GDPR isn't over, but it's already taught us a lot
The EU General Data Protection Regulation is almost upon us. Firms in the Nordics have done a lot in preparation, but the work doesn't end with the May 2018 deadline and it isn't just a compliance exercise.
If you implement GDPR properly, there are plenty of strategic opportunities to take advantage of, from streamlining operations to improving the customer experience.
Now is the time to reflect on what we've learned so far, and on the remaining work needed to ensure you're ready not only to meet the deadline, but to seize those opportunities.
Lessons learned from the implementation so far
Don't forget the past when planning for the future. The new GDPR regulation is a game-changer compared with previous data protection regulations. A big challenge for a lot of companies has been that they weren't compliant with the original data protection directive from 1995. As you examine the implications of GDPR, make sure you address these gaps. Until now, the risks have been acceptable, but with fines up to four per cent of turnover or €20 million (whichever is greater), noncompliance is very expensive.
Map current information flows
Given the technology evolution we have seen, most Nordic companies have evolved from old mainstream systems to new cloud services. Staying competitive means launching new services, technologies and products as quickly as possible. As a result, some old solutions have simply been extended for the sake of speed, so it's common for system environments to consist of different architectures with complex integrations.
From a GDPR perspective, that's challenging because you have to understand information flows in such systems so you can be sure they meet the privacy requirements.
Plan for future strategic opportunities
Where is personal data stored? Where is it used? Why is it kept? Can it be anonymised? What happens if it's deleted?
You need to consider all these questions because your answers will impact the strategic opportunities for future data analysis.
Work with third parties
Don't underestimate the time it takes to implement effective governance of third parties who process information. GDPR makes you responsible for your partners and collaborators.
GDPR and other regulations
GDPR will impact other financial services regulations, especially those with a focus on data retention, regulatory reporting and conduct. Firms should approach GDPR in a way that is coordinated with these other requirements to avoid duplicated effort.
Both MiFID II and the 4th Anti-Money Laundering Directive have overlapping requirements related to data retention which will need to be taken into consideration. However, we think the most important overlapping regulation for firms in the Nordics is the Second Payment Services Directive (PSD2).
The main feature of PSD2 is the need for APIs that give third parties access to transaction data and payment services. This increases the risk of information leakage and makes the whole financial ecosystem more complex and vulnerable. With both PSD2 and GDPR you need to identify and mitigate operational and security risks to protect customers.
That means you need to secure user data, carefully control access rights and manage permissions for critical information and systems. You also need robust logging and monitoring to make sure any anomalies, fraud or information leakage can be identified.
Both PSD2 and GDPR demand a fast incident response process. Under GDPR, you need to tell national authorities and the affected person about unauthorised or unlawful data processing, loss, destruction or damage incidents within 72 hours of discovery. PSD2 has an even tougher deadline. So you should take a comprehensive view of your incident process to make sure it meets both regulations as well as business requirements.
It's wrong to think of GDPR as a compliance exercise and cost burden. That view fails to take into account the strategic opportunities to improve operations and customer experience across the organisation, including:
- improve data quality and governance for better strategic decisions and customer interactions
- provide differentiated and personalised customer experiences
- review and optimise processes
- create clearer roles and responsibilities
- make access management more effective
- automate processes (e.g. right to access, storage limitation).
Many companies are unlikely to have implemented all GDPR requirements by 25 May 2018. Given the tight deadline before the regulation comes into force, companies should prioritise high-risk areas to close regulatory gaps.
You shouldn't lose sight of 'Day 2' and the longer-term requirements. You should consider longer-term independent assurance to validate where you are on your compliance journey and your key areas of focus, as well as how you can upskill and educate your workforce to change behaviours beyond the deadline.
Also, think about building strategic solutions, ideally in close coordination with other regulatory initiatives. Taking a step back and reflecting on the strategic choices will strengthen your firm's position for the future.
Regulatory implementation may often feel like a tick-box exercise to comply and get things done. But GDPR has the potential to initiate a wider change in how data is managed, protected and used, and its impact shouldn't be underestimated. It's important to think about how to make this part of business as usual and embed it in your behaviours and culture.