Seven key GDPR challenges for financial services organisations
17 January 2018
During PwC’s live webcast on the 30 November, key General Data Protection Regulation (GDPR) challenges for financial services were discussed with a panel of PwC GDPR and Data Privacy leads, alongside Jamie Thomson, Head of Operational Risk and Data at Investec Wealth and Investment.
Overall the financial services industry seems to be well on its way to preparing for the GDPR. There has been a clear shift in focus and an increase in general awareness over the last eight months. GDPR is now on the agenda for the board.
Seven key points summarise the discussion during the webcast.
- People and training are both key challenges. Even with the best plan in the world and the best technology, without the right conduct, behaviour and mindset around data privacy, organisations will not develop the level of trust with their customers and clients that the GDPR centres on, and which is key to success in today’s data-driven world. Make sure that people are at the heart of your plan.
Every person in the business has responsibility for GDPR compliance. Getting the basic training rolled out followed by targeted, role specific training is a good approach.
- Data Protection Officer (DPO) – the DPO’s overall responsibility is to ensure that their organisation is complying with relevant data protection regulations. Key questions include where in the organisation the DPO should reside and to whom the role should report, not forgetting that the GDPR requires that ‘The data protection officer shall directly report to the highest management level of the controller or the processor’. The independence of the DPO is key, and many organisations are expecting to locate it operationally within the second line of defence.
- Third parties – these represent a key risk for organisations. Reviewing and updating, where necessary, the contracts in place with these third parties should be a key part of the GDPR plan and of realising the regulatory obligations. Consider allowing three to six months to get the third party terms and conditions in place.
- Data limitation – historically, financial services organisations have kept data for significant periods of time, and even high-risk data has moved freely around our organisations. Consider how best to appropriately restrict the movement of data and apply the data minimisation principle.
- Budgets – the biggest drivers of costs are technology and resourcing costs. Naturally the budget will vary and will be impacted by issues such as geographic footprint as well as current maturity of capabilities and legacy systems.
Consideration of the operating model post-May 2018 is key, as there is an ongoing obligation to maintain a ‘Business As Usual’ state of compliance, and this needs to be included in the budget.
- Breaches – it’s a case of ‘when’ not ‘if’. Key focus areas include educating your staff to recognise breaches should they arise, designing business processes so that reporting to the regulator can be undertaken where necessary within 72 hours, and evaluating whether there are any circumstances in which you would use a third party for breach handling. It will be key to demonstrate a risk-based approach, your own understanding of your state of compliance, and board awareness.
A letter containing customer-specific information, e.g. a statement, going to the wrong address could be considered a breach. Think about how you would mobilise a process to inform your customers of a breach if that requirement should arise, and also think about how to communicate with your customers about relevant third party breaches. For example, after the TalkTalk breach, banks got queries from their customers because the compromised data included bank details.
- Subject access requests (SARs) – organisations will need to deal with SARs – from both customers and employees – quickly to avoid complaints going to the commissioner. Organisations need a process in place to deal with SARs within 30 days vs the current 40-day period in the UK. A key challenge is locating, accessing and reviewing all of the data relating to the data subject. Also, consider that not all relevant data will be in electronic form.
Beyond compliance – using the GDPR for competitive advantage
The GDPR brings with it a number of challenges to consider, and organisations need to protect their data for competitive advantage. People will buy from organisations that they trust, but organisations also need to consider the potential that data can offer for growth.
Your data strategy
The GDPR is about putting individuals at the heart of data protection. Data is no longer something you can share at will; it needs to be treated like an asset. It is the new currency that needs to be managed with care, like money!
Data is coming of age so organisations need to think about their data strategy more broadly.