Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites.
Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. For avoidance of any doubts and to make it easier, you may consider any links to external websites as sponsored links. Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

Beyond the Deadline: What does ongoing GDPR compliance really look like?

Dr.Gero Decker, CEO of Signavio, discusses the importance of mapping out a risk and compliance management framework and the steps required to remain compliant at all times.

Following the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018, organisations will have to fundamentally alter the way they handle, source, and distribute data collected from partners or clients residing in the European Union. This will add to the increasing regulations announced in 2018 so far, with banks still figuring out how to comply with Mifid II and PSD2 regulations. GDPR offers a range of significant challenges and opportunities for businesses of all sizes. But, the question on everyone’s mind is, are Banks ready for it?

By following a few steps, they can be better prepared. For starters, it is imperative to understand the key provisions of GDPR to prepare for the challenges ahead. Once understood, these provisions can be broken down into manageable steps to ensure a business is best-placed to thrive under the new data protection requirements across the EU. There also needs to be a change of mind-set within organisations, with members of staff preparing themselves for the changes to come. This is not solely restricted to the C-suite of a company, but trickles down to any staff member directly handling client data. It is no longer enough to say you are doing things right; you have to be able to prove that your staff is doing things right. Without documented processes and mechanisms, which both track customer application and employee consensus, your business is at risk.

The next step would then be to ensure that all customer data is being properly maintained. Under GDPR, records need to be kept on all customer personal data held – where it came from and who it is shared with. Looking into record-keeping procedures will allow organisations to also reflect on procedures for data processing and whether they are compliant with the new regulation.

Procedures to handle data breaches have been a legal requirement for organisations for many years, with cyber-attacks costing a global average of $3.6 million[1]. This requirement has, however, become turbo-charged under GDPR. In the event of a personal data breach, data controllers must notify their relevant supervisory authority within 72 hours, with a failure to notify resulting in fines up to GDP 10 million. Clearly, time is of the essence. A violation response needs to be modelled in advance, with step-by-step guidance for employees to act quickly and aptly.

Optimizing the above processes by analysing and eliminating unexpected variations is vital. This will also ensure the most efficient and effective means of making sure the process becomes part of ‘business as usual’. Ensuring the whole process is clearly documented removes the margin for error, significantly reducing the likelihood of non-compliant behaviour, and makes certain that the decision-making process is tracked and approvals recorded appropriately. Highlighting all of the Risks and the Controls and ensuring that these processes are embedded in the system comes down to a systematic approach, taking it one step ata time and then optimising along the way.

Being transparent during the collection of data will also enable customers to understand how they can access their personal data records, as they have a right to do so under the new regulation. It will provide a comprehensive foundation for establishing processes for receiving, assessing and responding to client requests for access to their data and reduce response time. These processes can also be used to acquire customer consent. An important change under this regulation is to ensure consent is now explicit and unambiguous. Offering key staff, specifically those dealing with customer requests and consent, decision models and procedural guidelines will also ensure efficiency within the system.

Organisations that process data on a large scale and are engaged in regular and systematic monitoring are also required to appoint a designated Data Protection Officer.The up-skilling of the workforce is also essential, to ensure they are on the same page and can work collaboratively to achieve compliance. A shared communication platform will enable all staff to designate responsibility while also taking a collaborative and transparent approach to data processing.

Achieving compliance can be streamlined into distinct checks and procedures. Ensuring comprehensive record-keeping while enabling efficient and automated data collection will establish the right internal controls within banks and financial services firms. This will be further complimented by collaboration and responsiveness from staff. Compliance can hence be embedded in the banking system, moving away from ad hoc reactions to robust responses.