Dr.Gero Decker, CEO of Signavio, discusses the importance of mapping out a risk and compliance management framework and the steps required to remain compliant at all times.
Following the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018, organisations will have to fundamentally alter the way they handle, source, and distribute data collected from partners or clients residing in the European Union. This will add to the increasing regulations announced in 2018 so far, with banks still figuring out how to comply with Mifid II and PSD2 regulations. GDPR offers a range of significant challenges and opportunities for businesses of all sizes. But, the question on everyone’s mind is, are Banks ready for it?
By following a few steps, they can be better prepared. For starters, it is imperative to understand the key provisions of GDPR to prepare for the challenges ahead. Once understood, these provisions can be broken down into manageable steps to ensure a business is best-placed to thrive under the new data protection requirements across the EU. There also needs to be a change of mind-set within organisations, with members of staff preparing themselves for the changes to come. This is not solely restricted to the C-suite of a company, but trickles down to any staff member directly handling client data. It is no longer enough to say you are doing things right; you have to be able to prove that your staff is doing things right. Without documented processes and mechanisms, which both track customer application and employee consensus, your business is at risk.
The next step would then be to ensure that all customer data is being properly maintained. Under GDPR, records need to be kept on all customer personal data held – where it came from and who it is shared with. Looking into record-keeping procedures will allow organisations to also reflect on procedures for data processing and whether they are compliant with the new regulation.
Procedures to handle data breaches have been a legal requirement for organisations for many years, with cyber-attacks costing a global average of $3.6 million. This requirement has, however, become turbo-charged under GDPR. In the event of a personal data breach, data controllers must notify their relevant supervisory authority within 72 hours, with a failure to notify resulting in fines up to GDP 10 million. Clearly, time is of the essence. A violation response needs to be modelled in advance, with step-by-step guidance for employees to act quickly and aptly.
Optimizing the above processes by analysing and eliminating unexpected variations is vital. This will also ensure the most efficient and effective means of making sure the process becomes part of ‘business as usual’. Ensuring the whole process is clearly documented removes the margin for error, significantly reducing the likelihood of non-compliant behaviour, and makes certain that the decision-making process is tracked and approvals recorded appropriately. Highlighting all of the Risks and the Controls and ensuring that these processes are embedded in the system comes down to a systematic approach, taking it one step ata time and then optimising along the way.
Being transparent during the collection of data will also enable customers to understand how they can access their personal data records, as they have a right to do so under the new regulation. It will provide a comprehensive foundation for establishing processes for receiving, assessing and responding to client requests for access to their data and reduce response time. These processes can also be used to acquire customer consent. An important change under this regulation is to ensure consent is now explicit and unambiguous. Offering key staff, specifically those dealing with customer requests and consent, decision models and procedural guidelines will also ensure efficiency within the system.
Organisations that process data on a large scale and are engaged in regular and systematic monitoring are also required to appoint a designated Data Protection Officer.The up-skilling of the workforce is also essential, to ensure they are on the same page and can work collaboratively to achieve compliance. A shared communication platform will enable all staff to designate responsibility while also taking a collaborative and transparent approach to data processing.
Achieving compliance can be streamlined into distinct checks and procedures. Ensuring comprehensive record-keeping while enabling efficient and automated data collection will establish the right internal controls within banks and financial services firms. This will be further complimented by collaboration and responsiveness from staff. Compliance can hence be embedded in the banking system, moving away from ad hoc reactions to robust responses.