10 ways financial services organisations are preparing for the GDPR
21 December 2016
The General Data Protection Regulation (GDPR) will put individuals in control of their personal data, empowering them to choose how (and whether) businesses use their data. Where personal data is not treated correctly, individuals will have increased rights to legal recourse and can, in some instances, claim compensation. Regulators across the EU will have unprecedented power to enforce the legislation and impose hefty fines in instances of non-compliance.
It is not enough to simply understand the headline requirements of the GDPR. What is more important is understanding what the GDPR is intended to achieve and what the real risk issues are for your organisation.
The GDPR will result in wide-scale data privacy transformation requirements across every organisation. By working with clients across the FS industry to prepare for the GDPR, we have produced a summary of some key considerations in the journey towards readiness.
1. Know where your data is
You must have a clear understanding of what data you hold, why you need it, where it is and who has access to it. What are your core sources of data? How are you managing the risk of duplication, inaccuracy and failure to delete expired data?
2. Understand how your third parties use data
Most FS organisations share data with third parties. These might be clients, suppliers, regulators or partners. You must understand and manage the risks inherent in the transfer of data to third parties and ensure your data is protected adequately by those you share it with.
3. Empower your customers
Data protection is starting to become a market differentiator. Customers expect to be able to trust the organisations they share their personal data with to manage it appropriately. Transparency between you and the customer is key.
4. Understand what privacy means to you
It is important to adopt an organisation-wide approach, factoring data protection and privacy management into your overall business strategy. You should understand the inherent risks, opportunities and priorities for your organisation.
5. Modernise your data infrastructure and governance
How quickly would you be able to identify all of the data elements pertaining to a particular individual across your organisation? Being able to do this will not only enable you to meet the relevant requirements under the GDPR, but will also allow you to unlock the full value of the data assets held by you.
6. Minimise data
Are you using data for the purpose you have committed to and nothing more? Do you need to train your staff on data purpose limitations? How will you monitor this? Organisations must ensure that they only collect and process personal data that they legitimately need for the purposes they have identified. You may find you are able to reduce risk across your organisation by carefully disposing of data which you do not need or for which the purpose has expired.
7. Manage consents and notification
Under the GDPR, individuals are entitled to know all of the ways in which you use their personal data, what purpose you require it for and who you intend to share it with. The rules on consent are also getting tougher, and individuals can withdraw their consent at any time.
8. Understand your level of privacy risk and data security
What are the risks inherent in your processing of personal data? These could be organisational risks or technical risks. What external forces could act to disrupt your business, and how can your cyber security strategy enable you to react to them?
9. Adopt an agile privacy and data protection strategy
You need to maintain awareness of legal developments here and abroad in the ever-changing privacy landscape, and reflect these in your business plans and strategies. These should reflect an end-to-end approach and cover every entity across your entire global organisation that processes personal data originating from the EU.
10. Appoint a Data Protection Officer (DPO)
The majority of organisations will need to appoint a DPO to act as a liaison with regulators, maintain adequate levels of privacy awareness across your organisation, monitor compliance with the GDPR and influence decision-making at a senior level to drive improvement of privacy and data protection management.
Despite a two-year grace period for implementation, it is imperative that your organisation reviews its approach to privacy and data protection in preparation for the GDPR coming into force on 25 May 2018. This is a tight time frame within which to plan and implement the complex changes required in order to comply with the new legislation.
This blog was originally posted on PwC's Financial Services Risk and Regulation blog.