Introduction
”GDPR” – you thought that was an abbreviation that we left behind us as after 2018? Well think again because the General Data Protection Regulation (EU) 2016/679 is here to stay.
GDPR was the buzz word number 1 during the first half of 2018 and the date 25th of May was nailed to the walls of almost every company processing personal data alongside nightmares of threats of fines for 4% if the company turnover. Around and after the big bang of enforcement, there was a lot of uncertainty on how this new regulation would affect companies. Now the dust has started to settle and the data protection authorities have beefed up and begun their audits. So what to expect?
Six simple rules, and then you are safe right…?
The main purpose of GDPR is to strengthen the individuals’ right over their personal data as well as to simplify and harmonize the various legislations within the EU and EEA countries. So what is actually the idea of GDPR? The regulation sets out seven key principles for how personal data shall be processed:
(a) processed lawfully, fairly and in a transparent manner
(b) collected for specified, explicit and legitimate purposes
(c) adequate, relevant and limited to what is necessary
(d) accurate and, where necessary, kept up to date
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
(f) processed in a manner that ensures appropriate security of the personal data
By following these principles in your every day work, you capture most of the essential areas of the regulation which the individual employee should be aware of – a quite easily digested task compared to reading the entire 88 page regulation.
The financial sector, GDPR and Sweden
Ensuring proper use of personal data is nothing new in Sweden. Since 1998, Sweden has had Personuppgiftslagen with the purpose of protecting the personal integrity of each person and since 2004 the bank secrecy laws has regulated personal information on bank customers.
So, should banks and financial institutions expect that the Swedish Data Protection Authority “Datainspektionen” (SDPA) will strike down with full force and audit every single corner of the business now when GDPR has entered into force? Since banks and financial institutions are a substantial force in society and holds large amounts of personal data, they should expect to be on the top of the list of potential audit candidates. The SDPA will work in cooperation with the Swedish FSA “Finansinspektionen” when it comes to GDPR monitoring of the financial services industry.
The initial main message from the SDPA has been that companies (and banks) must have a clear strategy for how to work with personal data questions in a structured way and continuously improve integrity and to report on all personal data breaches.
The real change in behavioral and to see protection of personal data as a competitive advantage
As the regulations in the financial services industry pile up (MiFID II, IDD, AML etc.), it is easy to take a top down approach in an organization and simply send out instructions saying “dear employees please comply with these new rules”. Since people are used to old habits and behavioral change is hard, there is a great risk that we continue to handle personal data in the same manner as before – ad hoc and sometimes with no clear purpose.
The true compliance with GDPR comes from a bottom up perspective when all employees truly change their behavior in how to process the personal data of customers and colleagues.
In the light of global scandals such as Facebook / Cambridge Analytica, where personal data was misused in political campaign purposes, or Google, where the processing of personal data for the users was questionable resulting in a fine of €50 million in France, customers and the general public are being more and more concerned how their personal data actually is used.
Ensuring the proper and compliant use of customers’ personal data should rather be seen as an opportunity to create a competitive advantage rather than yet another costly regulation to comply with. If you manage to ensure that the personal integrity of your customers always is of top priority, you could find this as that extra driver for customer satisfaction.
The GDPR Eco System – a map to facilitate compliance and to pinpoint challenges
GDPR affects basically all aspects of an organization in the financial services industry, from internal processes and systems to customer interfaces as well as third party suppliers and interactions with authorities. At 421 we call it the “GDPR eco system” where it is possible to map out all areas where personal data is processed, regardless or if is in manual business processes, automated core systems or at third party vendors.
For a bank, the main challenges are typically not in the customer facing parts of the eco system and the ability to answer on the data subjects’ requests. As one would guess, many of the challenges lies within the system structure with a legacy and complex architecture which most banks struggle with. An insufficient process mapping is also a source of many challenges when it comes to the processing of personal data – if you don’t know where it is used then it is hard to ensure that it is compliant. Therefore, the GDPR Eco System can be a good starting point in mapping of the processes where personal data is used. When using a third party vendor for processing of personal data, you are always accountable for this vendor. Thus it is crucial to properly vet each vendor and setting up a Data Processing Agreement before initiating the processing.
So how to begin?
In order to fully get control of the processing of personal data and ensure compliance with GDPR, creating awareness and understanding of why lawful processing of personal data is crucial for an organization. It is important to establish a solid 1st line addressing the privacy related question in their daily work (Privacy Management).
The entire organization must understand the change journey to be done and connect this to the competitive advantage of always ensuring the personal integrity of their customers and employees.
Thus GDPR and the processing of personal data should be a natural part of the everyday work and not just another regulation to comply with for the sake of it. Because with the acceleration of the digital society and massive increase in personal data, the value of integrity is a train that won’t slow down.
