
Are you ready for GDPR?


The countdown clock to GDPR – the General Data Protection Regulation of the European Union (EU) – is being closely followed by business leaders in Europe and around the world as it moves towards its May 25, 2018 deadline. While this harmonized data protection law was designed to give EU citizens more control over their personal data, there is no doubt that GDPR is having a more widespread effect, because many corporations are global in nature. If obliged to meet a regulation for some affiliates in the EU, many companies will be poised to adopt it globally if needed, and may do so anyway for the sake of stakeholder trust and good governance.

In a recent IBM Algo FIRST newsletter, we looked at the ramifications for financial services firms of non-compliance with GDPR. With reference to the example of the recent Equifax privacy breach, the Algo FIRST research team delineated key implications of GDPR for businesses in Europe and around the world. GDPR features stricter rules – on consent to hold and use personal data, and on the individual “right to be forgotten” – including:

  • The concept of ‘privacy by design’ for new products, where the premise of privacy is a feature of the development of a product, rather than something that is added as an afterthought
  • A new requirement to document evidence of compliance with the GDPR
  • The reporting of significant data breaches to the regulator within 72 hours
  • Maximum fines for non-compliance with the GDPR increasing to 4% of annual turnover, or €20 million, whichever is greater.

Rethinking business and product development in this new light (i.e. ‘privacy by design’) clearly opens a perspective on how our data can and should be used. For example, in the case of Equifax, much of the information was passed to them to create individual credit rating histories. Unfortunately, over the years a person’s Social Insurance number has become the de facto key to much of this information, especially in situations where credit is extended. This means that if a security breach occurs, the data at risk is of a type that could be used to expose the data owner to account takeovers and identity theft. When we consider recent significant data privacy breaches – for example, at Equifax, Home Depot and Target – we can see that the impact of GDPR on business will be transformative.

Privacy regulations are increasingly reshaping business today. Would it surprise you – as a consumer – to know that in many cases when you submit information through online forms, there are ‘small print’ terms embedded on the site which are designed to protect not the consumer but the organization from legal action? Enter a variety of regulators, like the Consumer Financial Protection Bureau (CFPB), who contend that consumers often do not understand what they are opting into and, moreover, that consumers have a right to understand exactly what they are agreeing to. Today, these regulators are moving to put in place a variety of safeguards for consumers in this regard.

For corporations seeking to manage their GDPR ‘readiness’ in this rapidly changing regulatory environment, most are looking to track their processes and systems in order to limit, or at least better understand, the kinds of private data that they retain. Solutions such as IBM OpenPages offer a capability to configure and send questionnaires to business line stakeholders, enabling an institution to assemble an inventory of the systems that are required to keep this type of critical data. Regular assessments are then used to track how well those systems and processes are being managed.

It remains to be seen whether some of the legislation (like that proposed by the CFPB) will be passed in the USA and have the same impact as GDPR has for the EU, but regardless, those companies choosing to do business in the EU or to hold private data on EU citizens will need to ensure that they are prepared to address the issue of ‘privacy by design’.

Learn how Algo FIRST’s daily updates can provide your business with the insights it needs to be prepared for external risk events.

Head, GRC Offering Management
