On May 25th 2018, the EU General Data Protection Regulation (GDPR) will come into force and any business processing data about EU Citizens will be required to comply. This is arguably the most fundamental change to European data privacy laws in over twenty
years. Failure to comply will result in substantial fines - as much as 4% of a firm’s annual global turnover or €20m - whichever is greater, for serious offences. For example, it has been estimated that the £400,000 fine TalkTalk received for security failings
in 2016 could have been up to £69 million under GDPR. Fines in more recent cases, such as Facebook and Cambridge Analytica, could be in the billions.
It is therefore essential that businesses in the finance sector, and all businesses handling EU Citizens’ data, are highly proactive about implementing a GDPR solution ahead of the May deadline, rather than potentially waiting for other organisations to
be fined before they become serious about their own compliance.
The Information Commissioner’s Office (ICO) has created a paper called ‘Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’, which lays out a very useful framework for helping to ensure your firm is GDPR compliant. However, for many firms, even attempting to comply with this regulation and get a
handle on all of their customer data is a daunting prospect. For this reason, many firms are looking to consultancies and third-party providers to help with compliance.
Here are six questions to ask before implementing a GDPR solution:
1. What are the high risk areas in your business?
This is the very first question to ask when thinking about GDPR compliance, and is generally called the Risk-Based Approach to the data. It’s important to identify all of the high risk areas within your business, i.e. the key systems where personal data
is stored. Prime examples of high risk areas include marketing, customer support and HR systems, as these systems typically contain large amounts of personal data.
As part of this process we also recommend identifying the structured data sources, such as databases and spreadsheets, and unstructured data sources, such as text files and emails. Mapping out all of the types and sources of data across all of the high risk
areas often presents a more complex situation than initially anticipated.
2. How and where is your data currently stored?
Central to GDPR lies the need for firms to manage customer data in a manner that’s easily accessible, standardised and complete, enabling businesses to quickly and accurately collate all data associated with a given person, so they can effectively respond
to Subject Access Requests (SARs). For most organisations, this presents a huge data challenge because data is currently stored across multiple siloed databases, in different formats, and duplication is rife. Accessing information is often a manually intensive
process riddled with risk; even knowing who accessed the data, and why, can prove challenging. This problem is only compounded by the continuous volume, inconsistency and variety of new data generated.
Furthermore, as the number of touchpoints continues to increase, the complexity of gathering this information multiplies. For example, a single banking customer could feasibly have a personal bank account and a business account, and then open a savings
account for their child. They could have a mortgage jointly with their spouse, be using mobile banking apps and also have credit cards - all with the same financial institution. Many businesses are now finding that using relational databases to manage this
fundamental, yet highly complex, requirement proves difficult, insufficient and ultimately far too slow.
These data storage challenges are often best addressed by speaking to the IT department and business analysts to figure out the systems that belong to each part of the organisation, and, crucially, what data pertains to GDPR. The final step is looking at
the best way to extract that data.
3. Are there additional business benefits over and above compliance?
We’re starting to see a shift towards conversations around the ‘added value’ of GDPR compliance, both by industry commentators and firms looking for GDPR solutions - many people are seeing the opportunities in GDPR, rather than just regarding it as a compliance
If ‘data is power’, as we’re so often told, then having a much better handle on your customer data can only be a good thing. A single view of your customer data provides your firm with an opportunity to deliver a more positive customer experience.
If your organisation is currently unable to identify all of the different customer interactions, you are potentially ignoring what could prove to be a very rich, valuable and meaningful source of detailed business / customer insight. Once revealed, this
insight could be used to improve customer experience levels and identify cross-selling opportunities. When implementing a GDPR solution, it’s important to think about how you can use the new processes to improve your relationships with customers and make your
business more valuable as a result.
4. Should I choose a proprietary or open source solution?
Although much of the technology used in financial institutions has traditionally been proprietary, there is a growing trend towards open source solutions. Both options come with advantages and disadvantages:
If you need a highly bespoke solution and all of your technology comes from the same provider, a proprietary solution may be the best option, as all of the systems can work together seamlessly. However, proprietary solutions can have a number of potential
downsides, including lengthy and costly contracts, the associated vulnerabilities of having all of your technology with a single provider (concentration of risk), as well as less transparent testing when compared to open source solutions.
Open source solutions have multiple contributors and rigorous testing - by virtue of a program being open source, anyone can see how the program is built (and attempt to ‘break’ it). This can be seen as both the biggest strength and the biggest weakness
of open source. On the one hand, this means that the program must be built in a highly secure and robust way, as vulnerabilities are quickly identified. Additionally, there is no vendor lock-in, and firms that possess the in-house expertise can download and
install open-source software independently. On the other hand, a malicious actor can easily see exactly how the program is coded, vulnerabilities may be identified but not addressed for some time, and companies can face compatibility issues when trying to
incorporate an open source solution into their existing technology.
5. Security - Should data be stored in the cloud?
Many firms now want to take advantage of cloud-based data storage. However, secure storage in the cloud is complex, particularly for large databases containing data with multiple touch points. Big data and data management on this scale barely existed a decade
ago. Technology designed to help firms manage these volumes of data is new and demand for skilled data scientists is growing exponentially.
If you choose to store data in the cloud, try to remain relatively cloud neutral - by using more than one vendor to store your data, you will be less vulnerable to price hikes and security breaches. An additional tip: Ensure your private keys are not stored
with the rest of your data.
‘Rogue’ employees (insider risk) are one of the biggest risks to an organisation, so tightly control who has access to your data by curbing and monitoring the power of system administrators, and also by spreading responsibility across more than one person and
department, where possible and practical. This will help you to diversify risk and reduce the chances of potentially malicious collusion.
6. How scalable is the solution?
As data storage grows and becomes increasingly complex, a highly scalable solution becomes ever more important. GDPR is not a one-hit wonder; it is here to stay. The amount of data that organisations store is continuing to grow at an exponential rate, and
you’ll need the ability to track and, in theory, delete all of a customer’s personal data pertaining to GDPR, at any time. Additionally, the relationships between the stored data are ever-increasing, as customers often have dozens of different touchpoints
and interactions with a business.
For the purposes of GDPR and data management, as a general rule, relational databases are no longer fit for purpose - they are far less scalable, particularly as the number of relationships between each data point in the database increases. Graph databases
are usually much more scalable by design, and often have the ability to handle billions of interrelated data points.
In conclusion, it’s vital to find a GDPR solution that:
- Is an overlay to existing technology, so that it can be implemented quickly and at relatively low cost.
- Can handle data in multiple different formats, across multiple different locations.
- Enables Data Protection Officers to quickly and easily measure and manage compliance and customer data.
- Is highly automated, reducing manual processing time and effort.
- Is secure and highly scalable.
- Can connect to your cybersecurity systems to quickly alert you to data breaches.
- Enables you to track and audit all information pertaining to each individual customer.