On 24 October, it was reported that the Financial Conduct Authority launched an investigation into the US credit checking company Equifax; almost 700,000 Britons had their personal data misappropriated between mid-May and July this year. The FCA gave evidence on this matter to the Treasury Select Committee on 31 October because of the significant public interest. The FCA has the power to fine Equifax, or strip it of its right to operate in the UK, if it is found to have been negligent with its customers’ data. With European Union governments formally stating that cyber-attacks can be an ‘act of war,’ data protection cannot be taken seriously enough. The Equifax data breach is by no means a solitary data breach – several large organisations such as Dun & Bradstreet, Verifone, Whole Foods, Deloitte, DocuSign, Yahoo! are already part of the mix.
The Government is aligning domestic data legislation with the European Union in an effort at continuity, despite our plans to leave the EU. The Data Protection Bill, is proof that the Government seeks to keep the UK au courant with the newest data law of EU provenance.
The number of internet users is now close to 4 billion. Businesses continue to move their products and services online in order to service their customers. Data continues to grow exponentially and will persist in its travel far and wide – enabled by technology proliferation. The EU’s General Data Protection Regulation (‘GDPR’) has been precipitated by acute necessity. Companies need to review and revise their approach to privacy, security and governance of their data. A holistic, data protection framework is needed that is centred on the customer and encompasses their interactions, experience, sentiment, along with those of advocacy groups, shareholders, and regulators. This is a non trivial exercise and requires interventions at the mindset, policy, information governance & security and process levels, along with enabling technology.
Businesses are heading in the right direction with GDPR, but there is still a long way to go. Implementing this change with the right spirit is fundamental to building trust with customers and partners. Leading Point’s experience helping organisations with these requirements suggests that while significant compliance hurdles exist, a risk-based approach that focuses on five core areas, will be instrumental to success.
1. Give your customers control over their data – a mindset change
Bearing in mind the territorial scope of the GDPR – across the current 28 EU member states, plus, anyone dealing with the EU, most teams within organisations will benefit from the ethos behind the Regulation. A mindset shift from owning your customers’ data to stewarding your customers’ data is required. Give your customers control over their data. Any legal or natural person processing data must believe in the spirit of this sea change – the need
to assume responsibility for stewarding your customers’ data and to provide them with confidence in your processes. GDPR expands on the list of ‘rights’ each data subject is afforded: the right to be informed, the right to
access data records, the right to data erasure, to name a few. Tone at the top matters immensely.
2. Achieve Data Protection by Design
Which department is leading your organisation’s GDPR compliance efforts? A cross-functional team will help in deploying a holistic data protection framework. To start with, the focus must be on classification of the data, its
supply chain and its governance. Therefore, leveraging existing data management initiatives to embed data privacy requirements can really help in ‘data protection by design’. In practical terms, companies need a clear picture on: ‘what types of data do they hold on their customers;’ ‘which types of data is sensitive and requires enhanced security levels;’ ‘who has access to customers’ sensitive data;’ ‘where is this data processed and distributed;’ ‘how does it flow;’ ‘what is its quality;’ and ‘are their checks and controls in place around its flow and access’? The rules are more stringent now, as companies establish the depth of customer data – their interactions, experiences, sentiments – what impressions are left in an organisation’s data stores. The definition of personal data and its inherent breadth has been redefined – ‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’ And so the notion of data minimisation is born. We believe that while there are increasing numbers of quick-fix GDPR solutions in the market, achieving data protection goals is less about technology, and more about energising the organisation into becoming 100% data aware.
Building trust in your data will allow for effective process and controls for data protection, security and governance.
3. The Art of the Process
Focus must be on the ‘process’ exercise – visibility of customer journeys – which processes interact with customer data and the ensuing data lifecycle. Knowing which functions have client-facing processes and ensuring these are
adapted is called for. Threading through specific processes for data collection, data storage, data sharing, access requests and breaches is the focus. Having a command of what happens to personal data, who is involved in gathering it, and responding to Subject Access Requests is important, not least because you will have only a month to respond and cannot routinely charge the current £10. What steps to take in the event of a data breach, how to manage contracts which hold personal data: these are all explicit in the Regulation. For all data processors, we must double down on education and training – on policies, on data governance, on processes and new rules of data. This means highlighting a consistent approach to the different scenarios. Surely the best protection is a body of staff that is wholly informed?
4. Integrating data protection with a risk-based approach
By taking an inventory of obligations to customers via existing contracts and business agreements, organisations can start to manage their stated responsibilities linked to customer data and its management and use. This is a
quick-win.
Data classification and governance exercises will highlight the sensitivity, breadth and depth of data, the access and use of the data held. Data flow will highlight the data processors and third-parties and internal functions involved. Data quality will highlight where data management controls are required to be shored up. In turn, this will flag up priority remediation exercises on customer data.
The aforementioned ‘process’ exercise will highlight key customer-facing process changes, or a requirement to deploy specific data processes referenced by GDPR. Organisations can road-test these processes against the required process turn-around times. For example, data breaches must be reported within 72 hours, and as mentioned above, data subject access requests – one month. Involve your customer services team actively with data protection and security breach scenarios – this will build memory and promote mindset change.
The overarching governance in an organisation will be a key cog in the data protection ecosystem; the Regulation has duly led to the genesis of the Data Protection Officer. Enabling these responsibilities with existing data management governance responsibilities, and appointing data champions, can be an effective approach. Data protection is indisputably everyone’s responsibility, so the emphasis must be on organisational cooperation.
5. Cascading to Third Parties & a Cloud
Third party contracts and the framework that dictates how these are established, must wholeheartedly reflect any changes to the requisite data protection and security obligations. A compliance policy which standardises how third party contracts are established can also be a useful instrument. Data transference should be shored up with model contractual clauses, which allow all parties to clearly realise their responsibilities. We are alive to the persistent risk of cyber attacks, so it is crucial to remember that your data on the cloud is a business issue, as well as an IT issue. Are you fully apprised of where your business stores its data; on the premises, in the cloud, or both? The increasing trend to shift data and infrastructure to a public or private cloud no doubt presents an economic benefit and technology road map for some organisations. But make no mistake, organisations are accountable for their customer data content, its usage, and their security policy for cloud-based storage. Measures such as encryption, pseudonymisation and anonymisation will help, and should be employed as a matter of course, as well as remaining open to select technologies that help underpin cyber defence.
To conclude
When implementing change, evidence-based decision making shouldn’t be the only strategy; knowing which cogs in an organisation interlink cohesively in practice will greatly assist in a robust framework that threads through to
a mindset shift, policy, data, process and third parties. To reinforce an earlier perspective, data is only growing. So are data breaches and cyberattacks. The garnering of our data to feed algorithms and ‘machine learning’, borne
out of the Silicon Valley revolution, is leading to inevitable change in our lives, but we must strive for a democratic jurisdiction for our data. Organisations must give customers control of their data and the confidence in their data
management processes. Rather than penalty-based scaremongering, think of this as an opportunity to build your brand, to send a robust message to your customers and partners, demonstrating care and respect of their data.
To close, a soundbite from the Information Commissioner’s Office: ‘Data protection challenges arise not only from the volume of the data but from the ways in which it is generated, the propensity to find new uses for it, the complexity of the processing and the possibility of unexpected consequences for individuals.’
Leading Point Financial Markets brings compelling value in the intersection of Data, Compliance, Governance and Operating Model Change initiatives.