Following publication in the Official Journal of the European Union in May 2016 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, GDPR), various ABI Lab and ABI round tables have examined in depth its principal new elements and their potential impact on the banking sector.
It is widely held that implementing the new regulation could considerably increase the attention paid, and the commitment devoted, to the methods used to manage company information, with major repercussions for processes, architectures and information governance.
These regulatory developments may also be viewed as an opportunity for banks that are working to establish good practices and efficient management models in various areas. With this in mind, many banks have been working rapidly over recent years to improve security monitoring and the management of IT risks, developing models that can serve as a solid foundation for adapting to the new regulatory requirements.
It is also worth considering that the processes and organizational set-up already established for Privacy (to comply with the regulations that preceded the GDPR) provide a foundation and a valuable reference for identifying working priorities and supporting the adaptation process.
In the final analysis, implementation of the GDPR could serve as the catalyst for rapidly capitalizing on the Data Governance techniques and models on which banks have been working over recent years.
In many cases, planning the implementation has led to several assessment dimensions being examined at once, which is natural given the Regulation's wide scope and its overarching, pervasive nature.
Alongside the synergies with Data Governance, it is important to reiterate that Data Protection processes can also build on processes and practices developed over time on other fronts, such as IT risk assessment and management or security more generally.
The importance of Process Management is particularly evident: it is the key factor in linking a series of interrelated elements (processing operations, purposes, responsibilities, etc.). Starting from process design and concentrating effort on the process management paradigm allows the Regulation to be implemented more precisely, with Data Governance acting as the driver for organizing the project.
It is equally useful to consider how the rules, techniques and practices of Data Governance could be applied, with differing intensity and emphasis, to several of the basic principles set out in the new European regulation.
Another cornerstone of the implementation process is the principle of Accountability (Article 5(2) GDPR), which can be interpreted as the underlying layer on which the Data Protection implementation logic rests. A model centered on Accountability in fact requires moving in several directions at once, considering not only governance aspects but also the monitoring and auditing mechanisms that allow compliance to be demonstrated.
At the same time, particular attention must be paid to the principles of Privacy by Design and Privacy by Default (data protection by design and by default, Article 25 GDPR), which call for further reflection on all information management activities. This not only encourages a review of the paradigms underlying Run mechanisms, but also affects Change processes, since protection requirements must be considered when a new processing operation or system is designed, not only when it is operated.
A third key aspect relates to the organizational model. In particular, it is worth reflecting on the framework of roles and responsibilities, partly with a view to striking a balance between the different players involved.
Several organizational set-ups and processes defined and consolidated over the years, particularly in the areas of Privacy, Security and IT Risk Management, can serve as a starting point for improving governance measures and logic.
A further aspect deserving attention is the role of the Record of processing activities (Article 30 GDPR), which can be seen as a central component and cornerstone of the entire Data Protection system from several viewpoints.
In fact, given that the GDPR encourages data and management processes to be viewed together, it is natural to see the Record of processing activities as a basic connecting and integrating element. It is not merely a regulatory requirement but a genuine tool for management, understanding and self-analysis.
The Record of processing activities also forms part of the Process Management logic mentioned above and is a key element in steering the adaptation process.
A final aspect that can rightly be considered key is the centrality of the comprehensive management of security components. In particular, a strong focus emerges on improving the logic centered on risk assessments and impact assessments (the data protection impact assessment of Article 35 GDPR).
The concept of risk itself needs to be reconsidered: the GDPR focuses on the individual, the data subject, and on the different types of risk to which that person's rights and freedoms are exposed, not on the organization. A partial change of approach to risk assessment and analysis is therefore called for, with the likelihood and severity of harm to data subjects, rather than loss to the bank alone, becoming the reference measure.