The General Data Protection Regulation (GDPR, EU Directive 95/46/EC) which is coming into force on 25 May 2018, will standardize and increase the protection of personal data throughout Europe. Its overriding goal is to return the control of personal data to EU citizens and residents, and at the same time imposing significant sanctions for non-compliance (up to EUR 20m or 4% of the total worldwide annual turnover).
GDPR significantly increases the existing data protection requirements by extending the territorial scope, the rights of individuals and the specific obligations of financial institutions:
We have previously published a more detailed introduction of the GDPR scope, its major implications and changes for financial institutions as well as a recommendation for a three-step implementation approach on this platform (see: https://www.bankinghub.eu/banking/finance-risk/general-data-protection-regulation).
For financial institutions with complex interrelated systems, timely GDPR compliance will pose a major challenge. In fact, most institutions have already launched initiatives to identify GDPR gaps and to define the measures required to achieve compliance. One of the major challenges for each institution, however, is to define its individual target compliance ‘level’, since the regulation leaves a wide scope for interpretation and recommends a tailored approach that takes into account the results of a privacy impact assessment.
Therefore, each institution has to address many individual issues in the course of the GDPR implementation. This article focuses on how to implement the ‘right to erasure’ (also referred to as ‘the right to be forgotten’).
Right to erasure
GDPR Article 17, paragraphs 1 and 2 state the specific grounds for the right to request erasure of personal data. Of these, points (a) to (c) of paragraph 1 in particular are applicable to financial institutions:
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay… where one of the following grounds applies:
(a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) The data subject withdraws consent…
(c) The data subject objects to the processing…”
Within the same article, point (b) of paragraph 3 refers to other legal obligations, which may overrule the right to be forgotten:
“Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a)…; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller…”
This not only obliges institutions to manage and control the purpose and consent of processing personal data for every individual in all relevant cases, but also to be aware of further laws that interact with GDPR and the retention periods they impose. The main reasons for keeping personal data lie in the codes of commercial law, yet there are many other exemptions which overrule the right to be forgotten, at least for a specific period.
The simple example of customer ‘John Doe’ who holds several active bank accounts and is asking for erasure of his personal data, illustrates this challenge:
This example shows that the simple classification of data belonging to a ‘current account’ or to ‘marketing data’ does not provide sufficient information for a decision on whether the data must or can be erased immediately or not, as there might be an overlap. The data of transactions belonging to the current account might be used to analyse the behaviour of John Doe and thus (in combination with other data) support individual marketing offers, as highlighted in green in the next figure:
In this example, the information about a withdrawal or a credit card transaction is used for marketing purposes. At the same time, it is crucial for a financial institution to retain this information for the length of the retention period, in order to be able to prove the integrity of its balance sheet and of the processed transactions. Furthermore, this information may be required for other purposes, such as the prevention of money laundering, fraud detection, etc. As a result, because the customer has revoked his consent and asked for data erasure, processing of personal data for marketing purposes is no longer allowed, but due to other obligations or longer retention periods, the data itself cannot be erased just yet.
The example shows that GDPR requires institutions to achieve a much deeper understanding of the purpose for which personal data is kept. In order to do this, each item of information will need to be classified, not only by its purpose but also by the source from which it has been collected. These data classes then need to be validated against the applicable law and related retention phases.
We finalise this short example by outlining a high-level data erasure process in the following figure:
To implement an effective data erasure process, institutions need a comprehensive end-to-end view of all processes and systems dealing with personal data, while keeping in mind that this regulation is not only another regulation to deal with, but also a piece of the customer experience puzzle, i.e. an opportunity to demonstrate that the institution is ‘best in class’ in dealing with customer requests. In order to keep the customer as a main asset, institutions need to implement appropriate channels to capture requests and to keep the customer informed, especially about which data have been deleted and about any exceptions, including the reasons. At the same time, details of customer requests need to be managed, the relevant data items and their location need to be made transparent, and the checks on whether the data can be erased or not need to be carried out, all before any data can be erased. If exemption rules are identified, this may delay the erasure of data. Where third parties are involved, they must be informed of the erasure request and must provide confirmation as well. Each of these execution steps can be very time-consuming and cause significant manual effort if the institution has no adequate tools to support the process.
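The decision logic of the erasure process described above, worked through in code as an added example (it is not part of the original article and not a tool of the author's). Each data item carries its purposes, its source and storage location, the legal obligations that require retention, and the third parties it was shared with; the request is then resolved into ‘erase’, ‘restrict’ (the record stays, but consent-based processing such as marketing stops) or ‘retain’, and a customer notice lists what was deleted and the reasons for each exception. All item identifiers, systems, retention bases and dates are constructed for the illustration; the consent-based purpose set and the hypothetical third party are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Purposes that rest on the customer's consent (assumption for this example):
# once consent is withdrawn they must stop even if the record cannot be deleted yet.
CONSENT_PURPOSES = {"marketing"}


@dataclass
class Retention:
    """A legal obligation that requires keeping the item until a given date."""
    basis: str
    until: date


@dataclass
class DataItem:
    item_id: str
    category: str                      # business classification, e.g. 'current account'
    source: str                        # where the data was collected
    system: str                        # where the data is stored
    purposes: set                      # purposes the item is *currently* processed for
    retentions: list = field(default_factory=list)
    third_parties: list = field(default_factory=list)


def decide(item, request_date):
    """Resolve one item into 'erase', 'restrict' or 'retain' for an erasure request."""
    active = [r for r in item.retentions if r.until > request_date]
    stop = sorted(item.purposes & CONSENT_PURPOSES)      # consent-based use must stop now
    other = sorted(item.purposes - CONSENT_PURPOSES)     # purposes not based on consent
    base = {"item_id": item.item_id, "system": item.system, "stop_purposes": stop}
    if active:
        # A statutory retention period is still running: keep, but block consent-based use.
        bases = ", ".join(sorted(r.basis for r in active))
        return {**base, "action": "restrict",
                "reason": "retention required by " + bases,
                "review_date": max(r.until for r in active)}
    if other:
        # No retention obligation, but the item is still necessary for another purpose.
        return {**base, "action": "retain",
                "reason": "still necessary for " + ", ".join(other), "review_date": None}
    return {**base, "action": "erase",
            "reason": "no remaining purpose or legal obligation", "review_date": None}


def process_request(items, request_date):
    """Run the decision for every item of one data subject and build the erasure report."""
    report = {"erased": [], "exceptions": [], "notify_third_parties": set()}
    for item in items:
        d = decide(item, request_date)
        if d["action"] == "erase":
            report["erased"].append(d["item_id"])
        else:
            report["exceptions"].append(d)
        # Third parties must be told whenever data is erased or consent-based use stops.
        if d["action"] == "erase" or d["stop_purposes"]:
            report["notify_third_parties"].update(item.third_parties)
    return report


def customer_notice(report):
    """Lines for the reply to the customer: what was deleted, and each exception with reason."""
    lines = ["Deleted: " + (", ".join(report["erased"]) or "nothing")]
    for d in report["exceptions"]:
        line = f"Not deleted ({d['item_id']}): {d['reason']}"
        if d["stop_purposes"]:
            line += "; no longer used for " + ", ".join(d["stop_purposes"])
        if d["review_date"]:
            line += f"; next review {d['review_date'].isoformat()}"
        lines.append(line)
    return lines


# Constructed sample: customer 'John Doe' asks for erasure on 2018-06-01.
REQUEST_DATE = date(2018, 6, 1)
JOHN_DOE_ITEMS = [
    DataItem("txn-2017-0042", "current account transaction", "core banking", "core-banking",
             {"account management", "marketing"},
             retentions=[Retention("commercial law record keeping", date(2027, 12, 31))]),
    DataItem("mkt-profile-7", "marketing profile", "web analytics", "crm",
             {"marketing"}, third_parties=["mailing-provider (hypothetical)"]),
    DataItem("loan-2005-0003", "closed loan file", "branch", "archive",
             set(), retentions=[Retention("commercial law record keeping", date(2016, 12, 31))]),
]

if __name__ == "__main__":
    for line in customer_notice(process_request(JOHN_DOE_ITEMS, REQUEST_DATE)):
        print(line)
```

The transaction record stays because its retention period runs until the end of 2027, but its marketing use is switched off immediately; the marketing profile and the loan file whose retention period has expired are erased, and the mailing provider is added to the notification list. Making the review date explicit is what turns a one-off decision into a replicable process: the same item can be re-evaluated once the obligation lapses.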
Most institutions will not have implemented an ‘ideal’ supporting tool before May 2018. Therefore, they will have to use manual processes for data erasure. Looking into the future, new systems (either third-party or internally designed) that provide APIs to support data erasure should become available. The more challenging part, however, seems to be the collection (and maintenance) of all the metadata required to compile the list of relevant data items affected, in combination with the exemptions. To do so, financial institutions need to implement a comprehensive view of all data belonging to individuals (e.g. as part of an extended business glossary according to BCBS 239) as well as the data location and its purpose. Furthermore, they must include the information on whether individuals have given or revoked their consent to process and keep data.
This metadata can be enhanced to provide information on user access, data breaches, third-party interfaces, etc.
GDPR clearly has the potential to keep financial institutions busy for a while, not only with achieving compliance by May 2018, but also with fully optimising their solutions to a mature and efficient level. The topic of data erasure discussed in this article will require weighing several options and decisions, with full consideration of the costs and benefits within the existing IT architecture.
Given the May 2018 enforcement date, we can assume that the possible target state will not be reached for all systems and processes. We therefore strongly advise financial institutions to implement their tactical response to GDPR with the roadmap for the future development of the organisation and IT landscape in mind. This approach particularly holds true for the right to erasure, which, in the short term, may only require a defined and tested manual process that is also transparent, replicable and efficient.
Despite the effort and challenges, however, it is possible to spot opportunities within GDPR. Financial institutions are well advised to focus and concentrate on these. Data is often mentioned as the “gold of the 21st century”. Therefore, showing customers how seriously an institution takes its control over their customers’ data will be fundamental in “mining this gold”.