BECM Newsletter | July 2019 1 of 8

Addressing the GDPR challenge with Avaloq

Article by: Orbium and Avaloq Evolution AG

Authors: Adam D. Wisniewski, Senior Manager, Orbium
Dominique Im Obersteg, Head of Consulting Services CH/FL, Avaloq Evolution AG

On 25 May 2018, the General Data Protection Regulation (GDPR) became enforceable throughout the European Union. Switzerland is expected to follow suit in 2020 with an update of the Federal Act on Data Protection (FADP).

Avaloq now provides a new solution for one of the central GDPR articles, the ‘right to erasure’. Let us support you on your journey to compliance.

GDPR impact and structure

In times when business models across many industries are increasingly reliant on collecting and processing data - and customer data in particular - a regulation like the GDPR has fundamental implications for data ownership, transparency, responsibility and accountability:

• The GDPR confirms that data belongs to the customer along with all corresponding rights. For example, the right to erasure, to amend or to receive data or to transfer it to another entity.

• Any company collecting or processing customer data - the data controller or the processor - has to be fully transparent regarding those activities and must seek the consent of the customer for their data-related operations and clearly explain their purpose.

• Companies have to understand the potential risks, ensure supervision, set up processes for reporting to customers and authorities and identify a controller - the Data Protection Officer (DPO) - for all activities that affect customer data.

• Any breach of these rules may result in severe penalties.

While all the articles of the GDPR have to be addressed in order to be compliant, smart strategic decisions early in the process of implementing the GDPR/FADP will ensure the right prioritisation and help in identifying the appropriate bank-specific implementation options.

The following strategic objectives should be considered in order to lay the foundation for optimal implementation:

• Understanding and mitigation of the risks related to each of the GDPR articles

• Involvement, education and buy-in of all relevant parties

• Robust technical execution - facilitating further developments in data management

• A focus on best possible customer service

• Ideally, integration into a comprehensive organisation-wide data strategy

Use Case: right to erasure and Avaloq’s data deletion enforcement solution

One of the core articles of the GDPR is Article 17, which provides for the ‘right to erasure’, or the ‘right to be forgotten’. As this is also one of the most complex issues, and one that has to be addressed with a technical solution, Avaloq has developed a core module within the Avaloq Banking Suite to provide a framework for the implementation of this use case - the wiping functionality. Incidentally, this solution also partially covers the articles ‘Consent’ and ‘Lawful basis for processing’.

In its solution, Avaloq will enable banks to erase or substitute (with dummy data) data subjects’ personal data whenever required by data subjects and if not in contradiction with other regulations.

Banks should be aware that personal data is currently processed in:

• the Avaloq Banking Suite

• payment gateways e.g. Swift Alliance

• the data stage and staging area

• the archiving system

The Avaloq GDPR solution is built on the following principles:

Functional building blocks

• Differentiation between triggering objects and dependent objects in the enterprise-wide object model

• Calculation of object and order dependencies, where the system runs through the list of defined links to identify which objects belong together

• Determining which triggering object is a candidate for wiping

• Validation of checks to either exclude the entire structure of a triggering object or a single item from wiping

• Optional two-step process to allow recovery from either business errors or faults in the model description

• High degree of automation for subject access requests

Re-use of existing frameworks

• Building on the same model of sensitive attributes, as used in ‘Sensitive Data Separation’ and ‘Anonymisation Framework’

• Making use of and extending the Personal Data Wiping framework

• Utilisation of the existing authorisation framework for two-step wiping

Customisation flexibility

• Explicit modelling of model dependencies and their relevance to client data structures

• Customisable exit criteria to exclude single items from a wiping structure (e.g. generic document objects, global hold-mail address placeholders)

• Elaborate logging mechanisms to trace exceptions
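To make the building blocks above concrete, the following is an added illustration of how such a wiping engine can be structured; it is constructed example code, not Avaloq's implementation. The object kinds, link definitions, sensitive-attribute table, candidate rule (erasure requested and no legal hold) and exit criteria are all assumptions chosen to mirror the principles listed: a dependency calculation walks the defined links from a triggering object, checks exclude either the whole structure or single items, step 1 only records the structure so it can be abandoned, and step 2 substitutes sensitive attributes with dummy values while exceptions are logged.

```python
"""Two-step personal data wiping over a model of triggering and dependent objects.

Constructed example, not Avaloq's code. Object kinds, links, sensitive
attributes, the candidate rule and the exit criteria are assumed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Obj:
    oid: str
    kind: str                       # e.g. "person" (triggering) or "address" (dependent)
    attrs: dict = field(default_factory=dict)
    wiped: bool = False


# Assumed link definitions: (parent kind, child kind, attribute on the child holding the parent id).
LINKS = [
    ("person", "address", "person_id"),
    ("person", "contract", "person_id"),
    ("contract", "document", "contract_id"),
]

# Assumed sensitive-attribute model: attribute -> dummy value substituted on wiping.
SENSITIVE: Dict[str, Dict[str, str]] = {
    "person": {"name": "WIPED", "birth_date": "1900-01-01"},
    "address": {"street": "WIPED", "city": "WIPED"},
    "contract": {},
    "document": {"title": "WIPED"},
}

# Assumed exit criteria: return a reason to keep a single item out of the wiping structure.
EXIT_CRITERIA: List[Callable[[Obj], Optional[str]]] = [
    lambda o: "generic document" if o.kind == "document" and o.attrs.get("generic") else None,
    lambda o: "global hold-mail placeholder" if o.kind == "address" and o.attrs.get("hold_mail_global") else None,
]


class WipingEngine:
    def __init__(self, objects: List[Obj]):
        self.objects = {o.oid: o for o in objects}
        self.marked: Dict[str, Set[str]] = {}   # step-1 state: trigger oid -> structure to wipe
        self.log: List[str] = []                # exception trace

    def dependencies(self, trigger: Obj) -> Set[str]:
        """Run through the defined links to collect every object belonging to the trigger."""
        found, frontier = {trigger.oid}, [trigger]
        while frontier:
            parent = frontier.pop()
            for parent_kind, child_kind, ref in LINKS:
                if parent.kind != parent_kind:
                    continue
                for o in self.objects.values():
                    if o.kind == child_kind and o.attrs.get(ref) == parent.oid and o.oid not in found:
                        found.add(o.oid)
                        frontier.append(o)
        return found

    def is_candidate(self, trigger: Obj) -> bool:
        """Assumed rule: wipe only on request, and a legal hold excludes the entire structure."""
        if not trigger.attrs.get("erasure_requested"):
            return False
        if trigger.attrs.get("legal_hold"):
            self.log.append(f"{trigger.oid}: excluded entire structure (legal hold)")
            return False
        return True

    def mark(self, trigger_oid: str) -> Set[str]:
        """Step 1: compute and record the wiping structure; no data is changed yet."""
        trigger = self.objects[trigger_oid]
        if not self.is_candidate(trigger):
            return set()
        structure: Set[str] = set()
        for oid in self.dependencies(trigger):
            o = self.objects[oid]
            reason = next((r for r in (check(o) for check in EXIT_CRITERIA) if r), None)
            if reason:
                self.log.append(f"{oid}: excluded single item ({reason})")
            else:
                structure.add(oid)
        self.marked[trigger_oid] = structure
        return structure

    def unmark(self, trigger_oid: str) -> None:
        """Recovery path: abandon a marked structure before it is executed."""
        self.marked.pop(trigger_oid, None)

    def execute(self, trigger_oid: str) -> int:
        """Step 2: substitute sensitive attributes with dummy values; returns objects wiped."""
        count = 0
        for oid in self.marked.pop(trigger_oid, set()):
            o = self.objects[oid]
            for attr, dummy in SENSITIVE.get(o.kind, {}).items():
                if attr in o.attrs:
                    o.attrs[attr] = dummy
            o.wiped = True
            count += 1
        return count


def sample_engine() -> WipingEngine:
    """Constructed sample data: one wipeable person, one under legal hold."""
    return WipingEngine([
        Obj("P1", "person", {"name": "Jane Doe", "birth_date": "1980-05-01", "erasure_requested": True}),
        Obj("A1", "address", {"person_id": "P1", "street": "Main St 1", "city": "Zurich"}),
        Obj("A2", "address", {"person_id": "P1", "street": "Hold mail", "city": "-", "hold_mail_global": True}),
        Obj("C1", "contract", {"person_id": "P1"}),
        Obj("D1", "document", {"contract_id": "C1", "title": "Jane's statement"}),
        Obj("D2", "document", {"contract_id": "C1", "title": "Terms", "generic": True}),
        Obj("P2", "person", {"name": "John Roe", "erasure_requested": True, "legal_hold": True}),
        Obj("A3", "address", {"person_id": "P2", "street": "Side St 2", "city": "Basel"}),
    ])


if __name__ == "__main__":
    engine = sample_engine()
    print("structure for P1:", sorted(engine.mark("P1")))
    print("structure for P2:", sorted(engine.mark("P2")))
    print("objects wiped:", engine.execute("P1"))
    print("\n".join(engine.log))
```

Running the block marks P1's structure as P1, A1, C1 and D1 (the hold-mail placeholder A2 and the generic document D2 are excluded by the exit criteria), refuses P2 entirely because of the legal hold, and only then substitutes the dummy values; calling `unmark` between the two steps is what gives the recovery point the two-step process is there for.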

Part of the Avaloq GDPR solution has been available since May 2019, and the community rollout is planned for July 2019. You can request a fact sheet from your key account manager.

While the Avaloq GDPR solution should greatly simplify the implementation as well as the maintenance of this functionality, banks still need to undertake other activities. In addition to setting up associated processes, such as the handling of customer requests or the reporting of results, further technical aspects have to be considered. The following list, while not exhaustive, provides some guidance:

• Understanding the customer base, i.e. which customers the GDPR and the updated FADP apply to

• Analysis of the account structures as well as the relations between accounts and customers in order to design a consistent wiping set-up

• Interfaces with third-party systems as well as wiping functionality within those to ensure data consistency and completeness of the function

Finally, data sources outside of the infrastructure that connect to Avaloq have to be identified and included in the activities; these might be independent systems, emails, PDFs or even paper-based documents.

Avaloq Consulting and Orbium support their clients with a strategic approach to GDPR

Avaloq Consulting and Orbium have jointly developed a modular approach to help their clients address the GDPR in general and prepare for the Avaloq GDPR solution release.

Every client has their own specific starting position - be it customer base, technical set-up or risk appetite. It is therefore key to define a GDPR strategy and then select an implementation option that is aligned with the strategy.

Next steps

It is crucial to define the right strategy from the outset and involve and educate all relevant parties - Compliance, Business and IT. We can help you jumpstart the activities with a workshop that brings together your key stakeholders with experts from Avaloq Consulting and Orbium.

Contact