
General Data Protection Regulation

General Data Protection Legislation: Safeguarding personal data in a responsible and compliant way


Target started its GDPR journey in 2016; we have made sense of the legislation and created a “GDPR Toolkit” to help us execute safely. Work is underway and we are confident that we will achieve compliance and accreditation.

This short and easy to understand paper represents our considered point of view in respect of what you need to know and provides guidance to help you focus on doing the right things in the right way.

GDPR at a glance…

The main body of this document explores in more detail our thinking in respect of an effective approach to achieving GDPR compliance.

The following diagram provides an illustration of the primary practical areas for your consideration. These should be included in any approach to achieving GDPR compliance.

Firms do however, need to tailor their approach to take into account the levels of current DPA compliance, complexity of IT landscape, in-flight regulatory activities, geographies and maturity of existing data management capabilities.

Smart organisations will look to drive benefits from exploiting synergies with other growth, efficiency and compliance imperatives, which are included within their overall strategic plans.

Why do we need another GDPR document?

Everywhere you turn there seems to be another webinar, breakfast briefing or white paper on GDPR, all promising to shed light on what organisations practically need to do to become compliant ahead of May 2018. In reality, there is a distinct lack of practical advice from people who are actually involved in doing the work.


Diagram: GDPR at a glance. General Data Protection Regulation requires a blend of capabilities tuned for your organisation.

Technology
• Customer facing functionality: effective management of consent & subject rights activity.
• Personal data life cycle: effective tracking, movement, quality management and deletion.
• Cyber security: robust perimeter fence providing protection from cyber crime.

Customer
• Extended responsibilities: ensuring third party partners are operating an effective GDPR regime, safeguarding personal data.
• Customer experience: effective handling of subject rights requests; responsive, transparent and focused on good outcomes.
• Rights notifications: effective communication advising on GDPR impacts.

People, Policy & Process
• Organisation & governance: defined data protection accountabilities, supporting policies and governance forum.
• People capability: people are trained, processes tuned for GDPR and the organisation is data and insight literate.
• Data access: clear controls to only hold and access the data required.

Other strategic agendas (outer ring of the diagram): Cost of Risk & Regulatory Compliance; Data & Insight Led Organisation; Revenue Growth & Customer Satisfaction; Cost Efficiency & Enabled Workforce.


www.targetgroup.com


Key GDPR facts:

Data scope: It is designed to protect any data and information relating to an identifiable natural person. It covers employees, customers and prospective customers.

Use scope: It covers all aspects of creating, storing, transferring, updating, and deleting data. It includes all physical and electronic formats (including voice recordings) and individual data items held within images (letters, legal documents, etc.).

Timing: First proposed by the European Commission in January 2012, the regulation was formally adopted by the European Union on 27th April 2016. GDPR takes effect on 25th May 2018.

The UK’s Information Commissioner’s Office (ICO) has confirmed that this will be implemented in the UK irrespective of Brexit.

Key GDPR differences to existing legislation:

Consequences and motivation: With fines of up to €20m or 4% of worldwide annual turnover (whichever is higher) and the reputational risk associated with non-compliance or breach, the impacts are considerable.

Greater accountability: The new accountability principle requires explicit demonstration of compliance.

Evidence focus: The legislation provides examples of appropriate technical and organisational measures that ensure compliance can be demonstrated.

Controller and Processor emphasis: Although GDPR exposes the processor to liability, the processor’s primary obligations are a) to keep the data safe, and b) to follow the instructions of the controller. Like the DPA, GDPR is primarily aimed at controllers.

New concepts and increased emphasis: Data subjects are given more rights; consent management requires an explicit opt-in and there is greater protection afforded to ’sensitive data’. It is also expected that organisations will adopt new technologies and introduce new organisational capabilities to aid with compliance. These are just some of the changes which come with GDPR alongside an increased level of regulatory scrutiny.

The current landscape

What’s changing? The Data Protection Act 1998 replaced and consolidated earlier legislation such as the Data Protection Act 1984 and the Access to Personal Files Act 1987. GDPR will replace this legislation.


Is compliance with the current Data Protection Act enough?

A high quality DPA regime will get you a long way, but compliance with the DPA alone will not be enough to ensure compliance with GDPR.

In reality, it is already difficult for many large organisations to maintain their levels of DPA compliance, not least due to the genuine challenges of mergers, acquisitions and technological advances, and because more data is being generated today than at any other time in human history.


How to deliver compliance

How to approach the GDPR work in a structured and systematic way:

GDPR creates another investment burden at a time when revenues are under pressure and Cost Income Ratios are in the spotlight; organisations need their GDPR initiatives to go well.

A structured and deliberate approach is essential. With so much to do and a fast approaching deadline it would be easy to confuse activity with progress or to falsely believe that current DPA compliance is sufficient; find time to reflect on your approach and challenge if it’s heading towards delivering the right compliance outcomes. There is still time for course correction!

Careful review of the following four focus areas, each with its completeness check question, will help assess if you are on track:

1. Assessing key dimensions of change - is each area getting the right focus and priority?
2. Understanding how GDPR affects your organisation and tuning your approach - will you be able to evidence business engagement, awareness and compliance?
3. Structuring your GDPR change framework - do you have a clear and structured view of what requires change?
4. Recognising and overcoming practical delivery challenges - are you set up for success?


Key dimensions of change - is each area getting the right focus and priority?

GDPR has the potential to be wide reaching and requires a multi-disciplinary focus.

Different elements will take longer to deliver, so your work really needs to have commenced. An early focus on some of the more straightforward, quicker win areas may get you ahead of the game and avoid some cost and effort in the future.

The time dimension

Compliance from today: Consider what might be quick wins; this can be as simple as modifying change methodologies to ensure personal data is owned and defined, with appropriate quality measures.

→ Ensure that all new and in-flight personal data related projects are joined up and governed with GDPR intent in mind!

Compliance from tomorrow: Consent and treatment of sensitive data figures heavily in the new legislation. This requires origination systems to capture and maintain data in a more sophisticated way than before. This will require changes to customer facing systems and processes, is often problematic, and subject to lengthy lead times with limited IT delivery/deployment slots.

→ Ensure effective design and planning for IT change to support origination activity; the delivery of these changes should be well progressed at this stage!

Resolving the back book: It is recognised that many large firms have inherited a back book of legacy data and systems because of mergers and acquisitions. Cleaning out the back book will be critical to achieving compliance: being able to demonstrate what data is retained and the legal basis on which it is held, issuing updated fair processing notices where appropriate, identifying which business processes are involved in the creation and usage of the data, and showing that it is being processed in accordance with GDPR.

→ This is something with a long lead time which will involve many parts of the organisation; ensure that a dedicated stream of work is underway to give this focus alongside everything else which is going on!


The safe and secure dimension

The perimeter fence: Effective cyber protection is a critical priority as it represents the first line of defence. Successful attacks and subsequent data leakage will make the headlines, attract fines and regulator interest and, importantly, make customers wary of trusting organisations with their business.

→ Ensure your cyber protection is adequate; if you are a data controller, ensure your Third Party partners who are managing data on your behalf also have adequate protection!

The internal ecosystem: We observe terms such as “firms should make use of state of the art encryption techniques”, all well and good providing you don’t have hundreds of systems over a decade or so old! Clearly some protection is afforded by focusing on the ‘perimeter fence’, but GDPR expects privacy by design for legacy platforms as well as newer solutions, and this extends to ensuring there are clearly defined policies, roles & responsibilities, standards and processes. An important part of this consideration is the capability to delete data which is no longer required or which is held without a lawful basis (legitimate interest, consent or contract).

→ This is the biggest focus area and is multi-faceted. Establish a senior working group including the Data Protection Officer, Chief Architect, Chief Data Officer, Legal Counsel and Head of Operations to own the various aspects of your GDPR kit (which is covered in more detail later on)!

The strategic dimension

The strategic imperatives: Attitudes and approaches to harnessing data are a major catalyst for change in financial services at the moment, not least due to cost pressures driving the need for more efficient operations. With legislation such as GDPR on the horizon, coupled with advances in technology, there is a real opportunity for companies to behave in a more strategic and deliberate way to drive value from the undoubted power of data. Firms should join up efforts to reduce costs and to forge better customer relationships and outcomes as a result.

→ Stay focused on GDPR whilst ensuring every opportunity is taken to connect into (inform and be informed by) your broader data strategy and other related in-flight initiatives!


Understanding how GDPR affects your organisation and tuning your approach - will you be able to evidence business engagement, awareness and compliance?

GDPR requires careful design to take into account your specific situation. The levels of current DPA compliance, complexity of IT landscape, in-flight regulatory activities, diversity of product offerings, geographies and maturity of existing data management capabilities will all play a part.

It is necessary to evidence a robust approach, effective engagement and awareness in the business. Critical components should include:

Define themes: Make the topic less daunting and accessible to those people who will be impacted by the change. GDPR comes in at 55,755 words and is difficult to penetrate in its raw form.

→ Group the legislation into relevant themes which practically mean something to your business!

Set out the intent of the legislation: You will need to provide more detail for each theme, including a simple translation of the relevant legal articles into something which means something to your business.

→ Seek legal counsel to interpret the legislation in a way which is relevant to your organisation!

Be clear on your working assumptions: This requires a collaborative approach involving legal counsel, the business and IT teams to determine which parts of the legislation are relevant or will drive change in your organisation.

→ Write down your working assumptions, and ensure these are frequently reviewed and challenged to ensure your approach will deliver compliance!

Be outcome focused: Start with a hypothesis which can be validated during business engagement; it will give shape to what needs to be delivered within a costed, programmatic construct.

→ Create deliverables and work packages which can be costed and form part of a formal and governed programme of delivery!

Engage: The size of your organisation will clearly have a bearing on the number of people who need to be involved with or impacted by GDPR. In any event it would be wise to ensure all key business functions are given the opportunity to assess impacts on their area and take some shared responsibility for defining and executing the work which will need to follow.

→ Seek broad engagement; ensure operational teams take shared ownership for defining and executing the work to achieve compliance!


Structuring your GDPR change framework - do you have a clear and structured view of what requires change?

The following table has been extracted from our ‘GDPR Toolkit’; it sets out the key themes to be considered along with some examples of focus areas which are likely to require redesign and potentially IT systems change.

Key theme: Fair processing & consent
Purpose: We access, store and transfer data lawfully.
Examples of focus areas:
• Data flows are mapped for the organisation.
• Electronic and physical data can be deleted effectively.
• Customer consents and preferences are actively managed, updated and drive the processes applied to each customer.

Key theme: Automated decision making
Purpose: Our systems’ decisions are based on specific consents.
Examples of focus areas:
• Systems and processes restrict the use of ADM to only where appropriate consent exists.
• ADM is specifically identified in data flow maps.

Key theme: Subject rights
Purpose: People’s ability to request information and challenge.
Examples of focus areas:
• Adapt subject request handling and record keeping (not just DSAR) to deliver changes in line with new rights, response times and fees.
• Ensure letters to customers reference GDPR.

Key theme: 3rd parties
Purpose: Compliance scrutiny of suppliers.
Examples of focus areas:
• GDPR compliance of 3rd Parties through data & security audits.
• Enhance ongoing 3rd Party governance regime.

Key theme: Overseas transfers
Purpose: Data is managed within EEA boundaries.
Examples of focus areas:
• Establish appropriate policy, processes and technical mechanisms that govern the flow of data outside of the EEA.

Key theme: Governance
Purpose: Policies and controls are fit for purpose and tested.
Examples of focus areas:
• Ensure clarity of responsibilities and the implications of controller / processor status for the organisation.
• Update policies into the existing enterprise risk framework.
• Enhance internal data training and development.

Key theme: Data Breach
Purpose: We manage breaches, record and report.
Examples of focus areas:
• There is an appropriate Data Breach policy in place, supported by relevant processes, templates and systems.

Key theme: Privacy by design
Purpose: Systems are built on the right foundations.
Examples of focus areas:
• Data governance is embedded within system design.
• Processes & systems are designed with GDPR in mind.

Key theme: Security
Purpose: Our cyber protection is resilient and regularly assessed.
Examples of focus areas:
• Appropriate cyber security is in place to protect the ‘perimeter fence’.
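Several of the focus areas above (deleting data that is no longer held on a lawful basis, letting consent drive the processes applied to a customer, restricting automated decision making to where a specific consent exists, and governing transfers outside the EEA) can be enforced as decision logic over a personal-data inventory rather than left as policy text alone. The following example is added here for illustration and is not part of Target’s GDPR Toolkit or any real system; the Record layout, the three lawful-basis names, the in-scope country allow-list, the retention periods and the sample inventory are all assumptions made for the example.

```python
"""Lawful-basis-driven checks over a personal-data inventory.

Added illustration, not Target Group's toolkit. The Record layout, the three
bases named on the page, the in-scope country allow-list and every retention
period below are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Tuple


class Basis(Enum):
    # The three lawful bases the page names; Art. 6 GDPR lists others too.
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGITIMATE_INTEREST = "legitimate interest"


# Assumed allow-list of countries treated as inside the EEA boundary for this
# example. A real inventory would carry the full list plus adequacy decisions.
IN_SCOPE_COUNTRIES = frozenset({"GB", "IE", "DE", "FR", "NL"})


@dataclass(frozen=True)
class Record:
    """One entry in a hypothetical personal-data inventory."""
    subject_id: str
    basis: Basis
    collected: date
    retention: timedelta          # how long the stated purpose justifies holding it
    consent_active: bool = True   # meaningful only when basis is CONSENT
    adm_consent: bool = False     # a specific consent to automated decision making
    special_category: bool = False
    storage_country: str = "GB"


def must_delete(rec: Record, today: date) -> Tuple[bool, str]:
    """Decide whether a record may still be held. The reason is returned as
    well so the decision can be evidenced under the accountability principle."""
    expiry = rec.collected + rec.retention
    if rec.basis is Basis.CONSENT and not rec.consent_active:
        return True, "consent withdrawn"
    if today > expiry:
        return True, "retention period expired"
    return False, f"held under {rec.basis.value}, retention runs to {expiry:%Y-%m-%d}"


def adm_permitted(rec: Record) -> bool:
    """Automated decision making only where a specific, live consent exists."""
    if not rec.adm_consent:
        return False
    if rec.basis is Basis.CONSENT and not rec.consent_active:
        return False  # a withdrawn consent stops all processing, ADM included
    if rec.special_category and rec.basis is not Basis.CONSENT:
        # Assumption for this example: sensitive data is only fed to ADM when
        # consent is its lawful basis, reflecting the extra protection it gets.
        return False
    return True


def transfer_permitted(rec: Record, destination: str) -> bool:
    """Overseas transfers: data stays within the assumed EEA boundary."""
    return destination.upper() in IN_SCOPE_COUNTRIES


def review_inventory(records: List[Record], today: date) -> List[Tuple[str, str, str]]:
    """Return an auditable (subject_id, action, reason) row for every record."""
    rows = []
    for rec in records:
        delete, reason = must_delete(rec, today)
        rows.append((rec.subject_id, "delete" if delete else "retain", reason))
    return rows


# Constructed sample inventory for the example; not real customer data.
REVIEW_DATE = date(2018, 5, 25)   # the date GDPR applies from
SAMPLE = [
    Record("S1", Basis.CONSENT, date(2017, 1, 10), timedelta(days=730), consent_active=False),
    Record("S2", Basis.CONTRACT, date(2018, 1, 1), timedelta(days=2190), adm_consent=True),
    Record("S3", Basis.LEGITIMATE_INTEREST, date(2015, 3, 1), timedelta(days=1095)),
    Record("S4", Basis.CONSENT, date(2018, 2, 1), timedelta(days=365),
           adm_consent=True, special_category=True),
]

if __name__ == "__main__":
    for subject, action, reason in review_inventory(SAMPLE, REVIEW_DATE):
        print(f"{subject}: {action:6s} {reason}")
    print("ADM permitted for S2:", adm_permitted(SAMPLE[1]))
    print("Transfer of S2 to US permitted:", transfer_permitted(SAMPLE[1], "US"))
```

The point of returning a reason alongside each action is the accountability principle described earlier: a deletion run that only deletes cannot later demonstrate why a record was, or was not, removed. The same pattern extends naturally to recording the legal basis on which back-book data is held and to flagging records whose lawful basis has lapsed.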


Recognising and overcoming practical delivery challenges Are you set up for success?

In common with the delivery of any wide reaching legislative change, execution will be problematic. Consider if you need to change your approach, having reflected on the topics covered in this document.

The following checklist brings our document to a close and sets out the likely challenges you will need to overcome.

Ensure you have a comprehensive framework based approach.

Engage early at C-level to ensure appropriate awareness, prioritisation and sponsorship.

Recognise that there will be a lack of precision in early estimating, until work commences.

Be transparent when securing commitment to funding, to manage expectations.

Be prepared for the business impact assessment which is likely to be wide reaching.

Identify critical SMEs and have them own aspects of delivery or dedicated workstreams.

Secure an effective flight path and landing slots for technology change.

Determine criteria and optionality in respect of build versus buy of enabling technology.

Find ways to identify duplicated activity across the organisation to join up effort and reduce costs.

Carefully select your trusted advisor/ delivery partner.

For further information on how we can support you to become GDPR ready contact us now on 0845 6506200


About Target Group

Target Group is a leading provider of Business Process Outsourcing (BPO) and operational transformation for over 50 major financial institutions across the globe, including clients such as Goldman Sachs, Morgan Stanley, Credit Suisse, Barclays and Shawbrook Bank.

Our leading fintech platform manages assets in excess of £24 billion, enabling our clients to automate complex critical processing, servicing and administration of loans, as well as investments and insurance. We deliver competitive advantage and enable scalable growth.

Alongside BPO and software solutions, Target leverages deep domain expertise to advise on process improvement, due diligence, and regulatory compliance.

Our systems currently process over 19 million accounts and collect £3 billion of direct debit payments each year on behalf of both private and public sector clients.

In August 2016 we were acquired by Tech Mahindra, a global multi-national specialist in digital transformation. Joining with £4bn Tech Mahindra enables us to bring wider propositions and services to our clients.

For further information about Target Group, please visit www.targetgroup.com or call us on 0845 6506200

A personal note from the authors

“With extensive practice experience in several jurisdictions and more than a decade leading and advising companies on Data Protection matters, I believe GDPR represents a real step change, raising the bar to deliver essential improvements which safeguard the personal data which is entrusted to our care. We are committed to the regime change and to supporting our clients to get ready for it.”

Victoria Meni Battaglia, Head of Legal, Target Group

“With more than 20 years of experience leading the data and information agendas for some of the largest organisations in the world, I truly believe GDPR, if approached effectively, can bring additional tangible value beyond delivering better customer outcomes and compliance alone.”

Richard Gregory, Chief Data Officer, Target Group
