A guide to the EU General Data Protection Regulation and the application of RegTech How to use RegTech to comply with GDPR and other Regulations and create additional value

A guide to the EU General Data Protection Regulation RegTech · 2020. 9. 25. · RegTech solution, the regulatory challenge, and how the solution addresses the requirements set by


A guide to the EU General Data Protection Regulation and the application of RegTech

How to use RegTech to comply with GDPR and other Regulations and create additional value


Contents

Foreword ........ 3

Introduction ........ 4

Chapter 1: The Real Opportunity of RegTech ........ 5

Chapter 2: GDPR = Challenges and a Unique Chance ........ 7

Chapter 3: GDPR and Data Subject Rights ........ 11

Chapter 4: GDPR and Organizations' Obligations ........ 17

A Final Word ........ 21

About ........ 22


Foreword

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It is one of the most challenging regulatory initiatives and is going to transform the rules governing data protection and privacy in the European Union and beyond.

Like GDPR, many other new regulations have increased the pressure on financial institutions, where compliance has become a burden for the business in terms of costs and resources that cannot be faced with traditional methods anymore.

Regulatory Technology (RegTech) is often cited as the solution that empowers firms from all industries to deal with these rules. Its true value in our opinion goes way beyond the view of it as a stopgap solution. RegTech is an opportunity for organisations to create additional value and regulatory compliance. It is sometimes difficult to understand this when we talk about RegTech in abstract terms, so we decided to partner up with eccenca, a software and solutions company, to explain in a use case scenario in concrete terms the real significance of RegTech.

The book will provide an introduction to RegTech and its game changing strategies and technologies. It also offers a detailed introduction to the GDPR and the challenges it brings. Lastly, using eccenca's solution, we describe how this solution can be used to achieve regulatory compliance while creating insights into your company you never had before.

We hope you find this guide useful and look forward to welcoming you at www.planetcompliance.com, the leading platform for insights and analysis on Financial Services Regulation and Innovation.

PlanetCompliance


Introduction

Regulatory Technology aka RegTech is revolutionizing how we deal with regulation. The Financial Conduct Authority of the UK defines RegTech as a sub-set of FinTech that focuses on technologies that may facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities. In reality, RegTech is not limited to financial services alone but rather is applicable in any regulated industry. That's one of the reasons that makes it so attractive. It has already had a significant impact in financial services though, as it helps to overcome the old ways of spreadsheets in an industry that has come under immense regulatory pressure with a massive amount of new rules coming into force or on the table. Clever start-ups as well as more established players use innovative technology like Smart Data Analytics, Artificial Intelligence or Blockchain to help banks comply with their regulatory obligations. It covers a wide range of aspects, and one of the main areas for disruption through RegTech is the communication between different systems, be it internally between existing ones or with new systems, or between different institutions. Most financial institutions work with legacy systems that have been tweaked and amended over several years to become individual configurations that struggle to talk to other systems. A senior IT colleague once told me that overcoming these issues would be like a heart transplant surgery, where the old one basically needs to be removed first before the new one can take its place, only that it would be like replacing several hearts at the same time.

However, new regulation, and notably MiFID II, has brought challenges, in particular with respect to reporting requirements and the management of data for firms and service providers, that have made significant investments in technology inevitable.

Another key field of application lies in the management and analysis of the huge amount of data financial institutions hold. Compliance Monitoring for the purposes of fraud detection or suspicious activity from a Market Abuse, AML or CFT perspective are areas made for disruption by new entrants and old ones alike, if they can come up with a better solution.

KYC and Due Diligence in general are also very popular with RegTech start-ups. Financial institutions have long been waiting for solutions that allow them to access and manage their data more efficiently and streamline the current setup while saving money and resources on what is now a costly and time intensive process.

However, despite a lot of attention, which RegTech has received particularly in the last twelve months, several obstacles have to be overcome. For instance, in order to further advance RegTech, it will be important to create further awareness and better understanding among the decision makers in financial institutions of the benefits it could bring to the industry.


Chapter 1: The Real Opportunity of RegTech

Whenever talk turns to regulatory initiatives and how RegTech can solve these challenges, it seems that we do not appreciate the real opportunity of RegTech: transparency about your internal policies, processes and the related datascape. Yes, it may appear to be the only way to get to grips with the constant regulatory change and the enormous obligations that come with regulations like MiFID II or GDPR. But looking at how RegTech works in practice, we discover that the true value goes way beyond the solution of specific problems.

RegTech now and then

The last year has put RegTech in the spotlight and created a kind of hype about it, but many believe that 2018 could be the year we find ourselves at crossroads. With a year full of regulatory challenges in the form of MiFID II, GDPR, PSD 2 and many other initiatives becoming applicable, can RegTech live up to its promise? We at PlanetCompliance certainly believe so. Not only because traditional methods and spreadsheets won't be able to deal with the immense demand for information that authorities ask for. It needs new ways to address these challenges effectively, and this is what RegTech is first and foremost supposed to do. While most RegTech solutions might tackle a specific problem though, the real value goes beyond this, as they are able to create an original and efficient approach. Effectively, they offer application in other use cases that can present new opportunities and increase their attractiveness many times over.

Take, for example, compliance with the General Data Protection Regulation (GDPR). Designed to harmonize data privacy laws across Europe, it presents companies with immense challenges to ensure compliance with its requirements. However, addressing only the requirements of this particular act means ignoring the potential to deal with future regulations in a more efficient and cost effective way.

At the bottom of the problem

Why? Well, at the bottom of most of the challenges that financial institutions face is data, or to be more precise transparency about our datascapes and the quality of the information held by organisations. Institutions hold incredible amounts of data, but this data comes from numerous sources in multiple applications, everything encoded so that only the respective source application can decode and interpret the information. That's what makes the reuse of data so difficult and, with regard to the requirements introduced by the GDPR, leads to a high risk of non-compliance as well.

This is the point where RegTechs like eccenca can help though: actually, most information kept in the code of applications can be described as data, and, by doing so, can be removed from the specific context of the source program, analysed and linked at data level to create single clouds of metadata, which in turn then can be used again. The trick is to make sure that data isn't simply copied over from one application to another one and duplicated. In this way, the data is reusable for other purposes. This process adds even more value when data is shared with external sources such as trade bodies and industry associations, but on a bilateral level, too, since often data standards cover only a fraction of data usage, for instance, the communication with exchanges for reporting purposes.

The RegTech Opportunity

In most cases RegTech does not only present a solution for one particular problem, but consists of value that goes well beyond the application to a single case. And GDPR is an excellent example to show how: the problem with complying with data protection regulation is that data subjects are scattered across dozens, if not hundreds of systems in an enterprise. A client of a bank could be registered for one product in one system and for another product in another system and so on. Regularly, financial institutions hold information in many places about the same client, but have no idea about what and where. The eccenca solution collects metadata from the various systems, consolidates the information and can provide an internal map of personal data processing, always up-to-date, as basis to answer subject access requests about data usages in accordance with GDPR, e.g. which information does the company hold about the client, where, why, on which legal grounds, how and when approved, and for which purpose. In this manner the solution creates exactly the kind of absolute data transparency required by the regulation, without duplicating the data itself.

If you have to go through this not small exercise, it stands to reason that you would also use the results for other purposes. On the condition that permission has been given, these insights empower a firm to gain a better understanding of their clients and, as a consequence, discover and explore business opportunities, or address other regulatory challenges. It is necessary though to appreciate and embrace these opportunities. For a firm and its culture, it requires a certain mind-set and openness towards innovation rather than the intention to find a quick fix, as that doesn't do RegTech justice. After all, while it is an excellent way of dealing with the constant regulatory change, it is foremost an opportunity to gain a competitive advantage and see your organisation like you've never seen it before.


Chapter 2: GDPR = Challenges and a Unique Chance

As the first chapter served to explain that for RegTech to fulfil its entire potential, it needs to be something more than an instrument used to simply address isolated regulatory requirements, it is now time to dive into the practical example: GDPR. It is a very demanding new set of rules to say the least; with the right solution you can achieve comprehensible and trustworthy evidence; the solution should bring transparency on a firm's compliance status; it should also create actionable insights in a manner that is easy to access and easy to understand. Only then does RegTech truly live up to expectations and make GDPR compliance a competitive advantage.

How do you achieve this though? Well, it's probably best to use an example of a RegTech solution, the regulatory challenge, and how the solution addresses the requirements set by the regulation as well as creates additional value that goes beyond the initial objective and improves a firm's framework several times over.

So, let's begin with the details of the regulatory challenge, the GDPR.

The GDPR principles


GDPR: Data Protection re-invented

Protection of personal data is at the centre of the regulation. This principle is one of the fundamental rights set out in the Charter of Fundamental Rights of the European Union. The EU felt that it is one of those rights that cannot be stressed enough, as you can tell from the regulation's preamble:

"The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality."

The European lawmakers also felt that the existing framework did not provide this level of protection, so they set out to produce new rules, and after four years of work the regulation came into force on 24 May 2016. The GDPR will apply from 25 May 2018 and set a new standard for the protection of personal data. With the GDPR the European Commission aims to harmonize and strengthen data protection for all individuals within the European Union. A formal organizational framework will be set up in all member states to enforce the adoption of the GDPR. It is not just to secure or to store data and information, but to care for the data and information of individuals. Companies will have to observe the regulatory environment, the technical environment, and the process-related environment to really manage data. Last but not least, companies will have to react to new upcoming demands by those affected.

It is safe to say that the GDPR is one of the most challenging regulatory initiatives of all times, as it requires extensive data management, an entire re-evaluation of risk positions, an increase to the maturity of procedures, systems have to be compliant by default and design, and one has to prove compliance with GDPR. Because if that is not the case the consequences will be severe, as we are going to see in detail further down below.

The Basics

All systems and procedures which process personal data automatically are in the focus of the GDPR. The definition of personal data in various contexts can differ significantly, and if in doubt, it is advisable to rather assume data to be personal than not. As some data are obviously personal, others may only appear to be so at a second glance. For example, asset information like MAC or IMEI addresses are defined to be personal data, too. The situation becomes even more complicated when considering that data may be handled differently in different contexts.

The GDPR also adds a whole new dimension in terms of territorial application. It will affect any company doing business in the EU and is applicable to all personal data of individuals who are citizens or residents of the European Union, regardless of where the controller or processor is based. Therefore, it is important to acknowledge that persons from outside the EU may belong to the GDPR regime as well.

The GDPR also aims to protect data throughout its entire lifecycle: from its collection, to processing, storage, updates, transferals, archive, all the way to its erasure. All operations on data are affected by the GDPR.

The essential principles guiding the regulation are:

• Lawfulness, Fairness and Transparency
• Purpose limitation
• Limited storage periods
• Data quality
• Data minimization
• Accountability
• Information security
• Data protection by design and by default
• Legal basis for processing
• Requirements for onward transfer

To be compliant with the GDPR, companies have to be aware that they must have high transparency where personal data is stored, which relations exist among the various data storages, by whom it is processed, and who is using it. On that matter companies have to provide evidence. Data flow, data storage, and data quality are essential to all these areas.

Strict Enforcement

One of the key findings during the law-making process was that the assertion of data protection and its application had been relatively weak in the past. With this regulation accountabilities are enforced by penalties for companies as well as for the acting people, namely top management and the Data Protection Officer. The stick that the EU is going to use against offenders has two ends: substantial administrative fines and an extended basis for claims.

Administrative Fines

The probability of administrative fines has drastically increased with the GDPR. They can rise up to 20 million Euros or up to 4% of the worldwide annual turnover of the offender. However, the GDPR explicitly states that one can lower the fines if efforts around data protection are comprehensibly evident, constructive, and proactive. Data subjects may also raise a claim for non-monetary loss and involve a syndicate to file an action on their behalf. Penalties out of those claims are not already covered by administrative fines and will come on top of the financial risk. The burden of proof of compliance with the GDPR lies entirely upon the offending data controller against whom a claim has been filed. It is up to the data controller to build a proper contractual framework with other service providers which process the data to make them liable for any state of noncompliance.

Extended basis for claims

Along with the reverse burden of proof that now lies with the provider, the applicability of claims is widened as well. Each controller and processor can be made liable in case of damages. The range of this accountability covers the entire damage. If multiple processors are involved in a claim, the one who fully compensated for the damage may claim the other processors for compensation. Data controllers as well as data processors have to be prepared to be able to follow the GDPR.

Conclusion

If there had been any doubts about the width and impact of the GDPR, you now know better. However, so far we have only scratched the surface. In the next chapter we will delve into the details of the new rules. Maybe more importantly though, we will also show you how a challenging regulatory initiative can be tackled to achieve compliance with a firm's obligations and achieve cost savings as well as a competitive advantage with the right solution.


Chapter 3: GDPR and Data Subject Rights

Following our general overview of the GDPR, we will now look at Data Subject Rights – the challenges they bring and how to deal with them.

Data Subject Rights – The Challenge

The GDPR strengthens the rights of individuals to be able to fully control their personal data. Those rights will change the daily operation of data and also demand a proper organizational setup and in most cases organizational changes.

As a consequence, about 10 core use cases can be identified that define obligations of an organization towards data subjects:

(Please note that there are more duties not directly related to relationships with data subjects, focusing on the duties of data controllers vs. data processors and the transfer of personal data to third countries.)

Supply information when collecting personal data

The controller has to provide information relating to the processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Providing information in the form of privacy policies that are excessively lengthy or difficult to understand is not permitted.

The scope of information that needs to be provided is outlined in Articles 13 and 14 of the GDPR, but the controller might be required to provide additional information if the particular situation makes it necessary.

Provide access to personal data on request

In accordance with Article 15 GDPR, individuals have the right of access to personal data. This means that the controller has to provide a copy of the personal data undergoing processing, which needs to be provided free of charge. However, the controller can charge a reasonable, administrative-cost fee in case of repetitive requests, manifestly unfounded or excessive requests, or where additional copies are requested. This right is based on the argument that individuals are aware of and can verify the lawfulness of the processing.

Manage consent for processing purposes if no other legal basis applies

The processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law, and all data processing activities require a lawful basis, which can come in the form of an individual's consent. If the processing of personal data is based on the data subject's consent, the controller has to be able to demonstrate that the data subject has given consent to the processing operation. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent should not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof, and it has to be as easy to withdraw as to give consent.

Manage rectification of personal data on request

A data subject has the right to demand the rectification of inaccurate personal data concerning him or her from the controller. In specific cases, depending on the purposes of the processing, individuals can ask to have incomplete personal data completed, or to add a supplementary statement.

Manage objection or restriction of processing of personal data on request

While the data subject does not have a general right to object to the processing, there are several situations where a specific right to object exists, such as where the processing is carried out for specific purposes, or where the right to object is justified on a particular basis. These cases include where the processing is for direct marketing purposes; where the processing is for scientific or historical research purposes, but which requires grounds relating to the data subject's particular situation unless the processing is necessary for the performance of a task carried out for reasons of public interest; and where the processing is based either on legitimate interest grounds (for example, in a case of interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child) or it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The controller must then cease processing of the personal data unless an exemption applies, i.e. the controller can demonstrate compelling legitimate grounds which override the interests of the data subject, or where the processing is for the establishment, exercise or defense of legal claims.

Manage erasure of personal data on request (right to be forgotten)

The right to erasure or the right to be forgotten enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Again, this right does not constitute a general claim, but targets specific circumstances, which are defined in Article 17 GDPR:

§ The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
§ The individual withdraws consent.
§ The individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
§ The personal data was unlawfully processed.
§ The personal data has to be erased in order to comply with a legal obligation.
§ The personal data is processed in relation to the offer of information society services to a child.


Notify third parties of those rectifications, restrictions or erasures

To address the importance of a data subject's rights, for instance in an online environment, the controller is obliged to inform other controllers who are processing the data that the data subject has requested erasure of those data, where the controller has made personal data public, and where it is obliged to erase the data. The controller has to take reasonable steps, and account must be taken of available technology and the cost of implementation. The controller must notify anyone to whom it has disclosed such data if the controller has to erase personal data, unless this would be impossible or involve disproportionate effort.

Give back personal data on request and allow transfer to other data controllers (data portability)

Where the processing is based on consent or carried out by automated means, individuals have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. This right to data portability aims to enable the data subject to obtain and reuse their personal data for their own purposes across different services.

Do not base decisions about data subjects solely on automated means

An individual has the right not to be subject to a decision based solely on automated processing, including profiling, if the decisions produce legal effects or similarly significantly affect the data subject. The GDPR gives the example of an online credit application or e-recruiting practices without any human intervention. The regulation also outlines that such processing includes 'profiling' that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. Exceptions to the rule are possible though in cases where the decision is necessary for entering into, or to perform, a contract between the data subject and the controller; the significant automated processing is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or it is based on the data subject's explicit consent.

Communicate personal data breaches (specific conditions apply)

Data controllers have to communicate a personal data breach to the data subject without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons. The notification needs to be in clear and plain language and explain the nature of the personal data breach, and contain at least a minimum of information such as the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; and explain the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Data Subject Rights – The Solution

Now that we have defined the obligations and challenges of the GDPR with regard to the data subject rights, we can think about how to address them. eccenca is a RegTech company whose next generation data management solutions are driving automation and rationalization for metadata management, data integration, analytics and data driven processes.

From a purely technical perspective the eccenca Corporate Memory solution combined with the eccenca GDPR Solution package addresses the data protection function by delivering a granular map of the complete personal data landscape. This map can then be used to identify all personal data of a data subject to fulfil subject access requests (SAR).

The system can answer relevant questions for each data subject ID: which personal data items are there, who is the data controller, who is the data processor of those, in which system is each processed, what is the attribute name, what is the processing purpose and the legal basis (e.g. consent). This is everything required to handle SARs and to provide full transparency to the data protection officer, without exposing any actual personal data. It does NOT store the values of the personal data; those are only managed in the respective systems.

[Figure: The complex grid of dependences]

The underlying technology stack is built on RDF graph technology, which can quickly be adapted to evolving requirements. The metadata described is collected from the various source systems either via a standard API provided for this use case or, as fallback, via an Excel roundtrip.

There is a user interface geared towards the data protection function to explore and search this map, and there are APIs and endpoints to access it via third party tools for analytics and reporting.
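The metadata map described above, written out as an added Python example (this is not eccenca's code): processing records are stored as (subject, predicate, object) triples in the spirit of an RDF graph, pointing at where each personal data item lives and on which legal basis it is processed, so the SAR questions can be answered per data subject ID without the map ever holding a value. It also shows the consent tagging the chapter describes later. The subject IDs, system names and records are constructed for illustration.

```python
"""Personal-data metadata map: pointers to data, never the data itself."""
from dataclasses import dataclass, fields
import json


@dataclass(frozen=True)
class ProcessingRecord:
    """One pointer to a personal data item held in a source system.
    There is deliberately no 'value' field: the map may only know
    where a value lives and why it is processed."""
    subject_id: str    # opaque data subject ID, not a name
    system: str        # source system that holds the value
    attribute: str     # attribute name inside that system
    controller: str
    processor: str
    purpose: str
    legal_basis: str   # e.g. "consent", "contract", "legitimate interest"


class MetadataMap:
    """A tiny triple store: {(subject, predicate, object), ...}."""

    def __init__(self):
        self.triples = set()

    def register(self, rec: ProcessingRecord) -> str:
        """Link the subject ID to an item node and describe the item."""
        item = f"{rec.subject_id}/{rec.system}/{rec.attribute}"
        self.triples.add((rec.subject_id, "hasDataItem", item))
        for f in fields(rec):
            if f.name != "subject_id":
                self.triples.add((item, f.name, getattr(rec, f.name)))
        return item

    def query(self, s=None, p=None, o=None):
        """Pattern match on triples; None acts as a wildcard."""
        return [t for t in self.triples
                if (s is None or t[0] == s)
                and (p is None or t[1] == p)
                and (o is None or t[2] == o)]

    def items_of(self, subject_id):
        return sorted(o for _, _, o in self.query(subject_id, "hasDataItem"))

    def describe(self, item):
        return {p: o for _, p, o in self.query(s=item)}

    def sar_report(self, subject_id):
        """Answer the SAR questions: which items, where, who, why, on what basis."""
        return [self.describe(i) for i in self.items_of(subject_id)]

    def systems_holding(self, subject_id):
        """Which source systems must act on an access, rectification or erasure request."""
        return sorted({self.describe(i)["system"] for i in self.items_of(subject_id)})

    def items_on_basis(self, subject_id, basis):
        return [i for i in self.items_of(subject_id)
                if self.describe(i)["legal_basis"] == basis]

    def withdraw_consent(self, subject_id):
        """Tag every consent-based item; the source systems are then told to stop.
        Nothing is deleted here because the map holds no values."""
        affected = self.items_on_basis(subject_id, "consent")
        for item in affected:
            self.triples.add((item, "status", "consent_withdrawn"))
        return affected


def build_sample_map() -> MetadataMap:
    """Constructed sample: one bank client registered in two product systems."""
    m = MetadataMap()
    bank = "ExampleBank AG"  # hypothetical controller
    m.register(ProcessingRecord("subj-0001", "crm", "email_address", bank, bank,
                                "customer communication", "contract"))
    m.register(ProcessingRecord("subj-0001", "crm", "marketing_opt_in", bank,
                                "MailVendor Ltd", "direct marketing", "consent"))
    m.register(ProcessingRecord("subj-0001", "loans", "credit_score", bank,
                                "ScoreCo GmbH", "credit assessment", "legitimate interest"))
    m.register(ProcessingRecord("subj-0002", "loans", "credit_score", bank,
                                "ScoreCo GmbH", "credit assessment", "legitimate interest"))
    return m


if __name__ == "__main__":
    m = build_sample_map()
    print(json.dumps(m.sar_report("subj-0001"), indent=2))
    print("systems to involve:", m.systems_holding("subj-0001"))
    print("stopped after withdrawal:", m.withdraw_consent("subj-0001"))
```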


[Figure: The complex grid of dependences]

[Figure: Architecture of the eccenca Corporate Memory – GDPR Solution Package]

To internally manage subject access requests the eccenca GDPR solution provides integration with a standard tracking tool (JIRA) to route incoming requests within the organisation.

By doing so, a firm achieves a competitive advantage, increased reliability, and reputation. It also results in simplified data management operations as well as the ability to process across company borders and get full transparency on data storage.

This in turn means that data processing costs are lowered through simple and fast identification of related data. Operational risk costs are reduced by full transparency, which also drives a higher turnover based on competitive advantage in personal data sensitive businesses.

The picture is similar from the data subject interaction perspective. The data protection function of the GDPR requires firms to comply in terms of their duty to supply information, consent management, and the right to object. The eccenca Corporate Memory tags specific data in respect of 'consent', 'objection', or 'legitimate interest'. It sets rules to identify personal data of children for special treatment in terms of children's consent. The solution relates 'consent', 'objection' and 'legitimate interest' to the respective systems, procedures/processes, and purposes. Again, relations among semantically identical data are built without causing redundancy. The set rules identify data to be of the same kind and generate a report with all relevant information to supply.

The value added is both in compliance and financial terms. From a compliance perspective it delivers proof of GDPR compliance and creates a competitive advantage through increased reliability and reputation. It builds trust and transparency towards the data subject. The financial value comes in the form of faster, cheaper and more reliable processing of SARs, lower administrative fines in case of non-compliance, lower data processing costs, no redundant information and higher turnover based on competitive advantage in businesses that handle sensitive personal data.

Conclusion

The example of the data subject rights as established by the GDPR clearly shows how a challenging regulatory initiative can be tackled to achieve compliance with a firm's obligations and achieve cost savings as well as a competitive advantage with the right solution. This is not the end of our guide on the GDPR and the advantages of RegTech. In the next chapter, we will look at additional obligations of organisations as set out by the GDPR and show how regulated institutions can benefit further from using the right RegTech solution.


Chapter 4: GDPR and Organizations' Obligations

It is paramount to understand the data subject rights as defined by the new rules. However, it is equally important to get a good grip on the obligations for organizations. In this final chapter we will therefore tell you about the challenges, but also explain the opportunities that come with the obligations for organizations under GDPR.

Organizations' obligation – The challenge

Software may not be the answer to all questions, but it will help organizations to follow their obligations. It is obvious that in times of mass data processing an efficient management of the requirements cannot be achieved without the support of information technology.

Proof of Compliance

Organizations actively have to prove compliance with GDPR. They have to demonstrate their ability to manage data protection and show that they can fulfil data subjects' rights as a standard operational task.

Processes have to be implemented whose effectiveness is comprehensibly verified. Data management and good data governance will become a core capability of every company. There is a strong relationship among compliance frameworks such as data protection and information security (including IT security).

Tasks of the Data Protection Officer

The Data Protection Officer (DPO) no longer has only the duty to provide advice on matters of data protection, but must now actively monitor compliance with the GDPR and related rules and regulations. To underline the magnitude of the task, consider that not just the regulation itself is the basis for these duties but other acts as well, such as the work of the Article 29 Working Party (succeeded by the European Data Protection Board when the GDPR became applicable on 25 May 2018), which has provided a number of documents and guidelines with quasi-binding effect. Thus, companies have to build structures which allow the DPO to fulfil his/her now widened duties.

The GDPR specifies a minimal set of duties for the DPO:

• Information and consultancy
• Supervision of the company's compliance with GDPR
• Supervision of data protection strategies
• Assessment of data protection consequences (data protection impact assessments)
• Cooperation with supervisory authorities
• Risk assessment

Data governance

Compliance with GDPR comes along with the requirement of designated responsibilities, functions and an allocated budget for data protection. Hence organizations are asked to implement a wide range of measures to comply with the GDPR. Some of those are:


• Data protection by design and default
• Data protection impact assessment
• Regular audits and assessments
• Data Protection Officer
• Record of processing activities
• Training and awareness program

Breach Notification

If a breach of personal data has been discovered, companies have to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. If the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, the data subjects also have to be notified.

It is obvious that companies should have the right procedures at hand to detect, report and investigate data breaches. This is a good idea for any sensitive data, not just personal data. If companies fail to report such data breaches they will face significant administrative fines as well as liability for the damage caused.

(Joint) Accountability

Companies have to prove compliance with the GDPR. This goes beyond technical and organizational measures. Obligatory documentation requirements apply to all procedures dealing with personal data, independent of any external access. It is highly probable that additional documentation requirements will be imposed.

It is no longer an adequate data management style to 'store and forget as long as it is secure'. Companies have to take care of personal data. As soon as data are no longer necessary, delete them permanently. If the environment changes, make sure that data are still treated in compliance with GDPR. Environment in this context might mean a change of processes, of the data themselves, of regulatory requirements, or even a change in semantic meaning.

The GDPR distinguishes between controllers (including joint controllers, who determine purposes and means jointly) and processors, who act on a controller's instructions. The outsourcing of functions therefore remains possible, but all parties are made accountable in case of a compliance breach. The data controller, as the first service provider to the data subject, is especially accountable.


Organizations' obligation – The solution

So much for the challenges, but how should you tackle them? As outlined before, we believe it is important to address this to achieve a) compliance with the regulatory requirements, but also b) create additional value. eccenca's solution based on its Corporate Memory platform, for instance, supports the aspects of organizations' obligations by providing a full map of granular metadata per data subject. This map can be browsed and searched from any perspective to help resolve the new tasks that organizations face.

The map includes the links and pointers to the systems that actually manage the data and shows how things are connected, what they are used for (purposes), which are the underlying legal bases and who is data controller and data processor. Understanding the personal data landscape within a company's data processing fabric is key to demonstrating the capabilities requested.
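The metadata map described above, as an added example that is not eccenca's code or data model: a minimal in-memory triple store in Python (standard library only) holding constructed sample metadata for a hypothetical controller "org:Acme". It links processing activities to data items, systems, purposes, legal bases, controller and processor, resolves aliases of one data item via owl:sameAs so no redundant node is created, and answers the questions raised here and in the consent discussion of the previous chapter: an Article 30-style record of processing, which systems must erase an item when consent is withdrawn and which may retain it on another legal basis, where the right to object applies, and which activities need parental consent for a child. The vocabulary (gdpr:*, basis:*, act:*, sys:*, org:*), the sample organisation and the default age threshold of 16 are assumptions of the example.

```python
from collections import defaultdict

# Constructed vocabulary for this example (an assumption, not eccenca's model).
DATA_ITEM, STORED_IN, PURPOSE = "gdpr:dataItem", "gdpr:storedIn", "gdpr:purpose"
LEGAL_BASIS, CONTROLLER, PROCESSOR = "gdpr:legalBasis", "gdpr:controller", "gdpr:processor"
SAME_AS = "owl:sameAs"
CONSENT, CONTRACT, LEG_INT = "basis:Consent", "basis:Contract", "basis:LegitimateInterest"


class TripleStore:
    """Tiny RDF-style store of (subject, predicate, object) triples. owl:sameAs
    links are folded into a union-find map so aliases of one data item are
    queried as a single node instead of a redundant copy."""

    def __init__(self):
        self._spo = defaultdict(lambda: defaultdict(set))
        self._parent = {}  # alias -> canonical node

    def canonical(self, node):
        while node in self._parent:
            node = self._parent[node]
        return node

    def add(self, s, p, o):
        if p == SAME_AS:  # merge s into o; move any triples already stored under s
            a, b = self.canonical(s), self.canonical(o)
            if a != b:
                self._parent[a] = b
                for pred, objs in self._spo.pop(a, {}).items():
                    self._spo[b][pred] |= objs
            return
        self._spo[self.canonical(s)][p].add(self.canonical(o))

    def objects(self, s, p):
        return {self.canonical(o) for o in self._spo.get(self.canonical(s), {}).get(p, ())}

    def subjects(self, p, o):
        o = self.canonical(o)
        return {s for s, preds in self._spo.items()
                if any(self.canonical(x) == o for x in preds.get(p, ()))}


def build_sample_map():
    """Constructed sample organisation; every identifier here is an assumption."""
    g = TripleStore()
    g.add("data:e_mail_addr", SAME_AS, "data:email")  # billing's name for the CRM field
    for s, p, o in [
        ("act:Newsletter", DATA_ITEM, "data:email"), ("act:Newsletter", DATA_ITEM, "data:birthdate"),
        ("act:Newsletter", STORED_IN, "sys:CRM"), ("act:Newsletter", PURPOSE, "purp:Marketing"),
        ("act:Newsletter", LEGAL_BASIS, CONSENT), ("act:Newsletter", CONTROLLER, "org:Acme"),
        ("act:Newsletter", PROCESSOR, "org:MailVendor"),
        ("act:Invoicing", DATA_ITEM, "data:e_mail_addr"), ("act:Invoicing", DATA_ITEM, "data:postal_address"),
        ("act:Invoicing", STORED_IN, "sys:Billing"), ("act:Invoicing", PURPOSE, "purp:ContractFulfilment"),
        ("act:Invoicing", LEGAL_BASIS, CONTRACT), ("act:Invoicing", CONTROLLER, "org:Acme"),
        ("act:FraudDetection", DATA_ITEM, "data:ip_address"), ("act:FraudDetection", DATA_ITEM, "data:email"),
        ("act:FraudDetection", STORED_IN, "sys:CRM"), ("act:FraudDetection", PURPOSE, "purp:Security"),
        ("act:FraudDetection", LEGAL_BASIS, LEG_INT), ("act:FraudDetection", CONTROLLER, "org:Acme"),
        ("act:FraudDetection", PROCESSOR, "org:CloudHost"),
    ]:
        g.add(s, p, o)
    return g


def record_of_processing(g, controller):
    """Art. 30-style record: one entry per processing activity of the controller."""
    record = {}
    for act in sorted(g.subjects(CONTROLLER, controller)):
        record[act] = {
            "purpose": sorted(g.objects(act, PURPOSE)),
            "legal_basis": sorted(g.objects(act, LEGAL_BASIS)),
            "systems": sorted(g.objects(act, STORED_IN)),
            "data_items": sorted(g.objects(act, DATA_ITEM)),
            "processors": sorted(g.objects(act, PROCESSOR)),
        }
    return record


def erasure_plan(g, data_item):
    """Consent withdrawn for data_item: erase it from systems where consent is the
    only legal basis; retain it where another basis (e.g. contract) still applies."""
    bases_by_system = defaultdict(set)
    for act in g.subjects(DATA_ITEM, data_item):
        for system in g.objects(act, STORED_IN):
            bases_by_system[system] |= g.objects(act, LEGAL_BASIS)
    erase = {s for s, b in bases_by_system.items() if b == {CONSENT}}
    retain = {s: sorted(b - {CONSENT}) for s, b in bases_by_system.items() if b != {CONSENT}}
    return erase, retain


def objectable_activities(g):
    """Activities resting on legitimate interest, where the right to object (Art. 21) applies."""
    return sorted(g.subjects(LEGAL_BASIS, LEG_INT))


def child_consent_required(g, subject_age, threshold=16):
    """Art. 8: below the threshold (16 by default; member states may lower it to 13),
    consent-based activities need parental authorisation. Threshold is an assumption."""
    return set() if subject_age >= threshold else set(g.subjects(LEGAL_BASIS, CONSENT))


if __name__ == "__main__":
    g = build_sample_map()
    for act, entry in record_of_processing(g, "org:Acme").items():
        print(act, entry)
    print("consent withdrawn for birthdate:", erasure_plan(g, "data:birthdate"))
    print("consent withdrawn for e-mail:", erasure_plan(g, "data:e_mail_addr"))
    print("right to object applies to:", objectable_activities(g))
    print("parental consent needed (age 15):", child_consent_required(g, 15))
```

Note what the alias resolution buys: a consent withdrawal for the e-mail address resolves the billing system's `data:e_mail_addr` to the same node, so the plan correctly reports that the address is retained in billing on the contract basis and in the CRM on the legitimate-interest basis (where the subject may still object), while the birthdate, held under consent only, is scheduled for erasure. In a production deployment these queries would be SPARQL against the RDF store; the sketch only shows their shape.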

The value added through this approach comes in many forms: it builds trust and transparency towards the supervisory authorities. It creates transparency on the data protection risk situation and can serve as a nucleus for improved data governance beyond personal data. Firms achieve a higher ability to manage data protection, and the response time to audit requests becomes easier to manage.

In financial terms, the value added comes in the form of faster, cheaper and more reliable processing of SARs, lower data processing costs and lower costs of risk.

Architecture of the eccenca Corporate Memory – GDPR Solution Package

Organizations' opportunities

From an internal perspective GDPR can serve as a wake-up call to good data governance practice beyond the scope of personal data. The internal project can be designed to resolve a much broader scope of issues than only personal data management. The regulation asks controllers and processors to know what they do and what they have in terms of data. This is a valuable good practice that can improve the agility of organizations on all levels. Markets change faster than ever. Being able to adapt requires a critical level of introspective capability. If a company wants to change processes, it needs to change systems and related data, too. The better data governance and in turn data management are in shape, the higher the probability of successfully managing the general digitalization challenge that all sectors currently face.

From an external perspective, demonstrating good personal data management is ever more important to win and keep the trust of customers. With GDPR the sensitivity to good data protection will keep growing on the consumer side. Companies that fail to address this aspect will sooner rather than later notice that their customers have been given a powerful stick to beat back with, which they never had before. On the other hand, companies that demonstrate that they actively care for data protection will see a competitive advantage, because data protection will be perceived as important by a growing segment of their target groups.

Conclusion

The General Data Protection Regulation puts the rights of the data subject at the core of its requirements addressed to data controllers and data processors. Data controllers and data processors are made accountable for the care of personal data. Companies are obliged to know each and every step of the data lifecycle and the impact of daily business on data management. Now that companies also have to prove compliance with the new rules, it is important that they know which data management process is affected by which specific GDPR articles.


A Final Word

The objective of this book was to show the true value of RegTech in a practical setting. The new rules introduced by the GDPR are a perfect example of a use case that explains the opportunities of a RegTech solution rather than talking about RegTech in abstract terms. We have seen that our RegTech example, eccenca's Corporate Memory, supports key functions of personal data management by operating a comprehensive framework which relates data to procedures, systems and regulation. We have seen how innovation in the form of semantic technology helps to significantly reduce and effectively manage complexity, simplifies the management of data, and reduces operations costs and cost of risk. The outcome is impressive: transparency, reliability, trust and performance will increase organizations' competitive advantage. Besides the obligation to adhere to the GDPR, eccenca's technology opens up opportunities to support a broader range of data governance and data alignment initiatives beyond the mere scope of GDPR.

GDPR is one of the most challenging regulatory initiatives of recent times. When done right, it is a huge opportunity to win the trust of customers, creating a substantial competitive advantage in a crowded field.


About

PlanetCompliance is the leading platform for insights and in-depth analysis on Financial Services Regulation and Innovation. It's the go-to source for everyone interested in FinTech, RegTech or Blockchain and how compliance impacts business and vice versa. For more information, go to www.PlanetCompliance.com

eccenca is a software and solutions company. eccenca's next generation data management solutions are driving automation and rationalization for metadata management, data integration, analytics and data-driven processes. By turning 'strings into things', eccenca is creating meaningful and machine-interpretable knowledge graphs that allow the integrative interpretation of previously siloed data across the enterprise or even throughout value networks. To find out more, go to www.eccenca.com

© PlanetCompliance, 2018. All rights reserved.

This publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be legal or other advice.