Author: Marijan Bračić, Data Privacy Director @ Poslovna inteligencija
During the process of compliance with GDPR, Bank goes through several projects which are usually divided into organizational and technical projects.
The operationalization of the GDPR in the Banking industry usually starts with GAP analysis, and the results of the analysis determine the scope and the goal of these projects. Which projects will be implemented after the GAP analysis and to what extent, is determined according to the estimated risks.
Organizational and technical compliance measures
The first project can generally be described as introducing organizational measures for the purposes of compliance with the GDPR, which include:
• Privacy policies conformance
• Estimation of the risk of data processing,
• Conformance of partners and/or client contracts,
• Conformance of employee contracts,
• Extraction of consents from contracts,
• Introduction of continuous education programs,
• Reorganization of employee roles and their responsibilities in handling data, etc
The second group of projects represents the introduction of technical measures and includes:
• Data categorization,
• Data mapping,
• Data protection,
• Data minimization,
• Pseudonymization and anonymization of data in IT systems,
• Introduction of the centralized consent management system,
• Automation of data retention and data destruction policies,
• Automation of data subjects’ rights fulfillment
• Introduction of a self-service portal for consent and preference management
It is important to note that, both technical and organizational measures, are an indispensable part of the compliance project and are interdependent. It is critical to define the order of project execution, taking into account the risk analysis and the fulfillment of the necessary performance prerequisites.
The Bank is a complex organization processing large volumes of personal data for a number of different purposes, therefore it needs to orchestrate a large number of organizational units and employees, ensuring that all changes coordinately contribute to the common goal of GDPR compliance.
GDPR challenges in the banking industry
The most common challenges that occur during project execution are the lack of cooperation between DPO, Legal Service, IT, and Marketing. This is understandable given the complexity of Regulation and the variety of functions of different organizational units.
Data Protection Officer is usually a privacy professional with either an IT or legal background, but rarely both. Regardless of profession, it is almost impossible for one person to have continuous insight into the legal, regulatory, and data segment of all the business processes in the Bank.
With the GDPR, along came privacy software (just like Data Privacy Manager) linking the Regulation and data, providing DPO with an easy way to manage compliance at the Bank level and link them to Bank’s IT systems and data.
Privacy software also helps you free the IT of a deep understanding of the GDPR. It orchestrates clear rules for the proper execution of technical measures and automation of compliance rules over data processed by the Bank.
This division of responsibilities is the key to the fast and proper implementation of any compliance project.
Each organizational unit must have clearly defined responsibilities that are realistic and consistent with the competencies of the department. Experience shows that the GDPR compliance project is carried out the most efficiently by banks who implement a decentralized data privacy management model.
The decentralized model means that the DPO remains in the supervisory and advisory role, while IT, Marketing, HR, and other involved units assume their part of the responsibility for compliance. A concise example is managing the Records of processing activities using the Data Privacy Manager.
Maintaining and creating the Records of processing activities
When creating Records of processing activities, the most common mistake is relying on MS Excel. There is nothing wrong with using Excel, and the GDPR only defines the information that needs to be kept in the Records, and not how to manage it.
The GDPR also signifies the implementation of defined policies following the principles of data protection. Meaning, all information from the Records needs to be in line with business processes and IT systems, and all policies should be applied to the data in IT systems.
Using privacy software enables centralized Records of processing activities through the user interface with the efficient collaboration of all relevant organizational units.
Usually, the Bank has about one hundred or more records of processing activities and about 30+ employees who have the responsibility to maintain them regularly.
In order to have successful collaboration, Data Privacy Manager supports decentralized data privacy management model.
This means that the Data Protection Officer has insight into all processing activities and any changes to them. Other roles depending on the defined rights, can create and edit and (de)activate processing activities.
Also, each processing activity has its organizational owner, an employee of the Bank responsible for updating information related to the processing itself.
Moreover, some Banks have defined updating policies for the Records by which the owner is obligated to update the processing activities twice a year.
To truly follow this model, Data Privacy Manager allows the Data Protection Officer to create tasks and supervise their execution.
The most significant difference between Excel and Privacy software is the ability to link the Records of processing activities with other processes and IT systems.
For example, the Records of processing activities contain information about retention policies that calculate the time for archiving personal data.
During the GDPR compliance process, one of the tasks of the Legal Service and the DPO is to take into account other legal obligations, such as the archiving law, and to define data retention policies for different data categories.
However, when you enter the data into Excel, the table does not allow the application of those policies on the correct data set.
Through data integration, Data Privacy Manager takes into account different business processes of the Bank and IT systems where data are processed and creates and propagates the archiving schedule and data removal with technical information about data location.
This way, it is possible to automate the entire personal data lifecycle, which is the only way for the Bank to engage in the compliance process successfully, given the amount of data and the number of IT systems in which data is processed.
Managing Records of processing activities is just one example of how the Data Privacy Manager can help the Bank with compliance. Records of processing activities are usually the first module implemented by the Bank as it is the baseline for automation of all other Privacy related GDPR processes.
GDPR in Banking industry: Consent and Preference Management
One of the processes that Banks usually implement at the beginning of the compliance project is the introduction of Consent Management accompanied by a self-service portal as a customer-oriented application for privacy preference management.
The processing based on consent must be in accordance with the preferences of an individual that can change over time. Banks often use consent as the lawful basis for marketing communication.
The data management strategies typically differ between the industries and one of the ways to classify them is as an offensive or defensive data strategy.
While offensive strategy means intense personal data processing (including segmentation and profiling of data subjects and aggressive marketing), a defensive strategy is based on the minimization of risk and data exposure.
Offensive and Defensive data strategy
Offensive strategies are typical for industries that are less regulated with larger competition, such as retail. While defensive strategies are more suitable for highly regulated industries that handle special categories of data, such as healthcare.
Banking industry falls somewhere in the middle because they operate in a highly competitive environment, but are also subject to strict regulatory frameworks.
The Bank cannot operate without marketing, while at the same time, must comply with the GDPR. The standard today is a centralized consent and preference management platform that provides automated control over marketing activities and transparent communication with customers.
Its primary purpose is to serve as a single point of truth for all consents and provide administration interface for all consent-based processing, demonstration of the collected consents, and mechanisms for consent withdrawal.
When implementing the consent and preference management system, the Bank usually integrates front-end channels such as web pages, e-banking, and m-banking applications and the core systems.
Front-end channels are used for collecting Data Subject’s data and consent preferences and can be divided into digital channels and paper forms collected in the Bank.
The Data Privacy Manager has a wealth of integration functionality that enables seamless integration with all front-end channels, DMS systems, and includes an interface for the entry of consents collected in a paper form.
Additionally, the Data Privacy Manager integrates with marketing automation platforms. The introduction of consent and preference management platform allows continuous communication with individuals respecting their preferences and assures a proper division of responsibility between the Marketing and the DPO.
Self-service portal for consent and preference management
According to Gartner’s report by 2020, a third of the B2C organization will introduce a self-service and customer-oriented portal to increase transparency and meet regulatory requirements.
A large number of Banks decided to introduce a self-service portal as one of the front-end consent management channels together with the consent and preference management platform.
Usually, it is integrated in order to utilize the security settings of existing applications without the need for additional authentication systems for individuals.
The Privacy Portal – is the Data Privacy Manager module that provides such functionality through a standalone Web application that enables deployment on the Web servers of the Bank or in the Cloud.
The Bank also ensures easy access to the Privacy Portal in its marketing communications throughout all digital channels to increase transparency towards their clients and other individuals whose data is processed.
GDPR in Banking industry: Privacy 360 °
The processing of personal data by the Bank relies on other lawful bases, like contracts or legal obligations.
Gaining insight into all processing activities is necessary to clarify and document the purposes and lawful bases for processing that rely on the centralized Records of processing activities. After the implementation of the Records of processing activities, the Bank can continue with modeling the Data flows.
Data flow is an entity tightly connected with a business process, but with the focus on the processing of personal data.
Firstly, Data Privacy Manager integrates with data flows of credit and debit lines of products and then with secondary data processing for non-clients.
There are several methods of data flow integration, most commonly through simple data integration in DWH, bypassing the core system of the Bank to reduce the burden on the production systems and to simplify integration.
Data Flow integration results in a 360° view of every data subject whose data is processed by the Bank. This provides the basis for compliance monitoring, quick response to potential complaints, automation of data subjects rights fulfillment, data retention, and data deletion processes.
This way the Bank can properly manage the personal data lifecycle of all individuals and operationalize all GDPR privacy principles. Also, automation enables a proper division of responsibilities between organizational units, saves time for Data Protection Officers and IT Services and ensures minimal risk of a human error when handling personal data.