Background
On April 27, 2016, the European Commission adopted the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will enter into force in May 2018. The GDPR will replace current national data protection regulations, such as the German Federal Data Protection Act (Bundesdatenschutzgesetz) or the Data Protection Act in Sweden based on the European Commission Directive 95/46. The GDPR significantly increases the regulatory requirements related to customer and counterparty data protection by strengthening and unifying the data protection regulation within the European Union.
Goal of the GDPR
The goal of the GDPR is to protect natural persons living in the European Union regarding the processing of personal data and to enshrine the protection of personal data as a fundamental right in supranational law. The GDPR addresses data protection, with privacy at its core, in a widely digitalized world and provides a single data protection framework applicable for all institutions processing data in the European Union, or more precisely, the European economic area. The GDPR focuses on the design of data protection processes and the organizational approach of data protection in companies, i.e. how to take privacy seriously and how to protect sensitive personal data of customers and employees. Addressing the processes and organizational structure also leads to major changes in the technical conceptual design and requires the definition of technical details. The GDPR strongly builds on data management capabilities, which have already been triggered in many banks by external requirements such as BCBS 239 or business strategies for further digitalization. In this context, the main challenge is not only to align the requirements imposed by the GDPR with already implemented capabilities and running programs with a focus on the regulatory implications, but also to explicitly emphasize the business benefits of privacy protection.
Importance for banks
Aside from large technology companies, banks are among the businesses most directly affected by the GDPR, since they hold large amounts of data on private individuals. The recently published “State of European Data Privacy Survey[1]”, which surveyed more than 900 business and IT decision makers from various industries in France, Germany and the United Kingdom, concludes that the vast majority of European businesses are concerned about complying with the new GDPR regulation. In particular, 96 percent of companies do not fully understand the GDPR and 23 percent state that their companies will not be fully compliant when the regulation enters into force in 2018. The latter is especially problematic, since the penalties for infringements have been drastically increased, with administrative fines reaching amounts of up to 20 million euros or 4 percent of annual turnover. Moreover, banks also risk claims from affected individuals that are significantly higher than the fines resulting from regulatory breaches. Aside from the monetary effect, a gap in the data protection framework of a bank can lead to a significant loss of reputation if it is unveiled. Banks in particular, which are heavily reliant on their customers’ trust, need to protect their reputation and use it as an asset to face the increasing competition from fintech companies and to mitigate the migration of existing customers. In total, estimated costs for each record of compromised data typically range from 150 to 200 euros[2], including direct costs associated with detection, notification, restoration and forensics as well as indirect costs reflecting the risk of lawsuits, loss of consumer confidence and subsequent loss of funding. Therefore, it is crucial to address the changes arising from the GDPR.
Major implications and changes arising from the GDPR
An initial GDPR impact assessment shows that the GDPR directly affects European banks and that it has major implications on the three core banking areas of organization, processes and systems.
Several aspects of special relevance for the organization, processes and systems of a bank are identified, which need to be addressed in order to achieve compliance with the GDPR:
Organization
- Establish a privacy office and privacy change agenda as well as senior management reporting on personal data protection
- Develop and implement a target operating model for data protection governance with policies and a framework including organization, processes and roles / responsibilities (controller, data protection officer, etc.)
- Roll out a defined, bank-wide privacy organizational setup, implement committees and integrate new roles in the existing network
Processes
- Implement processes for identifying the relevant scope of personal data (personal data required by regulations vs. non-required)
- Define and implement processes for customer consent management, disclosure of stored personal data, correction of incorrect personal data, the right to erasure and data portability
- Design, implement and document privacy impact assessments and train the responsible persons in the relevant processes
Systems
- Review and adapt current IT architecture regarding data storage, transformation and processing of personal data to fulfil GDPR requirements
- Expand metadata management (incl. MDM systems) and establish / expand data lineage to comply with data protection requirements
- Perform a personal data inventory, including the creation of a harmonized business glossary and the mapping of all personal data
The three core areas are complementary and each of them needs to be covered in order to become compliant. Even the best banking systems and processes are not able to compensate for a gap in the organizational structure of the bank, such as the lack of the mandatory data protection officer.
By breaking down the high-level requirement analysis to a more practical approach, several key GDPR articles with the highest immediate relevance for the banking sector[3] can be identified.
Deep dive into selected GDPR requirements
From our perspective, special attention in terms of complexity and efforts in the implementation should be paid to a number of GDPR articles.
Article 7 of the GDPR requires companies to obtain, document and prove the explicit consent if they want to process data. This provision leads to a substantial increase in documentation obligations for banks and excludes, for example, the possibility to use pre-ticked boxes or hidden contractual statements such as “by using this service you agree to all aspects of data processing”.
Article 17 of the GDPR requires the deletion of data if it is no longer used for the purpose for which it was originally collected or if the consent for the storage of the data is revoked. Therefore, organizations have to decide whether they have a legal obligation or another legitimate purpose to retain the data or whether it can be deleted. An example of a statutory requirement to retain data is any data necessary for the payment of taxes. Organizations also need to determine whether data has been shared with third parties and whether those third parties need to be instructed to delete the data in question as well. As a consequence, organizations have to decide to what extent they re-architect systems and put in place processes to proactively deal with this, or deal with requests on a case-by-case, i.e. reactive, basis.
Article 35 of the GDPR requires banks to conduct a privacy impact assessment (PIA) whenever a new product or process is considered for implementation. The PIA should reveal the risk probability of a product or process activity. It has to include descriptions of the mitigating controls that will be built into the program to address the privacy risks and compliance issues that have been identified. Banks have to nominate qualified individuals with the responsibility of undertaking a PIA during the early design stages of relevant projects and include the PIA in the new product process.
Article 37 of the GDPR requires the designation of a data protection officer (DPO) who has received appropriate training and provides expertise in data protection. One way to document this expertise might be, for example, a CIPP/E certification granted by the International Association of Privacy Professionals. The DPO needs to be independent and reports directly to top management, which is a clear indicator of the high organizational anchoring of the role. Furthermore, a group of undertakings may designate a single DPO with overall responsibility, provided that the DPO is easily accessible from each establishment.
How to get a grip on GDPR
We propose a three-step approach, as outlined in Figure 3, to get a grip on the GDPR and build a consistent implementation road map. First, a quick check is performed to assess the current level of privacy in the bank and to start the preparation for enhancing data management capabilities. As an example, the current data reporting framework within the bank needs to be comprehensively assessed, since regulatory initiatives like BCBS 239 or SREP have often led to major changes in recent years. Those initiatives already partially touch GDPR requirements, especially the data management capabilities outlined in the introduction. In a second step, the road map is set up and target models for the privacy organization, the required processes and the collaboration model are defined. The defined target models must fit into the bank’s current data strategy, and the GDPR project needs to be properly integrated into its overall digitalization strategy. In addition to the conceptual work of defining the required policies, organization and procedures, special focus is placed on enhancing the business glossary (if one already exists) with respect to privacy-relevant data and on identifying the applications that hold it. During the final stage, the implementation planning is carried out and execution support is identified.
Conclusion
Implementing the GDPR is not an option but a legal requirement, which demands a high degree of commitment and resources from banks. However, the new requirements offer banks the opportunity to rethink data protection and the possibility to combine the necessary with the useful. Addressing questions like “where is the data stored” or “which part of the bank is in control of the data” is a regulatory requirement. At the same time, banks have to start thinking about which data they own and the best ways to exploit this data. In the current low interest rate environment, customer data can still be seen as a largely untapped potential of banks. Modern and flexible state-of-the-art data stores provide the basis for advanced analytics to create targeted offerings for cross-selling and up-selling. Moreover, proper data management enhances the user-centered customer journey, making it more compelling and highly differentiated by combining personalization, speed and ease of use across all processes. This includes, for example, loan application and granting, account opening, and understanding how to make full use of an account and reconcile payments. Furthermore, a high degree of security and well-designed privacy processes can be a unique selling point and provide a substantial competitive advantage to a bank. People are becoming increasingly sensitive to the topic of data protection and are willing to pay for their privacy. Therefore, a bank offering the highest security standards might also be able to charge its customers a markup for offering this standard. Especially compared to the young and ambitious fintech companies, which are encouraged by the recently adopted PSD II[4], the integrity of a bank can be a significant competitive edge when competing for customers. To conclude, banks should not only see the regulatory effort associated with the GDPR, but rather focus on the numerous opportunities offered by a well-designed internal data protection framework.