good position to react quickly to client demands.

Client Satisfaction: Your clients will appreciate the safety of their data. Data breaches have a devastating impact on a company’s reputation.


GDPR IS GOING TO BE THE BIGGEST CHANGE TO DATA PROTECTION REGULATION IN MANY YEARS AND FINANCIAL SERVICES COMPANIES NEED TO ENSURE THEY ARE READY. FAILING TO ACT NOW COULD NOT ONLY COST FIRMS SUBSTANTIAL AMOUNTS OF MONEY IN TERMS OF FINES, BUT ALSO THE LOSS OF FUTURE INCOME AS A RESULT OF SEVERE REPUTATIONAL DAMAGE.


© 2017 Brickendon Consulting Limited. All rights reserved. In the absence of specific statements to the contrary, copyright for this publication vests in Brickendon Consulting Limited. Brickendon grants permission for the browsing of this material and for the printing of one copy per person for personal reference only. The express permission of the copyright holder must be obtained for any other use of this material. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.

[email protected] www.brickendon.com +44 203 693 2605

Brickendon is an award-winning transformational consultancy specialising in innovative solutions that solve our clients’ challenges quickly and efficiently. We are experts in digital, data and automation, with a particular focus on DevOps and agile methodologies, digital transformation, rapid prototyping, product development and the automation of support and business/IT processes. Our aim is to disrupt the market with the latest machine learning, automation, data analytics advisory and programme delivery. We do this in weeks and not months, saving our clients time, money and protecting their reputation.

WE SOLVE YOUR CHALLENGES

Why choose Brickendon?

Our track record: We have demonstrated a long, proven track record of transforming our clients through our innovative bespoke solutions.

Our innovative approach: No one client is the same therefore our intelligent, experienced and focused consultants use their domain experience to address each challenge in an innovative way, using skills from their past and knowledge from Brickendon’s continual learning hub.

Our resources: Our onshore, offshore and nearshore capabilities mean we are well placed to cater for all our clients’ needs, making the best use of our consultants’ 10 years-plus domain experience.

Our passion: We love what we do and thrive on improving our clients’ profitability, efficiency and increasing their competitive edge. We are driven to develop the most innovative solutions and take pride in seeing the tangible benefits of a project come to fruition.