In this article Scott Bancroft, Capco’s Chief Information Security Officer, discusses the five key steps businesses must take to gain from the General Data Protection Regulation (GDPR).
In the run-up to the GDPR deadline on 25 May, many companies were gripped by panic. This new EU data privacy law, designed to overhaul how businesses process and handle data, certainly presented some operational challenges for companies.
However, as they joined the mad rush to comply or die, many financial services firms seemed to miss that getting GDPR ‘right’ could bring them opportunities that most have been seeking to fulfil forever - a single view of the customer’s data and effective information management in the digital age.
Getting a single view of all data held on a customer has largely become the ‘holy grail’ these days - allowing businesses to track their customers and communications across all marketing channels and, as a result, turn that data into viable business intelligence. While the big online retailers have been making a success of this for years, few financial services businesses have. Why? Many haven’t had the financial impetus before, and their technology infrastructure hasn’t been up to it.
So how can GDPR help? Most recent financial regulations (such as MiFID II, Open Banking and GDPR) have elements of data privacy requirements that must be fulfilled. If companies manage GDPR compliance properly, they will spend significantly less time, effort and money on managing other regulations - and achieve a much-improved level of information management – irrespective of the type of information – in the process.
This requires a unified and consistent approach to information throughout its lifecycle, not forgetting records management across the business, which GDPR brings back with a vengeance. Under GDPR, unused or ‘stale’ data must now be disposed of, which in turn gives companies the ability to respond properly to data subject access requests and to perform defensible disposition.
Here are my tips on how you can discover the Holy Grail:
1) Assess your existing ‘maturity’ in terms of GDPR compliance… and identify any gaps.
This requires looking at the maturity of your whole organisation – and additionally from the perspective of company functions handling customer data, such as human resources, sales & marketing and finance. Remember: the regulator won’t absolve you if all but one of your teams is GDPR compliant!
Company processes and systems should therefore cover all types of business information, not just those pertinent to GDPR. This includes all information repositories in a company, down to end-user computing equipment.
2) Set up an information management programme.
Once a gap assessment has been completed, create an internal team responsible for information management strategy. This needs to have support at board level, to give it the prominence it deserves.
The programme should not just concern GDPR, which will undoubtedly be updated or surpassed by new laws and regulations in due course, but all data matters.
To be truly effective, the team must additionally contemplate how it can consolidate existing regulatory and compliance change programmes throughout the business. For instance, many businesses have multiple enterprise resource planning (ERP) systems. That in turn means not only going through the GDPR consent process multiple times, but also adding to the risk of a breach!
3) Fill in the gaps you find from your assessment.
The difficulty comes with discovering where data comes from, how it is used, and where it resides. Therefore, data management needs to become a continual process of reviewing and tracking these elements.
It should be noted that this is not a purely technology-related activity - it must include non-techie representatives who fully understand the business processes that the information supports.
4) Be certain of your evidentiary capabilities - now and for the future.
Go through GDPR and read it - yes, all 88 pages! When it comes to data protection, it’s no longer ‘innocent until proven guilty’: the regulator now needs proof of compliance. Enlisting the help of internal audit should help with this.
To put this into motion, consider what evidence you need, why you need it and how long you’ll retain it. Knowing the legal citation for the retention of each type of information across the whole business therefore becomes an imperative.
Also, GDPR gives data subjects additional rights and specifies the times within which companies must comply. This means litigation has the potential to become more commonplace in financial services, and some people will want to take advantage of GDPR. For example, GDPR requires you to delete data subject information within 30 days of the request (up to 90 if sufficient complexity can be demonstrated). Yet, you need to know where the data is, that it uniquely identifies the requester, that they are actually the requester (as opposed to a fraudster or third party), and that the data does not have to be retained for any other legal or regulatory reason. This is a true step-change in the ability of companies to manage information – could your company do this today?
5) Know your risks.
You need to ascertain whether the third parties (i.e. vendors) you are working with are also GDPR compliant. Your GDPR contracts will therefore require model clauses and risk assessments to ensure these third parties are up to speed. This will in turn give you the opportunity to review both data privacy contractual terms and controls, and to drive improvement within your third-party risk management process, resulting in a far clearer picture of the level of risk and allowing a more accurate evaluation of whether it is within your risk appetite.
GDPR is what we all should have been doing for years. However, it should be seen as an ongoing process that does not finish at the end of a specific project. It may be painful, but it’s absolutely the right thing to do. As technology and the world move on, GDPR will evolve.
Do not only think about how you meet the minimum requirements of GDPR, but how you’ll use the lessons learnt to anticipate and be ready for the next generation of data privacy requirements. Wouldn’t it be a differentiator if all customer data was available quickly and simply – benefiting both the business and the consumer? That has to be the Holy Grail.
How great would it be to go to your boss with a cheaper and more streamlined approach to information management?