On May 25th, 2018, a mere eight months away, the biggest overhaul of EU data protection law will come into force for all EU Member States with the introduction of the General Data Protection Regulation (GDPR).
GDPR will impose substantial financial penalties on firms who fail to meet the new rules on the management of personal data of EU residents. Under the new regulation, banks could see fines of up to €10m or 2% of their global turnover or up to €20m or 4% of global turnover (or whichever is greater) depending on the gravity of the offence.
Banks are particularly affected by GDPR due to the vast volumes of data and documentation collected, held, stored, processed and used relating to private individuals; the majority of which are deemed to be confidential and sensitive in nature. For this reason, banks may find themselves in the immediate line of sight for regulators seeking to set an example with an early fine or two.
In terms of client offboarding, banks will need to implement technical and organizational measures to allow them to respond to requests for erasure and right to be forgotten from data subjects in an adequate and timely fashion.
Data controllers and processors will be required to keep internal records of the processing they carry out – including name and contact details for processors, controllers and joint controllers. The regulation includes an exemption for organisations with fewer than 250 employees, specifically in relation to record-keeping.
To automate this process, systems should be capable of extracting raw data which, in turn, can be used to generate MI reporting. In a Client Lifecycle Management solution, any client data held will be easily traceable, providing a full audit history, MI reports, single client view and linked associations.
If a client requests access to records of personal data held and processed on them, banks must be able to comply efficiently and quickly and present the data in a usable, machine-readable format.
Banks are fast moving into a digitalized world offering digital contracts, digital signatures and contract lifecycle management processes. Paper contracts are now even digitized with OCR technologies.
Data should be tagged and indexed appropriately to ensure easy searching. Documentation must also be saved to the individual client’s record, as well as being available in a document management system. This will aid the easy identification and location of personal information relating to data subjects.
Erasure and Right To Be Forgotten
To comply with these new obligations, banks must decide how they will handle these type of requests and deletions. In the instance where the bank does not have a legal obligation or legitimate purpose to retain the data, or where consent has been withdrawn, then banks will need to institute a process to delete the data, potentially offboard the client, provide confirmation of deletion to the client/individual and demonstrate overall compliance to the regulator.
If a data subject decides to withdraw consent, requests erasure of their data and instigates their right to be forgotten, where there is not legitimate basis for their details to be held, then the bank will need to offboard the individual’s details.
Client offboarding is defined as the proactive management and removal of redundant, obsolete or incorrect information held on clients, accounts and assets.
As a process, it can be quite a data and document-intensive process. Banks must ensure that every piece of relevant data and documentation pertaining to a data subject is identifiable across numerous data repositories and ensure this is erased and confirmed with the data subject in a timely fashion.
The only way to manage this process efficiently is to introduce automation. Client Onboarding/Client Lifecycle Management solutions should provide the capability to offboard clients and/or their data:
a) Assess request
Once the request is received from a data subject, the bank must assess the request and determine if it has legal basis to hold onto the data. If not, then the bank must aim to identify all the repositories and systems that contain this personal information on the data subject.
b) Determine the impact of offboarding on reliant parties
If it is decided to offboard the data, then it is important to check for any interdependencies on the data that may impact other clients, accounts, departments etc. For example, if the data subject is associated with a parent company, other companies or other accounts in different roles (e.g. guarantor). Once a full understanding of the data subject’s associations and activities is gained, the process to disassociate reliant parties can commence, e.g. IM funds.
c) Offboarding the data
To ensure full auditability of the process, the user must add in a reason why offboarding is taking place (e.g. request for erasure by data subject). The offboarding process must be approved by a senior manager before being marked as complete.
d) De-activating from IT systems
The final step in the offboarding process involves ensuring that the information cannot be used by the bank. Given the record keeping rules outlined in the 4MLD (as explored earlier), banks may not be permitted from erasing all data. However, they may be able to perform a soft delete process or mask the data, whilst holding records in a back-end repository that has specific user access rights and entitlements. This should be accompanied by a notification that the data has been successfully offboarded or quarantined from all related systems.
e) Confirm erasure of data
The final step involves a confirmation to the data subject that the data has been effectively erased or quarantined from all internal systems in compliance with their request under GDPR. 7. Breach Response To comply with this requirement within the specified timeframe, banks will need to revisit or enhance their end-user controls and internal reporting processes. Banks must report a breach “without undue delay and where feasible no later than 72 hours once a breach has been identified, except where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
In a Client Lifecycle Management process, banks may opt to include details of instances where a breach report has been raised to ensure full client record maintenance.
GDPR constitutes the biggest overhaul in EU data protection rules since its predecessor was introduced over two decades ago. At the very core of this new regulation is the recognition that the ownership of data resides with the individual, not with the data controllers/ processors. This will certainly have a significant impact on Client Lifecycle Management activities, increasing the regulatory requirements related to client and counterparty data protection for banks. Banks now need to undertake a root-and-branch review of how they handle, process and govern the use of client data across their business lines, jurisdictions and organization. If you would like to learn more about best practice guidelines for achieving GDPR compliance, download our dedicated GDPR whitepaper.