THE GDPR GAUNTLET.
MiFID II may be around the corner but Heather McKenzie explains why firms should not ignore the GDPR.
MiFID II may be focusing the hearts and minds of the financial services industry, but it is not the only regulation coming into force in 2018. Close on its heels is the EU General Data Protection Regulation (GDPR), which takes effect on 25 May 2018. It is designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organisations across the region approach data privacy.
Any firm that processes data about individuals in the context of selling goods or services to citizens in other EU countries must comply with the GDPR. This includes firms based in the UK, post-Brexit. The UK Government has indicated it will implement an equivalent or alternative legal mechanism.
Under GDPR rules, organisations can be fined up to 4% of annual global turnover, or €20m, for breaches such as not having sufficient customer consent to process data or violating the core Privacy by Design concepts.
“The common denominator across all regulations is data,” says Mithun Sridharan, manager at Sapient Consulting. “Investment banking is rich in data, which is increasingly viewed as a strategic asset that can be leveraged to provide better trading, risk management and customer experiences.”
There are overlaps between MiFID II and GDPR, which means financial services companies are often better placed to comply with GDPR than firms in other industries. Dr Bernard Parsons, co-founder and chief executive of UK-based cyber security firm Becrypt, says the main priority for achieving compliance in time for the GDPR deadline is to gain a thorough understanding of what data the organisation holds, how it is collected and processed, and where it is kept on the network. Once this is understood, it will be much easier to put the required data protection measures in place and to implement new policies going forward.
Sridharan agrees that the first steps in GDPR compliance should be to identify data assets and determine which of them are considered personal data. This typically comes as part of a data governance project. The next step is for firms to design and implement processes for correctly handling that data, including all the protective measures needed to prevent breaches. The standard approach is to establish a baseline of what is considered normal behaviour and then set protective measures to alert on abnormal behaviour or breaches.
Sridharan warns that GDPR compliance is not only about detection and prevention, but also about how a business will deal with a breach, including notification and response times, to avoid financial penalties. Staff must be trained to identify and correctly handle personal information and to escalate quickly in the case of a breach. “People will make mistakes, so your processes should prevent errors from causing a breach when possible and, if not, quickly raise awareness of the existence of a breach so it can be investigated, resolved and reported,” he says.
Tom Cole, director, Europe at IT company Abacus Group, says firms should realise that becoming GDPR-compliant will entail “recognising it as a business initiative rather than a technology initiative or IT project”. They should identify data and workflows and ensure that a culture of compliance is maintained behind the scenes. “There is no silver bullet or software solution you can implement – it will instead mostly entail analysing your internal operational processes,” he says.
The data hurdle
The biggest challenge firms will face will be in understanding their role as data processors and/or data controllers, the roles of their third-party providers, and their own responsibility for complying with GDPR. “Determining roles as either data processors or data controllers depends on operational circumstances and workflows. Regarding buyside versus sellside, the difference in challenges is marginal,” says Cole. “The sellside has a greater volume of data in scope, given the relationship nature of the business. Otherwise it’s important to recognise that GDPR is not sector specific – the same controls apply regardless of whether you are a regulated financial services firm or not.”
There are three main challenges for financial services firms in complying with GDPR, according to Monica Summerville, FinTech analyst and head of European research at Tabb Group. First, financial services companies still largely operate in silos when it comes to business units and technology infrastructure. “This means data is spread throughout the organisation, often duplicated in various electronic and physical repositories. As a result, locating, securing, and creating a sustainable solution to meet GDPR’s requirements is a huge challenge from a technical and data architecture point of view.”
Second, GDPR’s requirements potentially conflict with other financial markets regulatory objectives such as those seeking to foster greater openness and digitalisation of the industry or improve investor protection. For example, MiFID II requires all communications leading up to a transaction to be stored for five years, while GDPR gives people the right to have their records deleted.
Finally, with personally identifiable information (PII) often residing in unstructured data sources, hardcopy as well as digital, GDPR compliance depends on having a solution in place for both structured and unstructured data sets. “Financial services firms are good at the latter but still struggling with the former,” she says.
Jerry Norton, head of strategy for CGI’s UK financial services business, says the differences in storage requirements between MiFID II and GDPR are not a major source of conflict, but will require some ‘heavyweight’ work to comply. “Firms will have to ensure that the data they hold for MiFID II best execution purposes is stored in a way that is secure and meets GDPR obligations. For many organisations that won’t be easy. There are a lot of obligations in terms of costs, processes, procedures, and compliance.”
The global reach
Summerville says that, with financial firms in the UK and Europe very focused on MiFID II compliance, preparation for GDPR has been described by some as an “afterthought”, largely focused on policies and procedural documentation rather than on tackling the underlying technical and architecture challenges.
“Firms based outside of the UK and Europe, in the US for example, are further behind as many of these firms have yet to accept that this EU regulation could apply to them,” says Summerville. “GDPR might as well have been called the ‘global’ data protection regulation because companies must comply wherever they are using EU citizens’ data.”
Norton agrees with Summerville’s assessment, pointing out that industry observers believe there are many firms that have not yet thought through the full implications of GDPR. “This seems to be particularly the case for organisations that operate across many jurisdictions.”
By now, says Summerville, firms should have a good handle on the policies, procedures, and organisational changes that GDPR requires. They should also have a good understanding of how personal data is collected, stored, and processed in the entire organisation, including across borders. “Ideally ‘data privacy by design and default’ is in place already ensuring new software solutions are developed in a compliant fashion. And they absolutely should have done a gap analysis by now.”
Andrew Rogoyski, vice-president, cyber security services, at CGI UK, says one area that organisations are not putting enough thought into is the ability to declare a breach to the national authority within the 72-hour breach disclosure time limit. “In practice, you need a pretty slick set of processes and a good team in place to achieve the three-day target,” he says.
There are many companies pushing ‘GDPR compliant’ solutions, but Rogoyski warns that “there’s no such thing”. There are technologies that will help protect sensitive data but they don’t make a firm compliant. “GDPR isn’t about compliance, it’s about risk. The solution to protection of sensitive data involves people, processes and technology – you have to get all three aspects right.”
Despite the significant challenge of GDPR compliance, Summerville believes there is a “huge opportunity for firms to finally clean up their act regarding data management and governance and to strengthen their cybersecurity”. This effort, although challenging, is an absolute requirement for financial firms that want to stay competitive in the digital era, which requires a seamless exchange of data.
“Data is a financial services company’s most valuable asset and the ability to mine it effectively for business insight is wholly dependent on having access to a complete picture of its customers and their behaviours in a way that is compliant and secure while engendering trust from its customers,” Rogoyski adds.