GDPR – The Next Major Data Privacy Challenge
The recent release of information around the new EU General Data Protection Regulation (GDPR) has highlighted a number of areas of the new privacy regulation that will prove challenging for many Financial Services institutions.
In broad terms, the aim of the regulation is to enable citizens to take back control of their own data and to unify privacy regulations across the EU. It is planned to come into law in 2018. The extent of the amendments and additions will drive significant changes in data collection and processing across all parts of the Financial Services sector.
As a replacement for the current data privacy directive, GDPR has extended the privacy scope to cover data held when an organisation or person is in the EU as well as organisations outside the EU that process EU citizen data. The definition of personal data now covers a raft of areas including the usual personal details as well as possible items like photographs and social media content. Additional challenges around a right for a citizen to be forgotten and the ability for citizens to demand access to their data will cause all Financial Services institutions to look very carefully at their policies around the data they hold on their Customers.
New items like requiring explicit consent to the collection of data and its use will now need to be gained and there are some severe fines/sanctions in cases of data breaches. The maximum fine is now €20m or 4% of worldwide annual revenue – whichever the greater! For most Financial Services institutions this is a very significant amount of money.
Due to GDPR, the role of the Data Privacy Officer has now become a great deal more significant due to the impact of potential fines or sanctions due to non-compliance.
Privacy Data Challenges
As the impact of the new privacy regulation begins to be assessed, there are an immediate number of data challenges Financial Services institutions will face. Here we look at just a few to highlight the scale of the challenge.
- Finding Customer data
- A major challenge for any institution is to find all the privacy relevant data across the enterprise. Customer data sits in many different systems and it can be held in many different forms. As well as traditional transactional systems, other systems related to Customer engagement are also in scope. The rise of omni-channel in Financial Services means that Customers can engage through any channel and through any appropriate medium. When Customers do this a digital footprint is usually stored somewhere to record that fact and to support remediation when errors occur or for proof of activity. All of these footprints, for all types of engagement, have the potential to be in scope.
- Examples could include data such as that held in an application log that captures details about a user session executed via a web application, social media feeds when a Customer makes a service request, web analytical systems that capture the Customer journey through an institutions website, a Customer calling the contact centre to make an inquiry or the capture of a paper document from a Customer making an address change. All these examples highlight that Customer data can exist in many applications and in many forms – all of which could be in scope for the new privacy regulation
- Customers making requests to see the data held by an institution on them
- Customers will now have the right to request a Financial Services institution provide them all the details of all the information held about them. Whilst this is the same issue as the point above, the difference here that the information is going outside the institution requiring additional security considerations whilst being a costly exercise to achieve if done manually. What makes this more significant is if that an institution provides this information and has missed something that the Customer knows about. Now the institution is showing that they don’t have their Customers’ data under control and opens themselves up to some form of sanction.
- What to do when Customer data is identified
- Assuming an institution has found all relevant Customer data, there now comes a need to understand what needs to be done with that data. The new GDPR ‘opt in’ clause for the regulation means a Customer is giving consent to the storage and use of their data whilst Financial Services institutions needs to be aware that this consent may apply to certain parts of a Customers’ data and not to others. The increased complexity driven by the right of consent means institutions will need to consider how to best address the use of non-consented data whilst still maintaining transactional and financial integrity across the business.
- Enacting the right to be forgotten
- The GDPR ‘right to be forgotten’ clause will require an institution to remove all relevant Customers’ data from all its systems – upon request. It is unclear how many Customers will enact this request but from recent media articles there will be a significant number and the associated media interest is likely to drive uptake.
- Removing data held in multiple different systems and in multiple different formats is either a very time consuming and expensive manual exercise (with the risk of not having removed all the data) or requires institutions to look at process automation to do this in an industrialised manner. Either approach will require institutions to look carefully at the time, cost and risks associated with each option and build solutions to address them.
Privacy Data Solutions
Whilst this may seem a huge undertaking, there are software approaches available today that will help address some of these GDPR related issues:
- Data Discovery solutions
- Solutions already exist that are designed for ‘data intelligence’ that would be applicable. These solutions automate the discovery of relevant Customer data across a large number applications and data stores. They use flexible, high-performance, scalable scanning techniques to discover Customer data and show results quickly and clearly. These solutions identify all the locations where Customer data is stored and enables the visualization of this through dashboards and reports. The insights gained enable an organisation to quickly understand not just where Customer data resides but also the risks associated with it.
- This is the same solution capability used to identify and analyse sensitive data across an organisation where the insight gained is used to prevent data breaches or inappropriate use of sensitive data.
- Data Masking solutions
- To maintain transactional integrity or comply with financial/accounting regulations, Customer data can be masked to ensure it isn’t used for any other purposes. Solutions exist that enable different types of masking although fundamentally they all enable data to be stored but only visible to those with the authority or need to see it.
- Restrictions on the visibility of data are a common requirement across Financial Services so some institutions may already have these capabilities in place.
- Master Data Management solutions
- One of the cornerstone solutions for most Customer Centricity or Customer360 programmes are solutions that master Customer data (aka MDM)from across the enterprise. As part of the mastering process, data is collected across the enterprise and a range of techniques are applied to match & merge data related to the same Customer. This approach relies on the mastering process to understand whether data records in different systems are related to the same Customer – or not. It is this process that collects data about the same Customer and stores it in a repository for later use.
- With Customer data mastered in a repository, institutions now have the ability to accurately identify records related to the same Customer. If that customer invokes the right to be forgotten, then two opportunities arise:
- If the mastering process is based upon an ‘Analytical MDM’ style then reports can be run that list out all relevant Customer data. This report can then be sent to the relevant business teams who can manually delete the Customer’s records from the appropriate systems. Updates to the Customer master data will show whether all records have been removed (as they will no longer be mastered) and if not, follow up action can be undertaken.
- If the mastering process is based upon an ‘Operational MDM’ style, the mastered Customer data gets flagged for deletion and the underlying technology automatically applies the deletions accordingly.
- This approach relies on the mastering of all Customer data from across the enterprise where Customer touch points/engagements occur.
- Information Lifecycle Management solutions
- Information Lifecycle Management (ILM) is the approach to ensuring data that should be deleted, is done so in an appropriate manner. In many instances, this involves the defining of parameters that control the rules over which data should be deleted, when it should be deleted and how it should be deleted. This is a common requirement in Financial Services that automates the removal of time expired data from systems and then reports outcomes.
- ILM solutions are also used to automate the creation of data repositories from retired applications so the costs of the application are removed whilst a store of data remains for reporting or analytical purposes. This approach can create a new store of Customer data that needs to be included as part of the Discovery process.
GDPR has shown that the need for Financial Services organisation to really get their Customer data under control has now become a major business imperative. The consequences of non-compliance are potentially substantial.
All is not lost. Software solutions already exist that help address a number of the key GDPR data challenges. As a next step, I would start looking – quickly – at the details of the GDPR privacy regulation and the potential solutions available.
Two years may seem like a long time but Financial Services organisations need to be ready as the implications of not being so are potentially very significant.