Customer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)


Contents
- Glossary
- GDPR Geographical Scope
- GDPR implementation status
- Overview of GDPR
- Financial Institutions and the GDPR
- Main areas of the GDPR
- GDPR Applicability
- DPD and GDPR
- Strategy from Temenos for GDPR
- Customer Data Protection
- Contacts

Glossary
GDPR = General Data Protection Regulation
DPD = Data Protection Directive
DPO = Data Protection Officer

GDPR Geographical Scope
The GDPR directly affects organisations established inside the European Union. Any institution based within the EU must recognise that personal data is to be processed in accordance with the GDPR. However, the scope of the Regulation also extends to businesses established outside the EU if they provide services to, or monitor the behaviour of, individuals within the EU.

GDPR implementation status
4th May 2016: Adopted
25th May 2018: To be enforced

Overview of GDPR
The European Parliament and the Council of the European Union have published the GDPR to replace the outdated terms of the Data Protection Directive from 1995 with updated regulations that reflect the advancement of modern technology. A focal point of the GDPR is the processing of personal data. In banking, large amounts of personal data are held and processed for business purposes such as financial transactions and marketing. Going forward, the Regulation will ensure the lawfulness, accuracy and legitimacy of all personal data that is stored and subsequently processed by businesses. The GDPR strengthens a number of rights for individuals and gives them greater control over their personal data. The Regulation provides a framework for businesses to ensure a consistent approach to data protection across the EU. The legislation will be in force from 25th May 2018, and there is an expectation that financial institutions already have a solid data protection policy in place owing to previous and existing data protection legislation. However, the GDPR brings a number of new challenges that banks will need to overcome to be compliant as of May 2018.

Financial Institutions and the GDPR
The overview of the GDPR project is summarised by the following analysis, answering four important questions.

WHAT does this mean for banks?
Financial institutions process huge amounts of personal and sensitive data. Personal data held on customers (both current and former) who are bound by contract is pertinent. However, the safeguarding of data is also relevant to individuals who may not be direct customers of the bank but have shared personal information, for example on platforms such as online chat-bots or other channels. The method of collecting personal data (and its ongoing processing) is to be reformed under the Regulation. Customers have the right to know exactly what data their bank stores about them, the purpose for which it is held or processed and, if applicable, who this information is shared with. It is a legal obligation for businesses to process data in accordance with the Regulation or face penalties of up to €20 million or 4% of global annual turnover, whichever is the greater amount. Breaches are to be notified to the supervisory authority by the data controller within 72 hours. Large penalties and potential reputational damage could be detrimental to businesses, so it is key for banks to maintain a good reputation for data protection and, more importantly, retain customer trust.

WHO is affected?
The GDPR affects all businesses that process data of EU citizens. Therefore, all banks and financial institutions are required to comply with the Regulation. Any bank providing services within the European Union, or to individuals within the EU, will need to consider their customers as data subjects within scope of the Regulation.

WHEN will the Regulation be enforced?
The General Data Protection Regulation will be in force from 25th May 2018. It is essential that organisations are compliant with the GDPR, with adequate policies in place, prior to this date to avoid hefty penalties.

WHY is this regulatory change needed?
Digital growth has caused an influx of data creation. Recent technological advances have left the terms of the previous Directive outdated and inadequate. Technology considered fundamental in banking today did not exist at the time the previous Directive was enacted; combined with the expansion of FinTech, this means an updated Regulation is required to accommodate the evolution of technology. In the age of EU-wide digital data flows, the GDPR gives data subjects confidence in the free movement of data. The Regulation comes into direct effect within each country of the EU, standardising the approach to data protection in all EU Member States.

Main areas of the GDPR
The Regulation sets out a number of rights for data subjects. The right to:
- Be informed
- Access
- Erasure (to be forgotten)
- Rectification
- Restrict processing
- Data portability
- Object
- Rights related to automated decision making and profiling

The Right to be Informed
Banks are required to inform their customers exactly what data is stored on them, how it is processed, and who it is shared with.

The Right to Access
A customer is able to submit a Subject Access Request to request a copy of all their personal data that is held by the bank.

The Right of Erasure (Right to be Forgotten)
A bank must erase personal data held on a customer or individual when there is no longer a lawful purpose for holding the data.

The Right to Rectification
If there is a concern regarding the accuracy of personal data held on a customer, the customer has the right to request that these inaccuracies are investigated and rectified.

The Right to Restrict Processing
If a customer believes data held is being processed illegitimately, a restriction on data processing can be applied until its processing is validated.

The Right to Data Portability
Banks are required to provide a customer with data previously provided to the bank by the customer, free of charge and in a commonly used, machine-readable format. This should be provided directly to the customer or ported externally by the controller on request of the data subject.

The Right to Object
A customer is able to object to certain processing of their data. Objections should be logged and exercised if appropriate, but can be overridden by the bank where there is legitimate reasoning.

Rights Related to Automated Decision Making and Profiling
Automated decisions are not definitive and can be queried by customers if the result can legally or significantly affect them in any way.

Recording Consent
Where the bank is processing data on the basis of consent (e.g. for direct marketing purposes), the consent must be unambiguous and specific, given separately from other matters, and use clear, plain language. The consent must be recorded.

Transfer of Data Outside the EU
Banks may only transfer personal data outside the EU if they comply with the requirements of the Regulation and thereby ensure there are adequate safeguards in place to protect the data.

GDPR Applicability
[Flowchart, summarised: Start. A bank based in the EU (as data processor or data controller) is in scope of the GDPR. A bank based outside the EU is in scope if it provides services to, or monitors the behaviours of, data subjects within the EU; otherwise it is not in scope. For a bank in scope, processing is lawful under the GDPR only when it is based on a legitimate, legal, consent or contractual purpose; otherwise storing or processing the data is illegal. Surrounding elements: GDPR enforced 25th May 2018; Customers = Data Subjects; Data Minimisation; Privacy Impact Assessments; Appoint Data Protection Officer; Privacy by Design; and the data subject rights to Access, Be Informed, Portability, Rectification, Erasure, Object, Restrict Processing and Rights related to automated decision making and profiling.]

This is a high-level overview of the applicability of the GDPR and is not intended to be relied upon. Banks must take their own legal advice on the applicability of the GDPR. This is not legal advice and is provided for illustrative purposes only. Any financial institution must do its own investigation to understand the applicability of the Regulation to its business.

Key differences between the DPD (1995) and the GDPR

Directive vs Regulation
DPD: The Directive set a generic level of data protection principles to be achieved. Each Member State devised its own laws and sanctions, meaning procedures and implications were inconsistent throughout the region.
GDPR: The Regulation is binding legislation coming into effect within all EU Member States. This means data protection laws should be harmonised across the EU. However, it is worth noting that there still remain areas of derogation for each Member State (e.g. law enforcement).

Personal Data definition (and other terminology)
DPD: The definitions and terminology, such as "personal data", are broad, unspecific and outdated.
GDPR: The definition of personal data is expanded to be more relevant to current technology, i.e. the inclusion of IP addresses and biometric data as personal identifiers. The specificity of definitions within the document is modernised.

Rights (and consent)
DPD: A number of rights outlined for individuals.
GDPR: A number of rights are highlighted and enhanced for data subjects. A higher requirement of consent is cited throughout. Pre-ticked boxes or silence do not signify consent.

Breach notification and fines
DPD: As a result of the Directive, EU Member States published their own terms for breaches and fines, with no limit or guidelines as standard.
GDPR: All data controllers are required to inform the relevant supervisory authority of any data breach within 72 hours. Harsher fines and sanctions are imposed to act as a more serious deterrent to misconduct; fines of up to 4% of annual global turnover or €20 million can be sanctioned for breaches.

Liability on Data Controllers and Data Processors
DPD: Only data controllers could be held accountable for breaches.
GDPR: Processors can also be held accountable for data breaches; a contract with the data controller is required to process data.

Privacy by Design, Privacy Impact Assessments and Accountability
DPD: No defined strategy for general approaches to data protection or governance within organisations.
GDPR: A Data Protection Officer (DPO) is required to be appointed within organisations (when specific conditions are met). Companies must adopt practices to ensure processes give greater assurance in relation to the privacy of individuals. For example, privacy impact assessments must be undertaken prior to commencing processing, and pseudonymisation and encryption must be considered. Systems must be designed with privacy in mind, with settings defaulting to maximise privacy.

Geographical Impact
DPD: Extended only to EU Member States and was no more expansive in its territorial reach.
GDPR: EU law affecting any company that provides services to, or monitors the behaviours of, individuals within the EU or its citizens. Adequate levels of data protection are required when transferring data to countries outside the EU. If there is uncertainty, specific authorisations may be required.

Strategy from Temenos for GDPR

How can Temenos help?
Applying our functional and technical understanding of the rules of data protection and our experience of working within the financial sector, we are able to assist clients in analysing their business models to help them understand the practical and financial implications of the new Regulation, and to develop strategies for dealing with those implications within their usage of Temenos products. With the arrival of the GDPR, it is more important than ever to plan for the impact of regulatory rules and design an efficient response. Temenos can assist with our knowledge and experience. Our experience in developing and implementing regulatory solutions at various banks across the globe will benefit our clients, assisting them to meet regulatory obligations with limited disruption to their business.

Key offerings as part of the Customer Data Protection module in Temenos Products
Temenos aims to provide a system that will assist a company's capability in maintaining personal data and complying with the Regulation, enabling the rights of data subjects to be exercised in a simple and intuitive way. New functionality will be provided that addresses potential gaps identified in data protection impact assessments our clients may recently have undertaken. The Customer Data Protection module will provide clients with more functionality, and therefore more control, over personal data and its processing throughout the systems. Privacy by Design is fundamental to implementing banking solutions that manage personal data. The module will include:

Definition of Personal Data
Temenos functionality allows the bank to set a customisable definition of personal data, permitting the bank to manage and track such data. A predefined list of applicable fields holding personal data (including name, location data, etc.) will be provided and can be tailored per client to include company-specific or local data that will be affected.

Recording Consent
The module will provide a configurable consent management system, allowing different levels and types of consent to be recorded.

Data Erasure
The module will enable the logical erasure, from the Temenos system(s), of personal data that clients decide is no longer legitimately required to be held.

Reporting
Customisable reports will be available, with output that can be exported into machine-readable formats to satisfy Subject Access Requests and allow data portability.

GDPR Processing
Additional functionality will be available to assist regulatory-compliant processing, such as exercising objections or restrictions. A data request management tool will be provided to log and track rights requests made by data subjects.

Customer Data Protection module
The module is structured around four steps:
1. Data Capture. Recording data? The purpose and basis of processing: consent or otherwise.
2. Identify Personal Data. What data do we store, where and why? A metadata model that defines personal data within Temenos systems.
3. Define Action. What actions do we need to take if a subject right is exercised? A set of processing rules for when data subjects' rights are invoked.
4. Implement. How is that carried out in each product? Provision of specific tools that implement the requirements within each product.

Temenos Customer Data Protection module
The Temenos Customer Data Protection module will provide the tools and functionality to assist a financial institution's compliance with the General Data Protection Regulation. It is the responsibility of the financial institution itself to ensure internal policies and procedures are in place across all systems to ensure compliance.
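To make the four-step design concrete, here is an added example (constructed for this page, not Temenos code) that ties a personal-data metadata model to recorded per-purpose consent, processing rules for invoked rights (restriction, access and portability export, logical erasure with retained contractual fields) and a request log; the field names, record layout and retention flags are assumptions.

```python
"""Constructed example (not Temenos code) of the four-step design above:
a personal-data metadata model, recorded consent, processing rules for
invoked rights, and a request log. Field names and the record layout are
hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Step 2: metadata model. The bank tailors this list; "retain" marks fields
# that must survive erasure because a legal or contractual purpose remains.
PERSONAL_DATA_FIELDS = {
    "name":       {"category": "identity", "retain": False},
    "address":    {"category": "location data", "retain": False},
    "ip_addr":    {"category": "online identifier", "retain": False},
    "account_id": {"category": "contract", "retain": True},
}

@dataclass
class Customer:
    record: dict                                  # the stored customer record
    consents: dict = field(default_factory=dict)  # purpose -> True/False
    restricted: set = field(default_factory=set)  # purposes under restriction
    erased: bool = False

REQUEST_LOG = []  # Step 4: every exercised right is logged for tracking

def _log(cust, right, outcome):
    REQUEST_LOG.append({"customer": cust.record["account_id"], "right": right,
                        "outcome": outcome,
                        "at": datetime.now(timezone.utc).isoformat()})
    return outcome

def record_consent(cust, purpose, given):
    """Step 1: consent is specific to one purpose and recorded; absence of a
    record is treated as no consent (silence does not signify consent)."""
    cust.consents[purpose] = bool(given)
    return _log(cust, f"consent:{purpose}", cust.consents[purpose])

def may_process(cust, purpose):
    """Step 3: processing rule - recorded consent, no active restriction,
    and the subject has not been erased."""
    return bool(cust.consents.get(purpose) and purpose not in cust.restricted
                and not cust.erased)

def restrict_processing(cust, purpose):
    """Right to restrict processing: hold the purpose until validated."""
    cust.restricted.add(purpose)
    return _log(cust, f"restrict:{purpose}", True)

def _personal_subset(cust):
    # Only fields tagged as personal data, not the whole record (so internal
    # values such as balances or risk scores are not disclosed).
    return {k: v for k, v in cust.record.items() if k in PERSONAL_DATA_FIELDS}

def personal_data_of(cust):
    """Right of access (Subject Access Request)."""
    _log(cust, "access", True)
    return _personal_subset(cust)

def portability_export(cust):
    """Right to data portability: the same subset in a machine-readable
    format (JSON here)."""
    _log(cust, "portability", True)
    return json.dumps(_personal_subset(cust), sort_keys=True, indent=2)

def erase(cust):
    """Logical erasure: blank personal fields with no retention basis, keep
    the rest of the record, and block further processing of the subject."""
    for name, meta in PERSONAL_DATA_FIELDS.items():
        if name in cust.record and not meta["retain"]:
            cust.record[name] = None
    cust.erased = True
    return _log(cust, "erasure", True)
```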

Contacts
For any further queries and interest in getting the Customer Data Protection Solution in Temenos Core Banking, please get in touch with:

Peter Ryan
Product Manager
Temenos UK Ltd, 5th Floor, 71 Fenchurch Street, London EC3M 4TD, UK
T: +44 20 7423 3700
D: +44 7766 088896
E: pryan@temenos.com

Rachel Vardon
Business Analyst
Temenos UK Ltd, 5th Floor, 71 Fenchurch Street, London EC3M 4TD, UK
T: +44 20 7423 3700
D: +44 20 7423 3749
E: rvardon@temenos.com

TEMENOS is a registered trademark of Temenos Headquarters SA. © 2017 Temenos Headquarters SA - all rights reserved. Warning: This document is protected by copyright law and international treaties. Unauthorised reproduction of this document, or any portion of it, may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under law.