GDPR: Next stop in the 2018 compliance race
For those who believe that “go-live” is merely the beginning of the end of the compliance journey, next year will mark yet another milestone in major regulatory implementation. 2018 starts with the long-anticipated go-live of the revised Markets in Financial Instruments Directive (MiFID II) on 3 January, followed four months later, on 25 May, by the General Data Protection Regulation (GDPR), which mandates much stricter controls on the security of personal data and on the governance of internal and external data transfers. With the Securities Financing Transactions Regulation (SFTR) on the horizon for 2019, the end is not yet in sight.
Firms that have been gearing up for the MiFID II implementation would have done well to consider GDPR as part of these preparations to avoid hurtling from one regulation to another, as both mandates will cause enormous upheaval due to the presence of legacy systems and disparate data structures.
Preparing for MiFID II implementation has put enormous pressure on financial firms’ data processing systems. The volume and variety of data to be processed, analysed and reported will increase sharply. While some firms may have merely patched up existing legacy systems to satisfy these complex requirements, it is highly unlikely that the same approach will meet the stipulations of GDPR, as the regulation presents some unprecedented technical and operational challenges.
At the heart of GDPR is the requirement to understand the complete data structure and data workflow within an institution. To do so, firms will have to demonstrate that they can identify the data source – a natural person (data subject), the firm itself or a third party – and understand the lawful basis, including any required consent, for each data attribute falling within the scope of the regulation. Moreover, when preparing their data infrastructure for 25 May, firms should take into account the impact of any overriding regulations that mandate data retention for compliance purposes, such as FCA record-keeping requirements: those records cannot simply be erased on request.
Once the individual data attributes have been identified, firms would be wise to document the flow of data throughout their systems thoroughly; this applies to the unmasked data attribute itself as well as any data derived from or linked to the original attribute. Firms must also ensure they record every data exit point from the system; this could be something as simple as an Excel spreadsheet saved onto an internal drive, or the submission of data to a third party for regulatory reporting.
Furthermore, firms will need to fully understand their use of third-party data providers and carefully document all interactions. Two significant developments in financial services in recent years have been the increased acceptance and use of cloud data storage, and outsourced utility providers that have taken on back-office technology and staff. However, as banks (“data controllers”) remain responsible for the data, they will need to satisfy themselves that their appointed data processors meet the required standards; this will be both contractual, such as updates to existing contracts, and audit based – including on-boarding and compliance assessments. It is important to note that, under GDPR, data processors will for the first time carry direct statutory liability of their own. In this context, data controllers may do well to check that their processors hold ISO 27001 certification, which is a reasonable proxy for information security and breach-management practice, though not by itself evidence of GDPR compliance.
Perhaps the most significant challenge, and the one that underscores the importance of understanding the complete data structures and flows within firms’ systems, is contained within the eight “rights” for individuals under GDPR. Likely to prove most challenging are the right of access, the right to data portability, and the right to erasure (also known as the right to be forgotten). Firms must, therefore, implement procedures that enable them to locate and extract the required data quickly upon request. The right to erasure in particular – where it does not conflict with existing EU or member state laws and regulations – will affect every system that stores data that can be directly attributed to an individual. The requirement extends to any saved documents that may reference a client, including stored archives and back-ups. The latter should not be underestimated!
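The procedure described in the preceding paragraphs (identify where each attribute enters, document every flow and exit point, then scope an access or erasure request against overriding retention rules) can be modelled as a small data-flow register. The following is an added example, not code from the original article: the store names, attributes and the “MiFID II / FCA record-keeping” hold are constructed for illustration, and the `Register` class and its methods are hypothetical. It follows derived attributes (such as a hash of an e-mail address) as well as the raw attribute, and separates stores to erase, stores under a legal hold, and third-party processors that must be instructed to erase.

```python
"""Illustrative data-flow register for scoping GDPR access/erasure requests."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Store:
    name: str
    kind: str            # "system", "backup", "exit_point" or "third_party"
    legal_hold: str = ""  # non-empty when an overriding retention rule blocks erasure


@dataclass
class Register:
    stores: dict = field(default_factory=dict)
    flows: dict = field(default_factory=lambda: defaultdict(list))   # src -> [(dst, attrs)]
    origins: dict = field(default_factory=lambda: defaultdict(set))  # attr -> entry stores
    derived: dict = field(default_factory=lambda: defaultdict(set))  # base attr -> derived attrs

    def add_store(self, store): self.stores[store.name] = store
    def add_origin(self, attr, store): self.origins[attr].add(store)
    def add_flow(self, src, dst, attrs): self.flows[src].append((dst, frozenset(attrs)))
    def add_derived(self, base, derived): self.derived[base].add(derived)

    def related(self, attr):
        """The attribute plus everything derived from it, transitively."""
        out, stack = set(), [attr]
        while stack:
            a = stack.pop()
            if a not in out:
                out.add(a)
                stack.extend(self.derived[a])
        return out

    def locations(self, attr):
        """Every store the attribute (or a derivative) reaches: BFS over recorded flows."""
        attrs = self.related(attr)
        seen = set()
        queue = deque(s for a in attrs for s in self.origins[a])
        while queue:
            store = queue.popleft()
            if store in seen:
                continue
            seen.add(store)
            for dst, carried in self.flows[store]:
                if carried & attrs:        # only follow flows that actually carry the data
                    queue.append(dst)
        return seen

    def exit_points(self, attr):
        """Stores outside the firm's core systems where the attribute ends up."""
        return sorted(n for n in self.locations(attr)
                      if self.stores[n].kind in ("exit_point", "third_party"))

    def erasure_plan(self, attr):
        """Split reachable stores into: erase now / retain under hold / instruct processor."""
        erase, retain, external = [], [], []
        for name in sorted(self.locations(attr)):
            s = self.stores[name]
            if s.legal_hold:
                retain.append((name, s.legal_hold))
            elif s.kind == "third_party":
                external.append(name)
            else:
                erase.append(name)
        return erase, retain, external


def build_sample_register():
    """Constructed sample: a CRM feeding trade capture, reporting, backups and a spreadsheet."""
    reg = Register()
    for st in (Store("crm", "system"),
               Store("trade_capture", "system", legal_hold="MiFID II / FCA record-keeping"),
               Store("reporting_feed", "third_party"),       # outsourced regulatory reporting
               Store("nightly_backup", "backup"),
               Store("ops_spreadsheet", "exit_point"),       # Excel export on a shared drive
               Store("marketing_analytics", "system")):
        reg.add_store(st)
    for attr in ("client_name", "client_email", "lei"):
        reg.add_origin(attr, "crm")
    reg.add_derived("client_email", "email_hash")            # pseudonymised copy still in scope
    reg.add_flow("crm", "trade_capture", {"client_name", "lei"})
    reg.add_flow("trade_capture", "reporting_feed", {"client_name", "lei"})
    reg.add_flow("trade_capture", "nightly_backup", {"client_name", "lei"})
    reg.add_flow("crm", "nightly_backup", {"client_name", "client_email"})
    reg.add_flow("crm", "ops_spreadsheet", {"client_email"})
    reg.add_flow("crm", "marketing_analytics", {"email_hash"})
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for attr in ("client_name", "client_email"):
        print(attr, reg.erasure_plan(attr), "exit points:", reg.exit_points(attr))
```

Running the sample shows why the back-up and derived-data points matter: an erasure request for `client_name` reaches the nightly backup and the third-party reporting feed, while the trade capture system is correctly reported as retained under the record-keeping hold rather than silently skipped; an erasure request for `client_email` also picks up the analytics store that only ever held a hash of the address.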
Similar to MiFID II, GDPR’s reach is extraterritorial. The regulation applies to any entity that controls or processes the personal data of individuals in the EU, regardless of where the entity itself operates; this means that a company based outside the EU that handles the data of people in the EU will be subject to GDPR’s stringent requirements.
The penalties for non-compliance are well documented – up to 4% of an organisation’s global annual turnover or €20 million, whichever is higher. Less well known is that supervisory authorities will also have the power to impose a temporary or definitive limitation, including an outright ban, on the processing of personal data, which could be far more damaging to a firm’s business than a fine.
GDPR should not be viewed merely as a burdensome regulation. For financial institutions taking a long-term view, it offers a chance to rationalise and simplify data structures and to review internal processes. For those that do – especially within financial services – there is a real opportunity and competitive advantage in being able to demonstrate that they get data protection right.