With the General Data Protection Regulation (GDPR) enforcement date coming up on 25 May 2018,¹ many banks and insurers have yet to commence their implementation and data remediation activities. GDPR will have wide-ranging impacts across the organisation, and given the scale and complexity of the changes required, we expect most organisations to struggle to meet the May 2018 compliance deadline. It is therefore imperative that organisations adopt a risk-based approach to compliance, prioritising the areas that pose the highest risk to data subjects.
Under GDPR, organisations are required to demonstrate compliance with the principles laid out in Article 5.² A check-box driven compliance approach therefore won’t work, and firms are encouraged to embed the “right culture and conduct,” which we see as critical for ongoing compliance.
PUTTING THE RISK-BASED APPROACH INTO PRACTICE
The ability to locate Personally Identifiable Information (PII) across the enterprise, in both structured and unstructured data sources, is fundamental to GDPR compliance and is required for Article 30 reporting.³ If firms start with technology-led PII data discovery, we expect it to generate a great deal of noise, which in turn makes it hard to identify the business processes that use the underlying data sets and the legal basis for such processing. Our experience indicates that a customer-journey driven approach yields better results. However, a medium-sized bank or insurer is likely to have over a thousand Level 3 business processes. Under such circumstances, a risk assessment is recommended to help prioritise the detailed discovery work.
A customer-journey driven approach underpinned by a process risk assessment can provide a prioritised view of high-risk processing activities. This helps inform the remediation roadmap for compliance with data retention, deletion and security requirements. Firms should set their risk appetite to drive the remediation activities. For example, a firm’s target risk profile may require full remediation of critical, high and medium risk processes by May 2018, with low risk processes dealt with afterwards under a clear implementation plan with funding in place ahead of the compliance deadline.
In our view, the customer-journey led approach is unlikely to uncover all PII processing across the organisation, especially data stored in unstructured sources (e.g. presentations posted online, local area network (LAN) drives, etc.). Therefore, a combination of a top-down, business-process led approach and a bottom-up, data-discovery-tool led approach is recommended in the medium to long term.
LOOKING BEYOND MAY 2018
The records of PII processing will need to be kept up to date on an ongoing basis⁴ and will require investment in technology solutions to automate the data discovery and record-keeping requirements. This also presents a tremendous opportunity for firms to improve their wider data management practices and to reduce operational costs by complying with data retention policies and reducing data duplication across the enterprise.
In summary, GDPR compliance is far from a single one-off remediation effort; firms should instead consider it a journey towards an enhanced data privacy culture that encourages adherence to new regulations and practices over time. Investment in GDPR can generate strong and durable business benefits if it is properly aligned with the wider strategic business and technology vision.
Similar risk-based approaches can be adopted for consent, third-party contract remediation and data security. These should have their own considerations beyond May 2018 and can drive wider business value. We’ll explore these further in upcoming blogs so stay tuned!
To learn more, view our presentation on GDPR Compliance.

REFERENCES
- “Guide to the General Data Protection Regulation (GDPR),” Information Commissioner’s Office. Access at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- “Art. 5 GDPR, Principles relating to processing of personal data,” General Data Protection Regulation (GDPR), Intersoft Consulting. Access at: https://gdpr-info.eu/art-5-gdpr/
- “Art. 30 GDPR, Records of processing activities,” General Data Protection Regulation (GDPR), Intersoft Consulting. Access at: https://gdpr-info.eu/art-30-gdpr/