The whole EU region is chanting a mantra now: GDPR (General Data Protection Regulation), whose compliance mandate will be enforced starting 25 May 2018. GDPR is a program brought into place to develop, implement and improve customer data privacy and data protection. GDPR is mandatory for any organization that stores or processes the personal data of individuals in any member country, and so the requirements of the EU are leading the world in terms of data subject rights. Because of its wide, transnational scope, the GDPR compliance mandate may impact organizations located outside the European Union as well. Organizations should evaluate whether they fall within the scope of GDPR and should work to reach compliance with its requirements in a timely manner.
How is GDPR structured?
The GDPR has around 99 Articles and carries very strict penalties for any organization that fails to protect its data to the standards that the EU requires. There are also over 170 "Recitals", which give greater meaning and clarity to the GDPR Regulations. If an organization fails to meet the GDPR regulations, it will face a maximum fine of 4% of its global turnover or 20 million Euros, whichever is larger. For medium-sized companies there is a very real danger that a serious data breach could put them at serious risk of failure.
Impact on Banking Sector
The following are my views on how implementing GDPR will impact the Banking Sector!
- Data Classification needs to be applied on personal data of customers
- Reporting of data breaches will become mandatory
- A robust Incident Management capability has to be established (Breach Management)
- Secured communication channels (encryption) have to be established
- We need to develop and implement a Data Protection Governance Framework with the relevant policies, processes, and roles and responsibilities
- Appointment of a Data Protection Officer is mandatory (the ISO will play this role)
- We may have to revisit the TOR of Information Security Committee to add Data Privacy aspects
- Customer data needs to be deleted based on customer request
- We should get explicit consent from customers on using their personal data for any sort of business purposes
- More rigor has to be applied on KYC Process
- Customers will have the right to transfer the storage of their data based on their preferences
- Customers will have the right to request their personal data in the format they desire. This will require us to have a strong report generation system/capability in place.
- Data quality has to be given focus, and poor-quality data needs to be rectified through periodic reviews.
- Specific clauses need to be introduced into contracts signed with third-party data processing firms used by the bank
- On a periodic basis we need to commission privacy impact assessments.
- On a periodic basis we need to review and enhance our current IT architecture supporting the storage, transformation and processing of personal data to fulfil GDPR requirements
- We need to develop and implement a Metadata Management system and establish / expand data lineage to comply with data protection requirements.
- We need to perform a personal data inventory and map all personal data through a glossary.
- IT systems currently used for data processing have to be designed to ensure the best possible data protection from the outset (i.e., compliance with the principles of transparency, of data minimisation, of proportionality, etc.).
- An impact analysis will become mandatory if certain categories of personal data (e.g., health, racial and ethnic origin, political opinion, etc.) are processed or processed personal data is used for any kind of profiling.
- Cross-border data transfer will be prohibited
- A clear process and procedure has to be established for managing all external vendors handling our customer data
Implementation of a Data Governance Program will simplify GDPR Compliance
Data Governance refers to an overarching strategy that encompasses the policies, processes (including technologies), and people involved in managing and protecting data. An effective data governance program will be both proactive and reactive. It is designed to protect the data and prevent any unauthorized access or exposure, but also contains a response plan that can be put in place quickly if a breach occurs.
Data governance applies to many different types of data. Data can be classified in many different ways, and effective data governance involves classifying data according to its security requirements. GDPR focuses on personal data. It also addresses special categories of personal data, also referred to as sensitive data. This is personal data that contains information about the data subject's racial or ethnic origins, political opinions, religious or philosophical beliefs, physical or mental health, sex life, genetic and biometric data, or membership in a trade union. It also includes information regarding criminal history and criminal court proceedings against a data subject.
Personal data is protected by the GDPR. Its disclosure could subject the data subject to substantial risk of loss of privacy as well as criminal victimization (e.g., identity theft). All personal data should be protected by the highest levels of security.
A Data Governance program shall protect the needs of data owners and other stakeholders who could affect or be affected by the data. These include those who create data, those who use data, and those who set rules and requirements for data. The focus in this paper is on protecting the privacy, confidentiality, and integrity of the personal data of EU citizens to help comply with the GDPR.
“Implementation of GDPR aims to gain people’s trust in the responsible treatment of their personal data in order to boost digital economy across the European Union Business fraternity”.
In the bigger picture, GDPR will bring structured Data Governance into practice by giving more rights to customers and placing increased onus on businesses to secure customer data. Implementation of GDPR will bring in a customer-driven approach to information sharing, where the customer is fully empowered to share and rescind both their consent and their data.