The deadline for implementation of the General Data Protection Regulation (GDPR) – 25 May – is fast approaching.
While much of the focus may be on achieving basic compliance at the moment, over the medium-term operational risk executives should be aware that this piece of EU rulemaking could have a significant impact on the risks their firm is exposed to.
The following are six key operational risks teams should look at more closely, in relation to GDPR:
Front and centre is the size of the fines that could be imposed for failure to comply with GDPR – the penalties can be as high as €20 million, or 4% of a company’s annual global turnover. These are hardwired into the regulation itself.
The UK’s Financial Conduct Authority (FCA) has said it plans to review of firms’ use of data during the 2018/2019 year in its annual business plan. Operational risk teams need to be sure that the correct policies and processes are in place, as well as adequate training.
Under GDPR, individuals have a range of new rights, including the right to be informed about the data a firm holds, the right of erasure, the right to data portability, and the right to not be subject to automated decision-making, including profiling.
Given the sensitive nature of much of the data processing financial services firms do on individuals, it’s likely that early on some firms will be tested for GDPR-compliant personal data handling by consumer groups and others. Operational risk teams should flag the risks to the firm’s reputation if it fails to perform GDPR personal data requests correctly, and seek to put in place communication and remediation strategies in case such a challenge arises.
Firms should already have in place the right procedures to detect and investigate a personal data breach, but operational risk teams may wish to review these in light of GDPR.
Operational risk teams should also make sure the firm has the right procedures in place to notify the authorities in their jurisdiction of data breaches when required to do so under GDPR. It is important that GDPR is woven into the appropriate parts of a firm’s business continuity and disaster recovery plans.
Human resources risk
Personal data doesn’t just exist in customer databases – it is held within the Human Resources function as well. Op risk teams should make sure that all of the GDPR requirements are implemented within the Human Resources’ handling of employee and applicant data.
It’s important to identify potential risks that could result from data handling in this area – for example, the right of an employee who has been dismissed to see the data the company holds on them – and to create processes for handling those risks.
Firms that operate in a number of non-EU jurisdictions should seek to understand if local regulations could potentially conflict with any of GDPR’s requirements.
There are also potentially places within the EU regulatory framework where GDPR may be tricky – for example, when it comes to know-your-customer programmes under anti-money laundering (AML) and anti-terrorist financing regulations. Op risk should work with compliance teams to examine any regulatory frameworks that require firms to obtain, process and hold personal data in a certain way.
New product risk
GDPR now makes it a legal requirement for firms to adopt a privacy by design approach in new product development. Firms must carry out a Data Protection Impact Assessment (DPIA) as part of new product development programmes in many circumstances.
Operational risk teams need to ensure processes are baked in to new product development processes and that the risks are being managed. Guidance produced by the UK Information Commissioners’ Office can help op risk teams identify how DPIAs should be linked to risk management.
It may make sense for firms to tag GDPR-related risks and loss events in their GRC systems, so that they can track and manage these risks more effectively – as well as report on them to senior management and the board. Understanding these risks may also help inform discussions with regulators.