GDPR Readiness Survey Results
With GDPR now upon us, Sia Partners have conducted a survey across banks of varying sizes to understand the progression of their GDPR compliance journey. Conducted on the eve of the regulation going live, the survey aimed to provide insight on 4 main themes:
- GDPR Readiness
- Consent & Data Subject Rights
- Third-parties & International Data Processing
- DPO & Deadline Day Expectations
1. GDPR Readiness
We asked participating banks about their current state of readiness with respect to GDPR, in addition to understanding the main areas of implementation work they are focussing on. As illustrated below, the majority of respondents are in the implementation stage, which is an encouraging indication of readiness now that the regulation has been adopted. On the other hand, one fifth of the respondents are still in the gap analysis stage, signalling their late adoption of a GDPR compliance initiative and perhaps a lack of clarity on what “good” looks like.
Which stage of the GDPR programme/project is your organisation currently at?
- 20% are still within the gap analysis stage, which signals the potential late adoption of their GDPR compliance projects
- 60% are currently in the implementation stage of their GDPR compliance journey
Which area of the GDPR implementation plan is your organisation currently working on?
Regarding areas of focus, banks are tackling multiple areas simultaneously, with the topics identified below attracting the most attention.
Only 33% of respondents are working on consent collection. This is likely due to “consent” being one of the regulation’s grey areas, and firms intending to process data under other lawful grounds.
2. Consent & Data Subject Rights
One of the aims of the survey was to identify how banks are addressing GDPR requirements towards collecting consent from data subjects, fulfilling key data subject rights and recording data processing activities. Based on the responses, we discovered that many banks are not going down the consent collection route. Those that have, however, are taking a manual approach to consent collection and fulfilling subject rights, rather than implementing automated systems or processes. This highlights the industry’s reliance on dealing with consent withdrawals or subject access requests on a case-by-case basis rather than having the technological infrastructure in place. As a result, banks may end up having to deal with potential resource capacity issues when facing a high volume of requests, as their data frameworks often rely on complex legacy infrastructures. This could lead to increasing costs and the risk of processing errors after the GDPR deadline, attracting unwanted regulatory scrutiny.
Do you intend to implement systems and processes to allow for data subjects to consent to, access, and terminate the use of their personal data?
- 58% do not intend to implement automated systems to facilitate obtaining consent and fulfilling key subject right requests.
Which of the following best describes your organisation’s approach to documenting and classifying the personal data held?
Additionally, regarding data processing records, the survey identified that banks are developing data processing registers to respond to the GDPR’s obligation towards understanding and recording data processing activities. The manual approach adopted by a large number of respondents in creating the register could lead to potential issues with respect to ongoing maintenance and ensuring the register remains relevant, up to date and not just a one-off “point in time” exercise.
- 43% are adopting a manual approach to documenting and classifying their data processing operations
- 33% stated their recording process is still ongoing
3. Third-party Data Processing & International Transfer
The GDPR outlines specific guidelines around understanding and recording an organisation’s third-party data processing operations. Again, many banks are opting for a manual approach, in this case to develop third-party data processing registers to address these requirements.
How is your organisation documenting and classifying the use of personal data shared with third-party organisations?
- 60% of respondents are developing a third-party data documentation register, but this is still in progress.
- 20% are taking a manual approach towards completing their third-party data registers.
- The remaining respondents are either taking an automated approach towards completing their third-party data registers or are allocating the task to the associated third-party.
Does your organisation have any data sharing agreements with third-parties and have they been updated to reflect the GDPR requirements?
The regulation also requires organisations to utilise data sharing agreements with their third-parties to ensure that the personal data being shared is processed in a compliant manner. These agreements can be viewed as the only line of defence against any punishable mishandling of personal data carried out by third-party processors. As a result, more than half of the banks polled are in the process of changing their data sharing or service agreements with their third-party vendors to guarantee protection and compliance, while only one fifth have already completed their updates.
- 20% of respondents have already completed their data sharing agreements
- 55% of respondents are in the process of updating their data sharing agreements
Which of the following best describes your organisation’s international data processing and storage operations?
Internationally, the regulation allows for the safe transfer of data to countries outside of the EU, provided those countries either (1) have appropriate safeguards (“privacy shield contract”) in place or (2) possess adequate data protection laws as classified by the European Commission. Countries such as the USA, Canada, New Zealand, and Argentina, among others, are present in both permitted categories. However, most banks have stated that they currently transfer data to countries outside of both categories, potentially leaving them exposed. Consequently, polled banks that operate in countries outside of the EU have chosen to adopt a risk-based approach towards compliance, as they plan to prioritise their compliance actions based on their corresponding levels of risk.
If you are operating in countries outside of the EU, how are you approaching GDPR compliance within these locations?
- 58% of respondents operating outside of the EU are taking a risk-based approach
4. DPO & Deadline Day Expectations
Data Protection Officer (DPO) allocation has been a hot topic heading into the pre-deadline period of the regulation, as organisations have struggled to assign a suitable and adequately skilled DPO while also avoiding any reporting conflict of interest. More than half of the banks believed that the DPO should sit within the Compliance department. This was also the viewpoint of the majority of our financial services clients, most likely due to their existing skillset and regulatory background.
Where does your organisation believe the Data Protection Officer (DPO) should sit within your organisational structure?
- 62% of banks believe that the DPO should sit within the Compliance department
What level of compliance does your organisation expect to be at by the regulation’s deadline of May 25th?
As you can see from the figure below, almost half of the banks are mostly compliant and nearing the end of their implementation phase. Conversely, a quarter of the respondents are partially compliant with significant and ongoing work still outstanding. The deadline day expectations of the polled banks represent the industry’s approach to GDPR compliance: while banks hold a considerable amount of personal data, they have also become accustomed to responding to new regulations, which ensured that GDPR was on their agendas early. However, numerous grey areas still exist within the regulation, such as consent vs alternative lawful grounds, fulfilling data subject rights (e.g. the right to be forgotten), and third-party data processing liability; these are likely to be clarified after the regulation’s deadline, once enforcement cases have been applied.
- 6% of respondents believe that they will be significantly far from compliance, with substantial work needed and an unknown end date
- 25% of respondents believe that they will be partially compliant, with significant activity planned well into Q3 and potentially Q4
- 44% of respondents believe that they will be mostly compliant, with full compliance to be achieved by the end of Q2/early Q3
- 25% of respondents believe that they will be fully compliant by the regulation’s deadline
This survey has confirmed both the banking industry’s uncertainty towards specific aspects within the regulation, and the wide adoption of a risk-based approach in tackling its key requirements. Now that the regulation is effective, it will be interesting to see how banks will continue to deal with the risks posed by the regulation’s grey areas and subsequent enforcement. Regarding GDPR, it is safe to say that there are no absolutes!