Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

A QUICK GUIDE TO GDPR

By Alexandre Mollard, Head of Compliance at Lombard International Assurance

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy in 20 years. After four years of preparation and debate, the regulation was finally approved and adopted by the EU Parliament in April 2016 and is set to be enforced in under a year, on 25 May 2018.

With the GDPR, the European Commission intends to increase individual’s fundamental rights to data protection, in particular with respect to the processing of personal data, and strengthen obligations against companies, while unifying the regulation in the EEA.

Within this, one of the Commission’s primary objectives is to give citizens back the control of their personal data – something that is particularly important in an age where digital processes handle ever greater quantities of sensitive personal data.

This means that the GDPR is at the centre of relationships between individuals to whom personal data belongs and the companies that take responsibility for it. This is a complex relationship and one that is sure to evolve as the regulation becomes better understood, but one thing is already clear: in order to really give individuals the control that has been promised, regulation is not the only area that needs to evolve.

Businesses must also incorporate data protection into their strategy, structure and company culture and Data Protection Officers (DPO) need to act as an interface between the company, the individual and the regulator.

Adapting to the GDPR

The GDPR will impact businesses of all descriptions and in every industry. Some sectors, like finance, have already responded to increased scrutiny on clients’ data security and are therefore perhaps better prepared to meet the demands of the regulation. However, this does not apply to all companies and some still do not have proper governance around personal data.

Indeed, the secure processing of personal data has often been lower on the business agenda and greater attention and resource has been spent on processing special categories of data such as CCTV surveillance, telephone recording or email monitoring. Moreover, in many instances data protection has fallen somewhere in between the activities of compliance and legal teams, leading to a reluctance to accept responsibility and, consequently, accountability for any issues.

This is unsustainable and this new piece of regulation presents a unique opportunity to clearly delineate responsibility and ownership for these key functions. This is where the Data Protection Officer’s role will come into its own.

This person should be responsible for the creation and management of a personal data register, which should ideally be built around the new GDPR requirement. Therefore, it should outline the objective of the data processing, its legitimacy, appropriateness, accuracy of personal data collected,security, transfers in/out (not automatically linked to an outsourcing arrangement) and archiving principles. All of this must be done in a way that will allow for an assessment not only of the compliance of personal data processing, but also what actions should be taken off the back of it.

In order to make this process as efficient as possible, Data Protection Officers should be supported by “data owners”, such as departmental heads, who can help equip and maintain each personal data register. This is a key point, as data protection cannot be managed by one person alone, siloed to a separate part of a business. An effective response to the GDPR should come from Senior Management downwards to ensure that all key stakeholders are on-board and that the whole process is properly documented and implemented.

This is of course a somewhat intimidating project and will undoubtedly be a challenge for many. Ensuring that data protection infiltrates the very heart of a business requires a strategic and measured approach, ensuring that one does not over-engineer the process. It’s helpful to remember that, in practice, all areas of work can be defined as one of the following three work-streams:

  • IT Systems
  • Governance
  • Legal

All activity that falls under ‘IT Systems’should cover both the changes that need to be implemented in current systemsin order to comply with the GDPRand the key features that are expected from any new IT systems.

It is likely that large-scale upgrades will be required but, where no changes are suggested, it is still important to document and explain why things cannot be changed (for example, technical or legitimate reasons or costs) and what mitigating controls are already in place.

The second work-stream on ‘Governance’should cover the changes to corporate documentation and the respective data protection policies and procedures. Essential to this is a detailed review of who is responsible for each element of a data protection scheme.

The third stream on ‘Legal’ should cover the review and updates to legal documentation and contractual agreements. It should also include a review of individuals’ rights, including how employees consent should be obtained with respect to the subordinated relationship with the employer to demonstrate it was given freely. All data transfers, including outsourcing arrangements also fall under this stream.

Those three work-streams should take into consideration any potential gap from the 1995 directive. The “back-book” which keeps a registry of such things as contractual documentation with clients, employees or external providers should be assessed to ensure that contracts are in line with the GDPR principles including rights of individuals, relationship with providers and outsourcing to a third-country, amongst others.

Taking all these factors into account should make the process of complying with the GDPR rules manageable and maintainable. This is an issue that won’t be solved over-night, so instilling the foundations of data protection into the heart of businesses and employees will be productive in helping meet the demands effectively and productively.