In a recent post, we highlighted that for RegTech to fulfil its full potential, it needs to be more than an instrument for addressing isolated regulatory requirements. Take the GDPR, for instance: the right solution should produce comprehensible and trustworthy evidence; it should bring transparency to a firm’s compliance status; and it should generate actionable insights that are easy to access and easy to understand. Only then does RegTech truly live up to expectations and turn GDPR compliance into a competitive advantage.
How do you achieve this, though? It is probably best to work through an example: a regulatory challenge, a RegTech solution, and how that solution addresses the requirements set by the regulation while also creating value beyond the initial objective and strengthening the firm’s wider framework.
So, let’s begin with the regulatory challenge, the GDPR.
GDPR: Data Protection re-invented
At the centre of the regulation is the protection of personal data. This is one of the fundamental rights set out in the Charter of Fundamental Rights of the European Union, and the EU lawmakers were careful to place it in context, as you can tell from the regulation’s preamble (Recital 4):
“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
The European lawmakers also felt that the existing framework did not provide this level of protection, so they set out to produce new rules. After four years of work the regulation entered into force on 24 May 2016; it applies from 25 May 2018 and sets a new standard for the protection of personal data. With the GDPR the European Commission aims to harmonise and strengthen data protection for all individuals within the European Union. Supervisory authorities in every member state will enforce it. The obligation is not merely to secure or store data, but to take responsibility for the data of the individuals it belongs to. Companies will have to manage the regulatory, technical and process-related dimensions of their data handling, and they will have to respond to requests from data subjects exercising their rights, for example to access or erase their data.
It is safe to say that the GDPR is one of the most challenging regulatory initiatives of all time. It requires extensive data management, a complete re-evaluation of risk positions and more mature procedures; systems have to be compliant by design and by default; and compliance has to be demonstrable. Where it is not, the consequences are severe, as we will see in detail further down.
All systems and procedures that process personal data automatically are in the focus of the GDPR, and so is manual processing of personal data that forms part of a filing system. What counts as personal data can differ significantly by context, and if in doubt it is advisable to treat data as personal rather than not. Some data are obviously personal; others only turn out to be so at second glance. Device identifiers such as MAC addresses or IMEI numbers, for example, are personal data whenever they can be linked to an individual, which in practice they usually can. The situation becomes even more complicated when the same data is handled differently in different contexts.
The GDPR also adds a whole new dimension in terms of territorial application. It applies to any company established in the EU, and also to companies established elsewhere when they process personal data of individuals who are in the Union in order to offer them goods or services or to monitor their behaviour. The decisive criterion is whether the data subject is in the EU, not their citizenship: non-EU nationals residing in the Union are covered, and a controller or processor based outside the EU can still fall under the GDPR regime.
The GDPR also aims to protect data throughout its entire life cycle: from collection, through processing, storage, updates, transfers and archiving, all the way to erasure. Every operation on personal data is affected by the GDPR.
The essential principles guiding the regulation are:
- Lawfulness, Fairness and Transparency
- Purpose limitation
- Limited storage periods
- Data quality
- Data minimization
- Information security
- Data protection by design and by default
- Legal basis for processing
- Requirements for onward transfer
To be compliant with the GDPR, companies need full transparency over where personal data is stored, how the various data stores relate to one another, who processes the data and who uses it, and they have to be able to evidence all of this. Data flow, data storage and data quality are therefore essential to every one of these areas.
One of the key findings during the law-making process was that data protection rules had been weakly asserted and enforced in the past. The regulation therefore enforces accountability through penalties on controllers and processors, and national law may add sanctions on the individuals responsible, such as senior management. The stick the EU is going to use against offenders has two ends: substantial administrative fines and an extended basis for claims.
The likelihood of administrative fines has increased drastically with the GDPR. They can reach up to 20 million euros or up to 4% of the offender’s total worldwide annual turnover, whichever is higher. However, the GDPR explicitly lists factors that can lower a fine, among them the technical and organisational measures taken, the steps taken to mitigate the damage and the degree of cooperation with the supervisory authority; comprehensively evidenced, constructive and proactive data protection efforts therefore pay off. Data subjects may also claim compensation for non-material as well as material damage, and may mandate a not-for-profit body to file an action on their behalf. Damages awarded on such claims are separate from administrative fines and come on top of the financial risk. Once a claim has been filed, the burden of proof shifts to the controller or processor, which is only exempt from liability if it can prove it is not in any way responsible for the damage. It is up to the data controller to put a proper contractual framework in place with the service providers that process data on its behalf, so that they can be held liable for any state of non-compliance.
Extended basis for claims
Along with the reversed burden of proof that now lies with the controller or processor, the scope of liability is widened. Every controller and processor involved in a processing operation can be held liable for damage, and each of them is liable for the entire damage so that the data subject is compensated in full. Where several controllers or processors are involved, the one that has paid full compensation may then claim back from the others the part corresponding to their share of responsibility. Both controllers and processors therefore have to be prepared.
If there had been any doubts about the breadth and impact of the GDPR, you now know better. So far, however, we have only scratched the surface. In the next part we will delve into the details of the new rules. Perhaps more importantly, we will also show how such a challenging regulatory initiative can be tackled to meet a firm’s obligations and, with the right solution, to achieve cost savings and a competitive advantage as well.
This concludes the first part of our three-part series on the GDPR, its challenges and the opportunity that comes with it. This post is the result of our collaboration with eccenca, a software and solutions company. eccenca’s next-generation data management solutions drive automation and rationalisation for metadata management, data integration, analytics and data-driven processes. By turning ‘strings into things’, eccenca creates meaningful and machine-interpretable knowledge graphs that allow the integrative interpretation of previously siloed data across the enterprise or even throughout value networks. To find out more, go to www.eccenca.com. You can meet eccenca showcasing their data management solution at the 2018 Chief Data Officer Exchange and the Marcus Evans 4th Annual Data Quality and Consistency in Banking, and find out how they use it to help with the challenges of the GDPR.
Planet Compliance only publishes sponsored content from companies whose products and services we think our audience will find valuable or interesting. For additional information about how we handle partnerships and content production, please have a look at the PlanetCompliance Disclosure Policy, which you can find here.