Author: Marijan Bračić, Data Privacy Director @ Poslovna inteligencija

The successful implementation of any GDPR project should raise the level of personal data protection. Enhanced personal data protection means both stronger data security and a higher level of data privacy.

In practice the Bank goes through several projects on its way to GDPR compliance; the scope and goal of each project are defined from the results of a gap analysis.

The gap analysis is usually carried out at the beginning of the compliance process. Which projects are implemented after it, and to what extent, is determined by the estimated risks.

It is important to note that these projects are usually divided into organizational and technical projects.

Organizational and technical compliance measures

The first group is a complex project that can broadly be described as introducing the organizational measures needed for GDPR compliance, which include:

  • bringing privacy policies into conformance,
  • estimating the risk of processing for each individual processing activity,
  • bringing partner and client contracts into conformance,
  • bringing employee contracts into conformance,
  • separating consents from contracts,
  • introducing continuous education programs,
  • reorganizing employee roles and their responsibilities for handling data, etc.

The second group of projects introduces the technical measures and includes:

  • data categorization,
  • data mapping,
  • data protection,
  • data minimisation,
  • pseudonymization and anonymization of data in IT systems,
  • introduction of a centralized consent management system,
  • automation of data retention and data destruction policies,
  • automation of data subjects' rights fulfillment,
  • introduction of a self-service portal for consent and preference management.

It is important to note that both groups of measures are an indispensable part of the compliance project and that they are interdependent. It is therefore critical to define the order in which the projects are executed, taking into account the risk analysis and the prerequisites each project needs to have in place.

For example, before anonymization and pseudonymization can be introduced, the data must be mapped and classified, and the purpose of these technical measures must be clearly defined.

This requires at least partial implementation of the organizational measures: records of processing activities, data retention and data destruction policies, and the necessary processing risk assessments.

The Bank is a complex organization processing large volumes of personal data for a number of different purposes. For that reason, the Bank needs to orchestrate a large number of organizational units and employees, ensuring that all changes contribute in a coordinated way to the common goal of GDPR compliance.

GDPR compliance challenges

The most common challenge during project execution is the lack of cooperation between the Data Protection Officer, Legal, IT and Marketing. This is understandable given the complexity of the Regulation and the different functions and knowledge of the organizational units involved.

Data Protection Officers are privacy professionals and usually have either an IT or a legal background, but rarely both. Regardless of their profession, it is almost impossible for one person to have continuous insight into both the legal and regulatory side and the data side of all of the Bank's business processes.

For this reason, with the introduction of the GDPR, the Data Privacy Manager software platform was created. It links the Regulation to the data, giving Data Protection Officers a straightforward way to manage compliance at the Bank level and to connect compliance records to the Bank's IT systems and data.

On the other hand, Data Privacy Manager frees IT from needing a deep understanding of the GDPR: it provides clear rules for the proper execution of technical measures and automates the compliance rules over the data processed by the Bank.

This division of responsibilities is key to the fast and proper implementation of any compliance project. Each organizational unit must have clearly defined responsibilities that are realistic and consistent with the competencies of the department.

Experience shows that the GDPR compliance project is carried out most efficiently by banks that implement a decentralized data privacy management model, in which the Data Protection Officer keeps a supervisory and advisory role while IT, marketing, human resources and the other involved organizational units take on their part of the responsibility for compliance. A concise example is managing the Records of processing activities with Data Privacy Manager.

Records of processing activities in Data Privacy Manager

When creating records of processing activities, the most common mistake is relying on MS Excel. There is nothing wrong with Excel as such: the GDPR (Article 30) only defines the information the Records must contain, not the manner in which they are kept.

But the GDPR also requires that the defined policies are actually implemented in line with the data protection principles. This means that all information in the Records must be aligned with the business processes and IT systems, and that the policies must be applied to the data held in those IT systems.

Data Privacy Manager enables centralized Records of processing activities through a user interface that allows efficient collaboration between all relevant organizational units.

A bank usually has about one hundred or more records of processing activities and thirty or more employees responsible for regularly maintaining them.

To make this collaboration work, Data Privacy Manager supports a decentralized data privacy management model: the Data Protection Officer has insight into all processing activities and every change to them, while other roles, depending on their assigned rights, can create, edit and (de)activate processing activities.

Each processing activity also has an organizational owner, an employee of the Bank responsible for keeping the information about that processing up to date. Some banks have defined update policies for the Records under which the owner is obliged to review the processing activity twice a year.

To enforce this model, Data Privacy Manager allows the Data Protection Officer to create tasks and supervise their execution.

The biggest difference between Excel and Data Privacy Manager is the ability to link the Records of processing activities with other processes and IT systems. For example, the Records contain the retention policy of each processing activity, from which the time for archiving the personal data is calculated.

During the GDPR compliance process, one of the tasks of Legal and the DPO is to take other legal obligations into account, such as archiving law, and to define data retention policies for the different data categories. A retention period entered into an Excel table, however, cannot be applied to the actual data set it governs.

Through data integration, on the other hand, Data Privacy Manager takes into account the different business processes of the Bank and the IT systems in which the data is processed, and creates and propagates the archiving and deletion schedule together with the technical information about where the data is located.

This makes it possible to automate the entire personal data lifecycle, which, given the volume of data and the number of IT systems in which it is processed, is the only realistic way for the Bank to keep up with the compliance process.
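The retention logic described above, as an added example that is not part of the original article or of the Data Privacy Manager product: a small scheduler that turns the retention rules held in the Records into per-location archive and delete dates for one data subject. Every record name, retention period, system and table name and client date in it is a constructed assumption, not legal advice. The point it shows is that a storage location is shared by every processing activity that keeps data there, so the longest applicable period decides when that location can be cleared, and a legal hold suppresses execution without losing the schedule.

```python
"""Added example (not part of the article or of the Data Privacy Manager
product): deriving an archive/delete schedule from Records of processing
activities. All records, periods, systems and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Retention:
    anchor: str       # lifecycle event the period counts from, e.g. "contract_end"
    years: int        # retention period in years after the anchor
    on_expiry: str    # "archive" or "delete"
    basis: str        # where the period comes from (GDPR purpose or another law)


@dataclass(frozen=True)
class ProcessingRecord:
    name: str
    lawful_basis: str
    retention: Retention
    locations: Dict[str, str]  # data category -> "system.table" that holds it


@dataclass(frozen=True)
class ScheduledAction:
    subject_id: str
    location: str
    action: str       # "archive", "delete" or "hold"
    due: date
    driven_by: str    # record whose retention rule fixed this date


def expiry_date(rule: Retention, anchor_dates: Dict[str, date]) -> Optional[date]:
    """Retention end for one rule, or None if its anchor event has not happened yet."""
    anchor = anchor_dates.get(rule.anchor)
    if anchor is None:
        return None
    try:
        return anchor.replace(year=anchor.year + rule.years)
    except ValueError:  # anchor on 29 February
        return anchor.replace(year=anchor.year + rule.years, day=28)


def build_schedule(records: List[ProcessingRecord], subject_id: str,
                   anchor_dates: Dict[str, date], on_hold: bool = False) -> List[ScheduledAction]:
    """One action per storage location. Every record storing a category in a
    location shares it, so the longest retention among them wins: data cannot
    be removed while any other purpose still has to keep it."""
    per_location: Dict[str, ScheduledAction] = {}
    for rec in records:
        due = expiry_date(rec.retention, anchor_dates)
        if due is None:
            continue
        for loc in rec.locations.values():
            current = per_location.get(loc)
            if current is None or due > current.due:
                action = "hold" if on_hold else rec.retention.on_expiry
                per_location[loc] = ScheduledAction(subject_id, loc, action, due, rec.name)
    return sorted(per_location.values(), key=lambda a: (a.due, a.location))


def due_actions(schedule: List[ScheduledAction], today: date) -> List[ScheduledAction]:
    """What the nightly batch job hands to the owning systems on `today`."""
    return [a for a in schedule if a.due <= today and a.action != "hold"]


# Constructed sample Records; the periods are assumptions, not legal advice.
RECORDS = [
    ProcessingRecord("Account management", "contract",
                     Retention("contract_end", 10, "delete", "archiving law (assumed 10 years)"),
                     {"identity": "core.customer", "transactions": "core.transaction"}),
    ProcessingRecord("Direct marketing", "consent",
                     Retention("marketing_end", 0, "delete", "purpose ends with consent/contract"),
                     {"identity": "crm.customer", "contact": "crm.contact_channels"}),
    ProcessingRecord("AML/KYC checks", "legal obligation",
                     Retention("contract_end", 5, "archive", "AML law (assumed 5 years)"),
                     {"identity": "core.customer", "kyc_documents": "dms.kyc"}),
]
# Constructed lifecycle events for one former client.
ANCHORS = {"contract_end": date(2024, 3, 31), "marketing_end": date(2023, 6, 15)}
TODAY = date(2030, 1, 1)  # assumed batch run date
SCHEDULE = build_schedule(RECORDS, "C-1001", ANCHORS)

if __name__ == "__main__":
    for a in SCHEDULE:
        print(f"{a.due} {a.action:7} {a.location:22} (from: {a.driven_by})")
    print("due today:", [a.location for a in due_actions(SCHEDULE, TODAY)])
```

With the sample data, the client's identity row in the CRM can go as soon as marketing ends, but the same identity data in the core system stays until the ten-year account obligation expires, because the account-management record also points at that location. This is exactly the cross-check a spreadsheet cannot perform.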

Managing Records of processing activities is just one example of how the Data Privacy Manager can help the Bank with the compliance process and is usually the first module implemented by the Bank as it is the baseline for automation of all other Privacy related GDPR processes.

Consent and Preference Management

One of the processes that banks usually implement at the beginning of the compliance project is consent management, accompanied by a self-service portal as a customer-facing application for privacy preference management.

Processing based on consent, unlike processing on any other lawful basis, must follow the wishes of the data subject, and those wishes can change over time. Banks often use consent as the lawful basis for marketing communication.

Data management strategies typically differ between industries, and one way to classify them is as offensive or defensive data strategies.

An offensive strategy means intensive processing of personal data for monetization, including segmentation and profiling of data subjects and aggressive marketing, while a defensive strategy is based on minimizing risk and data exposure.

Offensive strategies are typically found in less regulated industries with strong competition, such as retail, while defensive strategies suit highly regulated industries that handle special categories of data, such as healthcare.

The banking industry falls somewhere in the middle: banks operate in a highly competitive environment but are also subject to strictly defined regulatory frameworks.

The Bank cannot operate without marketing, yet it must comply with the GDPR. The standard today is a centralized consent and preference management platform that provides automated control over marketing activities and transparent communication with customers.

Its main purpose is to serve as the single source of truth for all consents, providing an administration interface for all consent-based processing, a way to demonstrate the consents that were collected, and mechanisms for withdrawing consent.

When implementing the consent and preference management system, the Bank usually integrates the front-end channels, such as web pages and the e-banking and m-banking applications, as well as the core systems. The front-end channels collect the data subject's data and consent preferences and can be divided into digital channels and paper forms collected at the Bank.

Data Privacy Manager has a wide range of integration functionality that enables the Bank to integrate with all front-end channels and DMS systems, and it includes an interface for entering consents collected on paper forms.

Additionally, Data Privacy Manager integrates with marketing automation platforms. The introduction of the consent and preference management platform allows continuous communication with individuals that respects their preferences, and it ensures a proper division of responsibility between the Marketing division and the Data Protection Officer.
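The "single source of truth" described in this section, as an added example that is not part of the original article or of the Data Privacy Manager product: an append-only consent ledger that marketing automation queries before every campaign. Subjects, purposes, channels, notice versions and timestamps are constructed. Two details matter in practice and are handled here: consent is evaluated by when the subject acted, not by when the event reached the ledger (a paper form signed in a branch is keyed in days later), and a withdrawal that carries the same timestamp as a grant wins, so the check fails closed.

```python
"""Added example (not from the article or the Data Privacy Manager product):
an append-only consent ledger as the single source of truth for consent-based
processing. Subjects, purposes, channels and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with UTC offset; ledger times are tz-aware."""
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str         # e.g. "marketing_email"
    granted: bool        # True = consent given, False = consent withdrawn
    at: datetime         # when the subject acted (the form date for paper)
    channel: str         # "web", "m-banking", "paper", ...
    notice_version: str  # version of the consent text that was shown
    evidence_ref: str    # session id, signed-form scan id, ...: proof for Art. 7(1)


class ConsentLedger:
    """Events are only ever appended. A withdrawal is a new event, never an
    update of the grant, so the full history stays demonstrable."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("ledger timestamps must carry a timezone")
        self._events.append(event)

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Chronological trail for one subject and purpose (what an auditor sees)."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)

    def status(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Is consent in force at `at`? Decided by the subject's latest act on or
        before that moment, not by insertion order. No event means no consent;
        a withdrawal with the same timestamp as a grant wins (fail closed)."""
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self.history(subject_id, purpose) if e.at <= at]
        if not relevant:
            return False
        latest = max(relevant, key=lambda e: (e.at, 0 if e.granted else 1))
        return latest.granted

    def audience(self, purpose: str, candidates: List[str],
                 at: Optional[datetime] = None) -> List[str]:
        """Filter a campaign list coming from the CRM down to consented subjects."""
        return [s for s in candidates if self.status(s, purpose, at)]


# Constructed sample events, in the order they reached the ledger.
SAMPLE_EVENTS = [
    ConsentEvent("C-1001", "marketing_email", True, ts("2023-01-10T09:00:00+00:00"),
                 "web", "notice-v3", "sess-8f21"),
    ConsentEvent("C-1001", "marketing_email", False, ts("2023-09-01T18:30:00+00:00"),
                 "m-banking", "notice-v3", "sess-c044"),
    ConsentEvent("C-1002", "marketing_email", False, ts("2023-05-12T11:05:00+00:00"),
                 "web", "notice-v3", "sess-1b9e"),
    # paper form signed on 5 May, keyed in by a branch employee after the 12 May withdrawal
    ConsentEvent("C-1002", "marketing_email", True, ts("2023-05-05T00:00:00+00:00"),
                 "paper", "notice-v3", "scan-00417"),
    ConsentEvent("C-1003", "marketing_email", True, ts("2023-07-03T00:00:00+00:00"),
                 "paper", "notice-v3", "scan-00522"),
]
LEDGER = ConsentLedger()
for _event in SAMPLE_EVENTS:
    LEDGER.record(_event)

if __name__ == "__main__":
    campaign = ["C-1001", "C-1002", "C-1003", "C-1004"]
    print("June 2023:", LEDGER.audience("marketing_email", campaign, ts("2023-06-01T00:00:00+00:00")))
    print("October 2023:", LEDGER.audience("marketing_email", campaign, ts("2023-10-01T00:00:00+00:00")))
```

Note that C-1002's late-keyed paper grant does not reinstate consent: by the time the branch entered it, the subject had already withdrawn on the web, and the ledger ranks acts by when they happened. A "last row wins" table would get this wrong.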

Self-service portal for consent and preference management

According to a Gartner report, by 2020 a third of B2C organizations will introduce a self-service, customer-facing portal in order to increase transparency and meet regulatory requirements.

Many banks have decided to introduce a self-service portal as one of the front-end consent management channels, together with the consent and preference management platform.

Usually it is integrated with the Bank's existing applications so that it reuses their authentication and security settings, without the need for a separate authentication system for individuals. A change of consent or preferences is an account action and should be protected like one.

The Privacy Portal is the Data Privacy Manager module that provides this functionality as a standalone web application that can be deployed on the Bank's web servers or in the cloud.

The Bank also ensures easy access to the Privacy Portal from its marketing communications across all digital channels, to increase transparency towards its clients and the other individuals whose data it processes.

Privacy 360°

Much of the Bank's processing of personal data relies on lawful bases other than consent, such as contract or legal obligation.

To gain insight into all processing activities, the purposes and lawful bases of each processing must be clarified and documented, relying on the centralized Records of processing activities. Once the Records are in place, the Bank can continue with modeling the data flows. A data flow is an entity tightly connected to a business process, but focused on the processing of personal data.

Data Privacy Manager first integrates with the data flows of the credit and debit product lines, and then with the secondary processing of data about non-clients.

There are several methods of data flow integration; most commonly it is done through simple data integration with the DWH, bypassing the Bank's core system in order to reduce the load on production systems and to simplify the integration. Because the DWH holds a copy, the archiving and deletion decisions derived from it still have to be propagated back to the source systems where the data actually lives.

The integration results in a 360° view of every data subject whose data the Bank processes, providing the basis for compliance monitoring, quick response to complaints, automated fulfillment of data subject rights, and the data retention and deletion processes.

This approach enables the Bank to properly manage the personal data lifecycle of all individuals and to operationalize all GDPR privacy principles. Automation also enables a proper division of responsibilities between organizational units, saves time for the Data Protection Officer and IT, and minimizes the risk of human error when handling personal data.