GDPR: The Next Big Regulation


The compliance deadline for GDPR is May 25, 2018, just under five months after Mifid II’s compliance date.

The rule is sweeping and will affect firms across the globe, not just in the European Union.

There are many legal and technology hurdles that must be addressed, such as data portability, the right to be forgotten, and data governance demands.

If they haven’t done so already, banks and asset managers will have to conduct a gap analysis to see where they are deficient. A sticking point for many has been in their vendor relationships.

All eyes are on January 3, 2018. That, of course, is the day that the second iteration of the Markets in Financial Instruments Directive (Mifid II) takes effect. It’s a behemoth of a regulation, a rule that has been causing consternation and colloquy for seven years now.

But from a regulatory perspective, 2018 will be remembered for more than just Mifid II, as it’s also when the General Data Protection Regulation (GDPR) takes effect. Mention GDPR to people outside of the European Union, and you will likely get a blank stare. But for those who have had to prepare for its May 25 implementation date, there’s just as much—if not more—cause for concern than there is with Mifid II.

“We dealt with Mifid and all the other regulations at JPMorgan Asset Management, but one of the hardest things is GDPR,” says Dessa Glasser, former chief data officer of JPMorgan Asset Management, who left the firm in October 2016 to become co-owner of Briter Consulting. “Out of all the regulations—and we looked at this pretty early on—this is the one that concerned me the most because it was not as well defined and it was extremely far-reaching.”

Daniel André Pauly is a partner at law firm Linklaters and focuses on technology law, specifically as it pertains to IT and data privacy. While he’s been working with companies of all stripes to prepare for the regulation—and not just capital markets firms—he fears that most are nowhere near ready for May 2018.

“They all underestimated the scope of the project. Almost all projects are now behind schedule or have not yet started because they need to find the budget, and they need to figure out who is responsible for the project within the organization. Do they need lawyers and consultants, or only lawyers or only consultants?” he says. “What we’re telling our ‘protection’ clients is that they need to hurry up. It’s a major project and those who have already started, they all underline that it is their biggest project in 2017 and 2018—it’s massive.”

GDPR is seen as a revolution and an extension of a data security movement that’s been unfolding now for several years. There are legal and technological hurdles that firms are having to address, including—but not limited to—the right to be forgotten, data portability, repapering legal contracts, and the idea of a one-stop shop for regulation. Waters spoke with several industry participants to discuss these issues and what firms can do to prepare for next year’s deadline.

The New Regime

In 1995, the Data Protection Directive was adopted by the EU to regulate the processing of personal data within the region. For its time, it was a privacy landmark.

Also in 1995, the global internet was in its infancy, email was still called electronic mail, and “social media” meant taking out a classified ad. Two decades ago, information was delivered and consumed in vastly different ways than it is today. With the litany of data breaches that we’ve seen in 2017 alone, it’s understandable that regulators in the US and Europe have taken a more hands-on approach to oversight.

In April 2016, the European Parliament approved and adopted GDPR to replace and significantly expand the 1995 directive, which lacked teeth. For the most serious infringements, organizations can now be fined up to €20 million ($23.5 million) or 4 percent of their annual global turnover, whichever is higher. Supervisory authorities must be notified of a personal data breach within 72 hours of the organization becoming aware of it, and affected individuals must be told “without undue delay” where the breach is likely to result in a high risk to them.

What has surprised many firms outside of the EU is just how far-reaching its tentacles are, as it applies to any company that offers “goods or services to, or monitors the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of subjects residing in the European Union, regardless of the company’s location,” according to the official website set up by the EU to serve as an FAQ source. Personal data consists of any information that can be used directly or indirectly to identify a person—which is fairly all-encompassing.

One senior executive at a global systemically important bank (G-SIB) based in the US tells Waters that it still hasn’t gotten its head around how GDPR ties to BCBS 239—the Basel Committee on Banking Supervision’s set of principles for risk data aggregation and reporting—and to the other cybersecurity rules that the bank already has to adhere to.

“The big question is around data risk and how the regulators view managing the governance and protection of what GDPR requires, what 239 requires, and what any G-SIB would normally address from a cyber perspective because they all in some way overlap—so isn’t it overkill?” asks the executive. “Do we really need multiple programs to cover these regulations? Can we take an umbrella approach for ‘data’ as the vertical and allow the regulation to be horizontal so that anytime a new reg pops up we can cover it under the ‘data umbrella’? What if our consumer strategy changes and we are subject to more GDPR scope? How should we address it?”

While GDPR is prescriptive, there are still a number of vagaries in the rule itself—for example, the European Commission, the European Parliament and the European Council have each offered different interpretations of the rule’s data portability section—and it is unclear whether GDPR takes precedence over other laws.

Gone, Not Forgotten

The section of GDPR that has caused the greatest pushback is its right to erasure—or right to be forgotten—article (Article 17), which states that the data subject “shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”

Pauly says that this is challenging because databases are not built for that purpose. “IT systems are simply not prepared for entirely deleting information when it comes to databases,” he says. Additionally, there isn’t clarity around specific data retention methods, such as the tapes banks keep in their archives to back up information. Do they need to monitor and delete those because of the right to be forgotten? “From the letter of the law, it’s all included,” Pauly says, although he explains that, while there are some uncertainties, as long as a firm has legal grounds to retain data, it won’t have to delete that information.

The chief data officer of a G-SIB bank based in the EU tells Waters that there are record retention rules already in place that require financial firms to record and archive client information and, additionally, banking prudential regulations stipulate that institutions hand over information for financial crimes such as money laundering. “Both of those supersede the right to be forgotten,” says the CDO.

While speaking at a Waters event this summer, Nicole de Santis, associate general counsel at Rabobank, said that she has questions as to whether or not this piece of the regulation will pertain to its US-based operations.  

“It’s been interesting for our businesses in the US because as a regulated entity of the OCC [Office of the Comptroller of the Currency] we see real doubt as to whether they could sanction us. The law is still developing with two recent court cases for and against in Japan and Spain…. In the US there is more of a priority on the ‘need to know,’ while in Europe there is more of a focus on privacy, with a right to erase and even revoke consent to retain information at any time, barring a legal exception,” de Santis said. “When you acquire banking businesses, you acquire information on multiple databases and systems, and now you have to be sure you can erase everywhere. This should have big implications for data lineage going forward.”

The Vast Expanse

While financial firms have improved their ability to properly identify, tag, store and retrieve information, there’s still a long way to go, Glasser notes. “This whole idea of the right to be forgotten, once that’s traveled throughout the organization, that’s going to be very, very difficult to enforce,” she says. “So the lineage of data is going to be critical to enforce.”

She says this rule will force firms to reexamine their data definitions—how do they define a “client”, for example—create clear guidelines for handling and storing data, and improve their overall data governance processes. This has been an ongoing task for banks and asset managers for some time now, but this will force them to kick into a higher gear.

“What this will do is push companies to have traceability and lineage,” she says. “The more they can get organized up front and make sure they have the definitions down, the better position they’ll be in to do that.”

One CDO at a large European bank says the rule is expansive when it comes to identifying what personal data is. According to the rule, personal data consists of any information that can be used directly or indirectly to identify a person. “Obviously, data has become key over the last 10 years. My position didn’t even exist [at the bank] in 2007. But our focus has been on risk and analytics, at making sure we have AML covered, at data governance, but not as much the personal stuff that the EU Parliament is looking for, as I understand it. It really is a nightmare to identify all of that,” says the executive.

This is daunting because the data portability section of the rule states that the data subject “shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”

Industry participants worry that this piece of the mandate could prove costly from a time and resources perspective. And when handing over that information, they also have to make sure that they aren’t breaking laws by handing over other people’s information tied to that account or by giving away proprietary information, Pauly says.

“Finding that data and preparing that data for the handover to the requester is, indeed, a challenge,” he says. “They’re not supposed to produce data that belongs to other individuals at the same time—this is prohibited. They have to try to avoid any disclosure of trade secrets, which could be included in that data if the data is structured in a certain manner—such as if the data has information about how the bank calculates risk.”

The CDO at the aforementioned G-SIB says the bank has leveraged best practices from the retail side of the institution to help adhere to this piece of the rule, as well as for other sections. But there are still areas that require greater attention.

“As it pertained to data subjects’ rights, we were already very well versed in the retail side of our business because we’ve been doing that for quite a while,” says the CDO. “The challenge was that GDPR drove us to look at the natural person in terms of people within the vendor space and the natural person as our employee, so we had to expand that coverage to see where the data subjects’ rights existed above and beyond what we were already fairly well used to within European regulation. We took the learning from the retail and embedded it in a somewhat different set of processes for the wholesale, but we managed to make that work.”

Mind the Gap

While banks have looked to scale back on the number of their vendor relationships in recent years, most still employ a flotilla of third parties. So, as with any new rule, companies have had to conduct a gap analysis for GDPR to see where they are deficient in their compliance methods.

To do this, firms must first identify the data processing landscape within the institution. Then they must map data subjects’ rights against their existing processes to determine the gaps—either because the firm is missing processes or because the processes need alteration—and they may find that they hold inadequate consents or are missing consents altogether.

“For us, the gap analysis was relatively easy within the natural person for retail, a little harder when it came to getting the employee understanding right, and pretty messy when it came to understanding the gap for our vendor side,” says the CDO, noting the sheer number of vendors being used to run the bank’s various endeavors.

After all that is completed, then comes the triage to ensure that the bank complies by May 25. That means prioritizing what has to be completed by the 25th, and what can be kicked down the line. “That’s where you come down to some of the niceties of interpretation,” says the source.

The niceties of interpretation, indeed—that’s been the standard for almost every major regulatory overhaul, from Dodd–Frank to Mifid II and now to GDPR. But this one really does appear to be sneaking up on many financial institutions because of the breadth and scope of its definitions, from who it affects to what constitutes personal data.

For all the talk of Mifid II, GDPR may prove to be a more challenging beast to tame in 2018.


Rights Bestowed Upon ‘Data Subjects’ as Outlined in GDPR

Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.

Right to Be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to [the] original purposes for processing, or data subjects withdrawing consent. It should also be noted that this right requires controllers to compare subjects’ rights to “the public interest in the availability of the data” when considering such requests.

Data Portability
GDPR introduces data portability—the right for a data subject to receive the personal data concerning them that they have previously provided in a “commonly used and machine-readable format” and have the right to transmit that data to another controller.

Privacy by Design
Privacy by design as a concept has existed for years now, but is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition. More specifically: “The controller shall implement appropriate technical and organizational measures in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects.” Article 25 of the final text (numbered Article 23 in the earlier draft this summary was based on) calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization), as well as to limit access to personal data to those who need it to carry out the processing.

Source: eugdpr.com
