The Challenges We Know You Are Facing
ADS understands the challenges that our clients face regarding compliance with the pending EU/UK General Data Protection Regulation (GDPR) scheduled to become EU/UK Parliamentary Law on May 25, 2018.
ADS has complied with all EU/UK regulations throughout its operational life, which provides a solid foundation for lawful operations. With the advent of technology, the daily use and processing of personal data now falls under the new EU/UK regulation known as the GDPR (General Data Protection Regulation, effective May 25, 2018), which will replace the Data Protection Directive (1995). Good sense and sound management dictate that our clients be in a state of readiness to comply with the requirements of this new regulation (EU/UK GDPR) on a timely basis. It is in this regard that ADS will provide our clients the solutions necessary to support GDPR readiness and prevent any issues of non-compliance.
Are You Ready?
The GDPR has been the most lobbied regulation in the history of the European Parliament, attracting some 4,000 amendments. The reason is the monumental impact it will have on companies doing business in the EU, and even on non-EU businesses targeting European data subjects. It is expected to have the most significant effect on the financial sector, where billions of financial records and personal data transactions are handled annually. Broadly speaking, financial service providers are woefully unaware of and unprepared for the mandate, leaving them exposed to serious risk and severe sanctions. Despite being first announced in 2012 and formally approved by the European Parliament on April 14, 2016, as of April 2016, 20% of IT decision-makers in the UK were still unaware of the new regulation.
The protection of personal data from breach, leak or attack is one of the biggest challenges facing the financial sector today. In response, the GDPR seeks to unify data protection procedures within the EU/UK and to place EU citizens in control of their personal data by providing a minimum set of standards on the use of data. In the past ten years, the spread of globalization, rapid advances in technology, and the subsequent avalanche of data privacy concerns have rendered the EU Data Protection Directive 95/46/EC (1995) insufficient, and in 2012 the European Commission proposed the first draft GDPR to replace it. In March 2014, the European Parliament approved its own version, and on June 15 the Ministers of Justice of all 28 European Union member states, sitting as the Council of the European Union, adopted their own version, known as the ‘General Approach’.
How does the GDPR Impact Global Business in Relation to Privacy and Data Management?
- Territorial scope: The GDPR extends regulation from EU companies to include organizations outside the EU that process data relating to EU citizens
- Security: Tightened and broadened security, where data protection and privacy are by design and by default
- Data Protection Officers: to be appointed to ensure data protection compliance within organizations where over 5000 records are processed or there are 250+ employees (mandated appointment of a Data Protection Officer is not required in the Council’s draft)
- Data breaches & right to know: Data breaches need to be reported within 72 hours, and a notification to the affected individuals sent ‘without undue delay’
- Data portability (right to easy access to one’s own data): individuals can request copies of personal data being processed in a format usable by the person, so that they can transmit it electronically to another processing system
- Data erasure (or the ‘right to be forgotten’): When an individual asks for their data to be deleted (i.e. they withdraw consent), the processors or controllers must comply, provided there are no legitimate grounds for retaining it. NB: this article is intended to empower individuals, not to erase past events or restrict freedom of the press
- Stronger enforcement & fines: Higher fines and sanctions introduced for non-compliance, up to 4% of global turnover
Perhaps the most significant change the GDPR proposes is the concept of obtaining customer consent, and it is arguably this change that will have the greatest impact on the financial industry. In short, the General Data Protection Regulation states that for personal data to be processed by a controller or processor, they must have proof of freely given, informed, clear and affirmative data subject consent. To fully understand the impact on financial service providers within the EU, it is important to define the terms as laid out in the GDPR:
- Personal data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
- Data Controller: The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law
- Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller
- Processing: Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
- Data Subjects’ Consent: Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
Question: How will our clients be ready in time?
Answer: ADS ConnectCompliance and Database Management (iBoss) Solutions.
What does this mean for our clients? Put simply, before a business collects, processes, digitizes, or shares any customer data, it must first obtain auditable customer consent for each operation, or, where consent is not the legal basis of processing, the specific legal basis must be recorded. It means that broad blanket terms of agreement or conditions will no longer be valid, and a company’s current standard of implied authorization will be insufficient. Explicit consent will become mandatory and separate from terms and conditions, requiring banks to fundamentally rethink the way in which they collect and handle customer data.
ADS’ ConnectTech and Data Management (iBoss) Solutions enable compliance with the GDPR consent requirements and generate customer- and counterparty-authenticated, regulatory-compliant, auditable certificates in real time. In today’s climate of increased legal scrutiny and reputational vulnerability, it is unthinkable for an organization within this sector not to make every effort to reduce corporate risk and eliminate liability, especially in relation to global data protection challenges. Regardless, explicit consent governed by the GDPR will soon become a necessity rather than a choice. But, predictably, it will be those that move first and proactively that will win out.
The Challenges and their Solutions
CHALLENGE #1: Tightened Data Security & Privacy Protection
SOLUTIONS: ADS ConnectCompliance, Data Management (iBoss)
CHALLENGE #2: Mandatory appointment of a Data Protection Officer
SOLUTIONS: ADS ConnectCompliance Consulting
CHALLENGE #3: Management Strategies for…
- Data Portability (right to easy access to one’s own data)
- Data Erasure (or “the right to be forgotten”)
- Data Breaches (notification within 72 hours)
SOLUTIONS: ADS Data Management (iBoss)
CHALLENGE #4: Operations Strategies for…
- Data Control/Controller (How JN controls their Customer’s Data)
- Data Processing/Processor (Who Handles JN’s Customer Data)
SOLUTIONS: ADS Data Management (iBoss)
CHALLENGE #5: Customer Communications Strategies for…
- Personal Data (Data Subjects)
- Data Subject’s Consent (A Clear and Affirmative Statement)
GDPR COMPLIANCE SOLUTION STATEMENT OF WORK (SOW)
- ConnectCompliance Consulting: To help you identify gaps in the data management and data subject security measures necessary for GDPR compliance, and to get your security operations and processes ready for the GDPR, ADS consultants will assist across the following GDPR-specific streams of work.
  - Data Security and Privacy Protection: Perform a Data Protection Impact Assessment (DPIA) per Article 35 GDPR guidelines, an engagement that helps manage risks to personal information. ADS will advise on building the DPIA process with consideration of the database’s current state of maturity and gaps in security practice against the GDPR standards for information security and incident response practices, to produce a roadmap to compliance.
  - Data Management Strategies: Engagement to identify the data that is currently in and out of scope of the GDPR, and to assist in building data flows/data maps to ensure all data is brought within the scope of GDPR compliance.
  - Data Operations Strategies: Demonstrate compliance as Controller, following the obligations outlined in Article 24.
  - Outsourced Data Protection Officer (DPO) Services: Provide DPO services per Article 37 (Designation of the Data Protection Officer), to include the following duties:
    - monitoring compliance with the GDPR (controller and processor entities)
    - providing advice when conducting data protection impact assessments
    - informing the entity and its employees of data protection obligations
    - cooperating with the various supervisory authorities.
- Data Management iBOSS™
  - Total Compliance Integration (TCI): relative to GDPR Compliance + Data Enrichment
    - Data Security: develop processes to establish appropriate security measures in compliance with Article 32 (Security of Personal Data/Security of Processing).
    - Data Privacy Protection: develop processes to ensure compliance with Article 18 (Right to restriction of processing) and Article 25 (Data protection by design and by default).
    - Data Portability: develop processes to ensure compliance with Article 20 (Right to data portability).
    - Data Erasure: develop processes to ensure compliance with Article 17 (Right to be forgotten).
    - Data Breaches: develop processes to ensure compliance with Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject).
  - Total Data Integration (TDI): Data Management to support ConnectCompliance deliverables
    - Data Control: see “Data Control & Access” on page 13 of the Appendix under “Application Structure”.
    - Data Processing: develop an integrated database for JN.
    - Data Health Analysis: perform a DHA on the current JN customer database to determine the level of improvement, and provide/review DHA reports with JN leadership.
    - Data Enrichment: manage the import process of the current JN customer database and perform data and whitespace append following the DHA.
    - Data Hosting: see “Server Instance” on page 12 of the Appendix under “Technical Backbone”.
- Customer Service
  - ADS will maintain an inbound customer service line staffed during normal business hours.
  - ADS will maintain an inbound customer service email address staffed during normal business hours.
- Disaster Recovery
  - Company will keep two full copies of the iBOSS™ databases, updated as needed, both of which will be accessible; in the case of a serious equipment failure or other disaster, the second copy will be immediately available for processing transactions.