Are You Prepared for the EU General Data Protection Regulation (GDPR)?
Prashant Mehta is the Vice President of Compliance at VITEOS. Since May 2018, all VITEOS applications and processes dealing with personal data have been GDPR compliant. Through this article, we intend to share useful advice and tips on GDPR. If you have any GDPR related queries, we can help you out. Contact our Compliance Officer at Compliance@viteos.com
What is GDPR?
The General Data Protection Regulation (GDPR) is the EU data protection law governing the personal data of individuals in the European Union. Effective since 25 May 2018, the GDPR is built on the concept of data protection “by design and by default”, which means that privacy risk and compliance must be built into systems, processes, and procedures across the entire organization. It replaced the EU Data Protection Directive (95/46/EC) and, being a regulation rather than a directive, is directly applicable in all Member States without the need for national implementing legislation.
How GDPR Protects the Personal Data of EU Residents
With the GDPR in place, individuals are told how organizations use their personal data, giving them greater control over it. Personal data includes any information that can be used to identify a person, either directly or indirectly.

Organizations must clarify to users how they process personal data. Companies must explain the specific purpose for obtaining any user data, how long the data will be retained, and the circumstances under which the data may be transferred to others.

Organizations may only process personal data on a lawful basis. Consent is one such basis; where consent is relied on, it must be given by a statement or a clear affirmative action, and users must be able to withdraw it at any time, as easily as they gave it. When no lawful basis remains for holding data, companies must have procedures in place to erase it without undue delay. Any organization dealing with the personal data of EU data subjects must give them the means to exercise their rights to access, rectify or erase their data.
How GDPR Affects Financial Firms Within and Outside the EU
GDPR is not just for the EU. GDPR applies to any organization, regardless of geographic location, that controls or processes the personal data of individuals in the EU. Its coverage extends to data controllers and processors outside the EU whose processing activities relate to offering goods or services to EU data subjects or to monitoring their behavior within the EU. This applies regardless of whether the company’s goods and services are paid or free of charge.

Banks and financial firms handle large volumes of sensitive customer data. Often, this data flows through multiple applications, vendors, and people, and every additional hop widens the exposure. The greater the risk of a data breach, the greater the need for an effective and transparent mechanism for handling data. To be GDPR compliant, financial companies must align their legal framework, business model, technology, and people to address the security weaknesses they face.
The Penalty for Organizations that Fail to be GDPR Compliant
Any organization that processes the personal data of EU data subjects has been expected to be GDPR compliant since 25 May 2018. Those who fail to comply face substantial penalties. Depending on the severity of the infringement, companies may be fined up to 4% of their annual worldwide turnover or 20 million Euros, whichever is higher.

A personal data breach, including unauthorized disclosure of or access to personal data, must be reported to the competent supervisory authority within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the affected individuals, they must also be notified without undue delay. A deadline this short can only be met if breach detection, triage and escalation procedures exist before the incident occurs.

Companies, especially those in the financial sector, must review and address the key data privacy challenges they face.
How VITEOS Became GDPR Compliant
At VITEOS, we formed a compliance team in early March 2018 to be ready for the GDPR. The team consisted of members from Business, Technology, Legal and Marketing. We also formed a GDPR Steering Committee that met on a weekly basis to cover various aspects of data privacy. We conducted multiple training sessions for all managers to familiarize them with their responsibilities and obligations, regardless of whether they have access to clients’ personal data. Here’s a list of specific actions Viteos took to become GDPR compliant:
Legal Aspect: Interpretation of Legal Framework
We translated all the data privacy requirements into internal policies and external communication frameworks to comply with the new legislation. The key aspects covered were:
- Data protection framework
- Explicit Consent
Business Model: Business Impact Assessment
By looking at Viteos’ business models and outsourcing contracts, we assessed all the possible ways the company’s business model would be affected by the new law, addressing questions such as:
- What data streams are still permitted?
- How does GDPR affect our hosted/outsourced activities?
- How does GDPR impact our revenue streams?
Technology: Data Control
To secure data privacy, a company needs technology that is strong yet flexible. The chosen solution should keep the data under control at all times. We built a technology solution for internal use that addressed data protection aspects such as:
- Data portability
- Data minimization
- Right to be forgotten
- Data breach handling and notification
- Third party management
Data Privacy as an Organizational Value
We set up checks and balances to ensure the company remained compliant throughout the process, and we assigned responsibility for data privacy to a specific group within the organization. We approached data privacy as a company imperative, focusing on issues that ensure privacy remains an important part of our operations and culture, including:
- Using Privacy by Design Methodologies
- Instituting Privacy Impact Assessments
- Appointing a Data Protection Officer
By integrating the legal framework, business model, tools, and people, VITEOS gained greater control and confidence in the use and management of data, and Viteos has been fully GDPR compliant since May 2018.

The answer to the data privacy challenges faced by today’s financial sector lies in the integration of the right technology and the right process. Success will come most easily to those who have the skill and the domain expertise to address the specific challenges.
How VITEOS Helped its Customers to Become GDPR Compliant
During VITEOS’s journey towards GDPR compliance, we reviewed each client’s portfolio of investors to determine whether the GDPR applied. Once we determined that it was applicable, we proactively contacted the client and assisted them in fulfilling their obligations as defined in GDPR. This process included conducting Privacy Impact Assessments, reviewing existing processes, evaluating technology capabilities, creating policies for data security and breach notification, defining ‘Privacy by Design’ concepts, designing consent forms, and so on. Because of its far-reaching privacy requirements, even companies operating in non-EU countries were affected by GDPR.
If you believe you might benefit from working with our Compliance team to help determine whether the GDPR is applicable to you, please do not hesitate to reach out to us at Compliance@viteos.com.