GDPR: Nice to be acquainted with!
New rules for the processing and protection of personal data took effect on May 25, 2018: EU Regulation 2016/679 of April 27, 2016, the GDPR (General Data Protection Regulation). The regulation is directly applicable law and enters the national legislation of every EU member state automatically. It is also extraterritorial: it affects not only companies located in the EU, but every company that collects or processes the data of EU residents and EU citizens. Russian companies whose services are focused on the European market should therefore study the new rules carefully. Even a Russian company that provides no service directly but only processes data (for example, analytical services for segmenting marketing campaigns aimed at EU residents) may be asked by its client to confirm GDPR compliance as a condition of continued cooperation.
Clearly, whether this law can be directly enforced against Russian companies, which are governed by Russian legislation on the protection of personal data, is very controversial. A European client of a Russian bank may demand the exercise of his rights under the GDPR, but if the bank does not violate national legislation, the probability of it being sanctioned for a GDPR violation is quite low.
GDPR introduces many requirements to ensure the rights of private individuals: the right of access, the right to information, the right to rectification, the right to be forgotten, the right to data portability, the right to object and the right to object to automated processing.
Put simply, without legal terminology: banks need complete control over the data of the individuals they process. One of the postulates of the GDPR is that personal data may be processed only for defined purposes and for a defined period, and companies must dispose of the personal data as soon as that period expires. It is important to understand that the GDPR covers the data of all individuals the company processes: not only the bank's customers, but also its employees, founders, contractors and subcontractors.
Let's describe what the bank should do to comply with the new rules of data processing.
First, it is necessary to identify the categories of individuals whose data the bank processes and to describe the purposes for which personal data are collected and processed. Doing this from the very beginning allows the internal processes to be changed correctly and gradually and the impact on the information systems to be determined. The main categories are, of course, current and potential customers of the bank, who enter the databases from different sources: internal (for example, leads from the web site or mobile application) and external (third-party databases). It is also important to understand that processing the data of current customers does not require their consent, as it is based on service or product contracts, whereas potential customers almost always must give explicit consent to the processing of their data (consent must have certain parameters: opt-in instead of opt-out, a mandatory end date, etc.). Do not forget the smaller categories of individuals that must also be protected: employees and representatives of contractors. The data of these categories are usually processed in completely different IT systems, and the retention requirements for their data differ greatly from those for the data of the bank's customers and prospects.
For each segment of people, the purpose of data collection and the legal basis for its processing must be determined. A simple rule of thumb helps here: if there is a contract or signed consent with the individual that is consistent with the described purposes, no additional basis for the data processing is required. If there is no agreement, one should consider whether such data can be used without infringing the rights of individuals. GDPR defines the legitimate interest of the company in the use of data as a sufficient basis, but using the telephone number of a person who has nothing to do with the bank to conduct a marketing campaign would hardly fall within this definition. From our practice, we see that the banks' lawyers try to avoid relying on this basis and strongly recommend that management get consent forms signed.
Secondly, it is necessary to determine what the personal data of individuals actually includes. Common sense must be preserved here, so that the new rules can actually be introduced into the information systems. The fact is, GDPR speaks about personal data in a rather blurry way, and the text uses the term "personally identifiable data", that is, data that is not personal by itself but can, in certain circumstances, identify an individual. For example, in the banking sector, a serious discussion was caused by the definition of personal data derived from the money transfer codes (reference numbers) that customers use to make payments: these codes often contain, completely or partially, the unique identification numbers of EU citizens. Consider also combinations of non-personal data that can determine a person very accurately: for example, a city of residence with a small population combined with a rare car brand owned by that individual. Thus, the information that a client from the Czech city of Louny, with a population of 20 thousand people, owns a Ferrari refers to a specific identifiable person, because there is only one such person in this small city. From our practice we derived the following conclusions:
Direct Personal Data
All data indicating the client or a way of communicating with him/her (names, contact details, addresses of all kinds), internal identifiers (document numbers, identification numbers, tax and state identifiers), system identifiers (internal IDs in information systems), cookies and GPS tags.
Indirect Personal Data
All other data that can be associated with direct data. For example, an employee's payroll statement often contains the employee's internal codes, and anyone holding the statement and having access to the accounting system can easily find out whom it belongs to.
After determining what counts as personal data, a very difficult and unpleasant procedure follows: mapping the data in the information systems to understand where, and in which structures, personal data is held. The mapping should be comprehensive and include all the information systems and databases that the bank uses in its operations. Many companies avoid data mapping and check only their data models; however, this approach suits only those whose data is fully described and who have no grey areas where personal data may be found. Up to now, the grey areas have often been created by banking analysts who copy raw data into their own parts of the databases for analyses and models that only a limited number of people know about. In the event of an audit, such hidden parts of the systems may entail sanctions from the auditor (the supervisory authority for the protection of personal data).
GDPR grants the supervisory authorities broad powers, including:
• Information request;
• Demanding an audit;
• Issuing warnings about a possible violation;
• Issuing orders to eliminate violations;
• Restriction of data processing;
• Suspension of data transfer;
• Imposition of fines (up to 20 million euros or 4% of global turnover, whichever is higher).
The result of the first two steps is a clear personal data map. For each item in it, the retention period of the data and the way of its disposal must be defined; these are recorded in the business rules for personal data. This is the necessary third step of GDPR implementation.
Determining the retention period for the data requires the joint efforts of lawyers, who know the legal requirements for minimum storage periods, and business representatives, who can describe the relationships between the business processes. It is vital to determine in which processes the personal data are used and what the minimum necessary storage time is, so as not to lose data that some other process still needs. The lawyers then match the periods the business requires with the periods prescribed by the regulatory acts and establish the so-called retention period. Practice shows that most banks tend to keep everything for a long time and react very aggressively to the requirement to delete or anonymize some data.
At this point it is also necessary to decide how to handle the data after the retention period expires: deletion or anonymization. When data is deleted, it is easy to prove to the regulator that the data is no longer processed. After anonymization, on the other hand, it is still necessary to prove that the personal data has been changed so irreversibly that it can no longer be matched to a person.
Reporting could represent another problem. Methods of report preparation can be very sensitive to data deletion. For example, imagine a report of the number of customers by year after the bank has decided to permanently delete data of inactive customers at the expiration of five years following the end of the contract. Clearly, the team responsible for BI and bank reporting should also be involved in a decision about anonymization or removal.
The decision whether to delete or anonymize the data varies widely from company to company; although it can be said that most administrators prefer the data deletion method, this is most likely due to the fact that technically implementing data deletion is most cost-effective.
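The following is an added example, not code from the original article or from any bank's system. It implements the retention rule from the reporting example above (expiry five years after the end of the contract) on a constructed SQLite table, shows both disposal options side by side, and checks the anonymized rows against the Louny/Ferrari problem described earlier: any (city, car brand) pair left on fewer than `K_ANON` anonymized rows is blanked. The table layout, the sample rows, `RETENTION_YEARS` and `K_ANON` are all assumptions made for the example.

```python
import sqlite3
RETENTION_YEARS = 5  # the page's example: data expires five years after the contract ends
K_ANON = 2           # an anonymized (city, car_brand) pair must be shared by at least K_ANON rows
# Constructed sample rows, not real customers; Louny/Ferrari mirrors the page's one-person example.
SAMPLE_CUSTOMERS = [
    (1, "Anna Novak",    "anna@example.com",  "Louny",  "Ferrari", "2010-03-01"),
    (2, "Petr Dvorak",   "petr@example.com",  "Prague", "Skoda",   "2010-06-15"),
    (3, "Jana Cerna",    "jana@example.com",  "Prague", "Skoda",   "2012-01-20"),
    (4, "Karel Svoboda", "karel@example.com", "Brno",   "Skoda",   "2023-09-09"),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, city TEXT, "
                 "car_brand TEXT, contract_end TEXT, anonymized INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO customers (id, name, email, city, car_brand, contract_end) "
                     "VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn

def expired_ids(conn, today_iso):
    # Identified rows past contract_end + RETENTION_YEARS; ISO date strings compare correctly as text.
    cutoff = f"{int(today_iso[:4]) - RETENTION_YEARS:04d}{today_iso[4:]}"
    return [r[0] for r in conn.execute(
        "SELECT id FROM customers WHERE anonymized = 0 AND contract_end < ?", (cutoff,))]

def delete_expired(conn, ids):
    # Deletion: easy to prove to a regulator, but the rows vanish from every report.
    conn.executemany("DELETE FROM customers WHERE id = ?", [(i,) for i in ids])
    conn.commit()

def anonymize_expired(conn, ids):
    """Anonymization: drop direct identifiers, keep only the contract year for reporting, then
    blank any quasi-identifier pair shared by fewer than K_ANON anonymized rows."""
    conn.executemany("UPDATE customers SET name = NULL, email = NULL, anonymized = 1, "
                     "contract_end = substr(contract_end, 1, 4) WHERE id = ?", [(i,) for i in ids])
    rare = conn.execute("SELECT city, car_brand FROM customers WHERE anonymized = 1 "
                        "GROUP BY city, car_brand HAVING COUNT(*) < ?", (K_ANON,)).fetchall()
    for city, brand in rare:
        conn.execute("UPDATE customers SET city = NULL, car_brand = NULL "
                     "WHERE anonymized = 1 AND city IS ? AND car_brand IS ?", (city, brand))
    conn.commit()

def customers_by_year(conn):
    # The report from the page: number of customers per contract-end year.
    return dict(conn.execute("SELECT substr(contract_end, 1, 4) AS y, COUNT(*) FROM customers GROUP BY y"))

def unique_quasi_pairs(conn):
    """Anonymized rows whose (city, car_brand) pair is shared by fewer than K_ANON rows; must be 0."""
    return conn.execute("SELECT COUNT(*) FROM (SELECT 1 FROM customers WHERE anonymized = 1 AND city "
                        "IS NOT NULL GROUP BY city, car_brand HAVING COUNT(*) < ?)", (K_ANON,)).fetchone()[0]
```

Running `customers_by_year()` before and after each option shows the difference the text describes: anonymization keeps the per-year counts intact, while deletion removes the 2010 and 2012 customers from the report entirely.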
Another aspect to consider while establishing business rules is that such rules should be set not only for structured data, but also for unstructured data, such as electronic documents, scanned documents, logs and, of course, ordinary paper documents, which, paradoxically, are often very well-organized and compliant with the legal standards for storage, therefore they do not require as much attention as digital ones. In a sense, the digital world is behind the paper world in terms of order and compliance.
Once all three steps are completed, the company can begin to implement the business rules in all its information systems and thus gradually reduce the volume of personal data it holds. Most banks in Europe are currently in this implementation phase, which can take from 6 to 18 months depending on the complexity of the solution.
One implementation approach is to centralize the data and apply the principles of MDM (master data management): a single database of all client and non-client records is created, describing which data about each individual the bank holds and in which systems. Banks with multiple decentralized systems often take this route; it not only solves the GDPR problem but also improves their systems for CRM and reporting.
Many market participants see the changes required for GDPR compliance as an imposition. They therefore try to minimize the associated costs, checking their processes and systems only formally and producing a few formal documents on personal data management policies. Real changes, which involve reconfiguring the information systems, take a long time. However, the GDPR can be seen not just as another administrative burden hampering business development, but also as an opportunity to improve and strengthen control over the data, clean and correct them, change the reporting approach and the storage structures used for analysis, and implement a system of Golden Records. Then the GDPR brings benefit not only as formal compliance with the new legal requirements, but also as improved operational efficiency for the bank.
If you are interested in this topic, please do not hesitate to contact our in-house GDPR experts.