Part 2 - The GDPR revolution: Ensuring compliance and control

New legislation to ensure data protection compliance requires careful execution and executive oversight

In this article series The GDPR revolution, RBC Investor & Treasury Services explores how the European Union's (EU) General Data Protection Regulation will affect data subject rights, compliance and control procedures, and managing breaches for financial institutions.

The General Data Protection Regulation (GDPR) introduces a raft of requirements for data controllers to ensure and demonstrate compliance in processing personal data. A data controller is a party who determines the purposes and means of processing personal data. Financial services firms must be prepared to undertake additional documentation, record-keeping and reviews to avoid the steep penalties that may result from breaches.

Replacing the 1995 Data Protection Directive, the new legislation requires organizations to implement compliance measures within their data processing systems even if the processing is carried out by an external service provider.

Greater accountability for data processing

As outlined in Article 5, GDPR introduces a new principle of accountability that applies to all organizations that control and process personal data. Central to this principle is that data controllers must be able to demonstrate compliance with strict guidelines involving the collection, storage and processing of private information. It requires that each step associated with data processing is documented to guarantee it is performed lawfully, fairly and transparently. Further, data must be kept confidential, collected only for a specified purpose, and limited to what is necessary.1 GDPR also introduces requirements for data controllers to explicitly obtain customers' consent for how their personal data is retained and used. This new element of transparency means extra care must be taken when designing and implementing systems for data processing.2 "This is not like anti-bribery or anti-money laundering, where you carry out process change and you're done. It's a more continuous process; you have to build a new function and make transformational changes, and you have to review and monitor them," said Mark Thompson, privacy advisory lead at KPMG in London.3

Technical and organizational responsibility

Article 24 of GDPR mandates that data controllers are responsible for implementing the necessary technical and organizational measures to ensure compliance. They must be able to classify, track and delete personal data on request. In addition, controllers are to undertake risk assessments and be able to update their collective infrastructure if new threats emerge. This work also includes the implementation of appropriate data protection policies.

Article 30 stipulates that the controller must create a system that records all data processing activities, including data retention periods, any cross-border data transfers and the recipients of personal data.4 Unlike the 1995 Directive, GDPR does not include a requirement to notify supervisory authorities of data processing activities. Data controllers, however, must retain extensive records of their activities and make those available to authorities upon request.5

Data controllers who use third parties to process data must ensure that those third parties process data in accordance with the requirements of GDPR.

High risk impact assessments

Article 35 of GDPR sets out the need for a data protection impact assessment (DPIA) when data processing is likely to result in a high risk to individual rights and freedoms. The DPIA must be carried out before data processing begins, or when a new data processing project is implemented, to minimize security risk. Supervisory authorities in EU jurisdictions are empowered to provide a list of operations that should be subject to a DPIA. High-risk activities that might require a DPIA include data profiling, which would likely have a direct impact on financial institutions that conduct automated loan approvals or that use personal data to make recommendations to clients regarding new investments. A DPIA would also apply when sensitive personal data or data related to criminal offences is in play, or when there is large-scale systematic monitoring of public areas.7

Such assessments can be intricate, and the Information Commissioner's Office (ICO), the UK's supervisory authority under GDPR, suggests that firms establish specialist teams and create templates that identify the need for a DPIA, describe the information flow, set out the necessary consultation requirements, risks and solutions, and document the entire process.8

The benefits outweigh the costs

Given the complexity involved, compliance with GDPR may prove a costly undertaking for firms that control and process large volumes of personal data. The International Association of Privacy Professionals (IAPP) and accountancy firm Ernst & Young estimate that Fortune 500 companies will spend a combined USD 7.8 billion in order to become GDPR-compliant. The costs are likely to be far greater, however, for non-compliant firms that experience a cyber attack or a serious breach that endangers their clients' personal data. Such firms would have little protection against the steep fines and reputational damage that could result.

Next in RBC Investor & Treasury Services' The GDPR Revolution series: the requirements of reporting data breaches under the GDPR, the steps that market participants need to put in place to comply with the framework, and what other steps they may take to ensure compliance with regulatory obligations.

Key insights

  • GDPR compliance is a continuous process that requires constant review, including adapting to new threats
  • Data controllers are held responsible for the necessary technical and organizational changes to ensure compliance
  • Data controllers who use third parties to process personal data must ensure those third parties comply with GDPR
  • The costs of compliance offset the risks of fines and reputational damage for serious data breaches

Sources

  1. White & Case (July 22, 2016). Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation
  2. White & Case (July 22, 2016). Chapter 1: Introduction – Unlocking the EU General Data Protection Regulation
  3. Risk.Net (July 6, 2017). 'Boiling the ocean': GDPR data demands overwhelm banks
  4. Ibid. White & Case
  5. Official Journal of the European Union (April 27, 2016). General Data Protection Regulation
  6. Ibid. Official Journal of the European Union
  7. Ibid. Official Journal of the European Union
  8. Information Commissioner's Office (2017). Data protection impact assessment
  9. Financial Times (November 8, 2017). Cost of cyber crime rises rapidly as attacks increase