When the General Data Protection Regulation (GDPR) comes into force in May 2018, it is expected to have a significant effect on the financial sector, which processes billions of data transactions and financial records annually. Broadly speaking, whilst financial institutions are aware of the forthcoming changes and most accept that they'll be among the first in the firing line, they don't all seem to recognise the amount of work involved or the time it will take to become GDPR compliant.
Don't assume you're covered
Having to abide by strict international regulations isn't new to financial institutions, but familiarity with regulations might lead some to mistakenly assume that they will already be covered when the GDPR comes into force next year.
There is a perception among some financial institutions that the GDPR "won't impact our organisation". This is due to a few common misunderstandings of the legislation, including:
Time frames will differ for each organisation and will be dependent on a number of factors such as how complex the organisation is, the volumes of personal and sensitive personal data being processed and how much of the data processing is outsourced. With so much to get done, it's best to get started…
Getting started - does your organisation need a DPO?
First, you need to ascertain whether your organisation needs to appoint a dedicated Data Protection Officer (DPO). A company must designate a DPO where:
Map your organisation's data processes
Once you have appointed a DPO or have a dedicated go-to resource to manage your company's obligations under the GDPR, you need to map the current data processing activities within your organisation. This exercise should prompt questions such as:
The key challenge for financial organisations will be to establish the differences between their current practices and the new GDPR requirements. Specific new GDPR requirements include a reduced subject access request deadline, mandatory logging of data processing activities, new requirements around consent and the mandatory requirement for Privacy Impact Assessments.
Generate a risk profile
As you identify your organisation's data processing activities and compare current practice with the new requirements of the GDPR, a risk profile should begin to emerge. It should highlight where there are vulnerabilities, which policies are required in which areas of the business, which practices need to be stopped or modified, what level of training is required throughout the organisation, what actions need to be taken across the organisation and where you may require additional resource.
This might seem like a huge undertaking, but financial institutions are generally in a better starting place than many other sectors due to their existing use of and experience with risk management. The financial sector is already a heavily regulated environment where compliance is extremely important. Typically, large financial institutions benefit from a dedicated compliance team that is tasked with ensuring compliance across the various areas of the business. Organisations of this size also often already have sophisticated systems in place to undertake training, carry out real-time logging and produce audit trails, as well as secure IT systems that may only need minor tweaking to comply with the new GDPR requirements.
However, this strong starting point is what may lead to a false sense of security, with assumptions being made that the GDPR will not affect them. The internal compliance team may also already be busy with the requirements imposed on them by the Financial Regulator, resulting in the GDPR not receiving the time it deserves. With so much to consider and limited time remaining, what DPOs need is a system that can flag up areas of risk and help build compliance into activities from the beginning, as well as allow compliance to be demonstrated quickly in one simple click, should the ICO come knocking.
To reflect the growing needs of companies facing large scale requirements to assess and change a significant number of processes and IT systems in order to be GDPR compliant, Sytorus developed PrivacyEngine, a cloud-based SaaS product. Designed to simplify compliance with data protection legislation and to provide one-click access to the evidence necessary to demonstrate this to the ICO in the event of an investigation, PrivacyEngine is simple to use but provides a comprehensive, structured framework to manage your company's compliance with the GDPR, taking some of the pressure and stress off internal teams.
If you'd like to find out how Sytorus' PrivacyEngine can support your internal teams in managing GDPR compliance on an ongoing basis, contact us on:
Dublin team: +353 (0)1 683 3314 / email firstname.lastname@example.org
London team: 0207 936 9442 / email email@example.com