Now GDPR has launched, companies should be investing in technology to support their data, according to a panel at the Global RegTech Summit 2018 in May.
The general data protection regulation has been in force for just over a month, and while businesses rushed to get ready for it, the main priority is where to invest. The panel at the RegTech Summit, which included senior staff from EY, BigID, HSBC and Aqubix, discussed whether financial institutions were ready for GDPR and what the challenges are going a rising following the implementation.
Investing into data risk is key to supporting both GDPR compliance, but also furthering the privacy issues facing businesses. BigID senior director of privacy strategy Debra Farber led the topic, stating that organisations cannot afford to just ignore this information, they need to know where all their data is.
She said, “If I were spending my money, I would be behind technology that can help you assess where the data lives across your enterprise. You need to be able to understand what that risk level is and based on those risks, then be able to action upon the data in any way that you need to. Whether it’s a subject access requests, whether it’s you want to document the data collection process and the consents, so that you could prove to regulators that you were complying with GDPR.”
However, accessing this data will likely bring out more risks, as a business could potentially find hidden deep in their data is information they are not meant to have, and they have been using it. If a company is using legacy data and they use some new technology to correlate data, it could bring out new information on the identities of individuals which had previously been lost or hidden. This brings out new challenges that have to be addressed and not just swept under the carpet, as it breaks GDPR compliance.
Although, this is not an issue that needs an instant fix. “The regulators have stated that they are underfunded and don’t really have the ability to regulate out of the gate and come out with the hard hammer. They’re really going to be looking at organizations that haven’t complied with the spirit of the regulation, and I they know that we’re all trying to work here quickly to a deadline.”
Aqubix CEO Kristoff Zammit agreed with Farber, as the issue isn’t having the software in place, its having the process that will help to find the relevant data. He stated that commissioners are not going to be implementing fines for not having technology in place immediately as it is a progression that will take time. The main issue is from customers requesting their information and a company making sure they can audit it and handle the task.
Zammit said, “I’m not afraid of the software, it’s having an operational process flow in place whether manual or documented or policy driven. However, having prepared yourselves to listen when a request comes in, where do I look for the data, how do I build it, how do I send it to the client securely, how do I send a portability request, how do I update the data?”
Many large financial institutions tend to outsource a lot of their processes to help manage with the scale of their business. This causes issues for new regulations like GDPR, with a lot of trust needing to be given to third-parties to comply. These organisations need to not just have contractual obligations set in motion, but ensure that measures are being taken to comply.
HSBC associate general counsel for data privacy advice and risk management, Mark Reynolds, said: “Unfortunately, I think, pragmatically it can be quite difficult to get 100 percent assurance until something does go wrong because you can never be 100 percent assured, all of the time. But I think with the GDPR lens on, it’s important to just perhaps review your third-party assurance mechanisms, consider how do they need to be updated for the GDPR, what further questions do you need to be having, quite often, how can you support your vendors?”
Reynolds believes the vendors are eager to be compliant, but sometimes financial institutions need to go a step further to explain what they expect and how they can help them to achieve these goals. He added, “I think it’s just building GDPR into that ongoing life cycle and making sure that it’s really updated to deal with those requirements.”
Outside of the EU?
GDPR only impacts companies doing business within the EU. This only impacts this side of operation and means a company does not need to implement the same GDPR compliance measures for customers outside of the EU. This has brought up a lot of attention to whether other countries will look to implement a similar measure. A lot of this focus has been put towards the US, and if a similar regulation will be implemented in the near future.
Privacy has been a hot topic in Europe and BigID senior director of privacy strategy Debra Farber believes that it has caught the attention of Americans. A majority of global companies are not looking to implement new privacy rules across all countries of operation, just the ones impacted by GDPR. Having a lower level of privacy can bring fear and doubt over why there is this different regulatory system for just the EU and why is it not being implemented in other countries.
She said, “I think that that’s actually making Americans pretty upset because they didn’t realise, that we view privacy from more of a consumer protection perspective. So, the US really only regulate if there’s going to be a harm that is perceived, whether it’s financial or another type of harm and not just like, I didn’t like that you processed my data. However, in the EU, it’s approached from your privacy is a human rights issue.”
To get a GDPR esc regulation to be deployed to the US would rely on the political will of the country, as the current environment wouldn’t fit with the legislation. The main challenge is to find a way of making it work in the US model. While there might be desire from a customer point-of-view, it might not be from the business lobby or government.
Farber added, “I do believe companies are going to have to figure out, do I have one set of standards, in terms of security and privacy and data protection and make GDPR the standard so it’s just easier to do business and not have multiple compliance teams with different rules. Or, do you want to segment it out because at least in some jurisdictions you can do more with the data and add more experts and technology.”
Copyright © 2018 RegTech Analyst
Copyright © 2018 RegTech Analyst
