Dr. Karsten Kinast - Preparing for GDPR: Key Aspects and Best Practices for Financial Services

Thank you for the warm welcome for reading the reliable source that's on YouTube judge. I was asked to give a keynote today on the key aspects and best practices for financial services. I probably will not be able to complete that task because there is so many things to say to do. There are so many tasks to fulfill. If you're a band, if you're any financial service in this changing environment, but I'm trying to give you some thoughts on what is still true.

What probably was true when no one else talked about it and what probably will be true in the future and what you should not forget overall, when thinking about the GDPR is that everything needs to be in relation to whatever you do. So if someone keeps telling you what you have to do, and there is no choice, rethink it, and question yourself, question what you are doing and then put it into relation, whatever that means for GDPR, for the particular point. Many people keep forgetting that, and they're looking for abstract guidance. That's true for everyone. This does not exist.

So it's about rethinking your data flows and acting in accordance with what's your personal aid and your personal purposes while working with your personal data. Having said this, I would like to bring this back to some basic thoughts first and develop some further ideas that you maybe find helpful first, for those who haven't thought of really a lot about GDPR and now are starting to understand that it's really a hype that will not probably seize around may, but much later.

Some, some ideas why this seemingly is, was important to have as a piece of law, we have had data protection on a European level since around the year 2000, but it was not really truly harmonized, even though back then, they tried to tell us it was more and more throughout the last years, we realized that throughout the whole European union and the completely a rules were so very different.

So the EU harmonization was the major goal that we had the businesses outside, the EU that we wanted to bind because we realized that even the next legislators realized that finally data's flowing all around the world in a fairly good speed and in a good, transparent manner. And as part of globalization, the businesses outside the EU certainly had to be captured at the latest when the safe Harbor fell some years ago. I think it was the point when this really became a major point to speed. This whole GDPR legislation initiative up let's strengthen the existing data protection standards.

That's a very general idea, but certainly that's still the aim. This is what the legislature wants.

We, they want to be stronger and stricter on it. And I will be talking about finances as everyone has been doing it, but this is real idea behind it because there was a law and there was some effort, but it wasn't harmonized. And it wasn't really a big effort of the economical societies and of all players around there, including the authorities that were understand and still are today. So this is on the agenda now, and this is the first point that has been reached by the GDPR. This is a mere interest that has been already reached in before may and then the adaption to digitization.

If we're talking about agile banking, which is a big task that I have to work and find out lot about these days from a legal perspective, GDPR, as hindering as it may appear sometime for businesses, it will help us to survive visualization of banks in general and of other businesses. Of course. So I have been working on it and I see complete completely what can be hindering for businesses, but for meeting digitization requirements, GDPR is really a lucky source. So the key aspects of the GDPR are after all.

And why we are talking about this today is probably why there is a larger scope of application and draconian fines with regard to the scope of application. I think this is somewhat a political issue as well. We have had so many acts deriving from the us that where, and are still applicable on many areas of the world, including the EU. And this has never happened the other way around. So with the GDPR, maybe by analytical coincidence, it could have been any other field of law where this would have happened with the GDPR.

We have the first piece of law that aims as of aims to being applied wherever, as soon as European data is held or used or reported or whatever, it may be handled in a general way, this GDPR will have to apply. Certainly there will be difficulties in mitigation and practical mitigation and legal mitigation and enforcement, but this is the aim. And I think this will keep us busy for the longest time because areas around the world need and, and trade zones around the world will have to comply with the GDPR. And they're not having had yet a very good guidance on this.

I believe we have started to receive more guidance by the authorities in December only non EU businesses after all are therefore subject of the, the GDPR. And I think this is the major change. The first customers we had as a law firm on GDPR, where now your customers, I guess that was for the draconian fines. And you have heard about this more than once, but I need to explain for maybe the one person hasn't heard, it's 4% of the annual turnover. That's the one and only good reason to work with GDPR for many people. So this is probably why we are here too. I've tried to gather some rules.

What rules should we apply when being compliant or trying to become compliant with the GDPR? We have to assure transparency. I think everyone's talking about privacy by design privacy, by default, that is old rules with new terms, it's old wine and new bottles German saying says, so we have a short transparency and transparency is only there. If there is knowledge, if you know what you're doing, you can grant transparency. So the reason why transparency according to the European lawmaker is that important is because they had the impression that people don't know literally what they're doing.

What kind of information is there? How is it being used? What's the purposes? How long will I be able to keep it? And this is why transparency is the real change on GDPR. That's a very broad task, obviously, and it's really different. And this is what my introductory note was about. It's very different. It means something completely different for all of you, even though the law is the same, you have to question yourself, where does my data derive from? Where did it derive from in the past? And what am I doing with it now and in the future and how will I maintain it transparent.

And how am I staying ready to answer question on where did I get this data from? And what did I do with it? And where did I report it to? And who had it, who had, who has access to? So I understand what you're doing. Documented. The documentary part is evident. The core aspect of transparency, because if there is no documentation, there will no not be a transparency in the understanding of the law. And at the end, make it transparent where even necessary. If it's not necessary, there is an obligation. And if you make your data flows transparent, then it may harm yourself.

Obviously it may even be a decade protection bridge. If you, if you're being too transparent in the wrong places, document documentation obligations. According to article 30, GDPR has been strongly recognized by all different businesses for a bank. That's really different for everyone in the financial sector. That's really difficult, excuse me, because it's about understanding everything that's on your it applications and the difference too, before. And some of the jurisdictions had something similar to this in Europe.

The difference to the situation before is that now you have to make evidence how your work stream is the whole data circle and the lifetime circle of data must be made transparent. It must be changed. If this has changed, if your behavior changes, you need to change documentation. So if I was an authority checking on you, I was probably first thing coming up to you and wondering if you had documented all your applications, and then you have questions like what's an application, where does this start? Where does it end? This is not anything we should lose too much time about the D part.

It's important to make the, these, these authorities understand what are you doing and why are you doing it? Why do you believe this is okay? And elicit action. Where do you have this information from? And which application is it? And where is it being brought to afterwards? And an agile transformation. This may be even more difficult because it's not as definable and as obvious, but it must be part of the definitely process. If you change your business business terms and business processes, then transparency is important. Also for the consent.

The consent is something I would hardly try to hardly ever to rely on. Cause the consent is withdrawal without any reasons at any point of time. So if you have a consent, it may be withdrawn today or tomorrow and you must follow it right now. So consent. If you base your data, transferring it on your data, handing on it is a very weak situation. There's alternatives. There is contracts, there's legitimate interest. Other things like that that you always can use as a source, but I would never work on a consent if that was not necessary. Transparency is also important.

If you are talking about the information of processing and this is next to the general transparency idea, something that people really need to understand information on processing means, again, you need to know, and you need to tell, and anyone can ask you every day. What are you doing with my information to a very large extent and to a very deep understanding. So everything must be very clear front, but if someone asks, it must be even more in detail. So these are things that are to be said about transparency. Second rule would be the capture of third party vendors legislation.

And the next venture has understood that no one these days does anything else, but it's core capacity and it's core activity. And even that is outsourced. Sometime things are outsourced. There is a work bench all around the world and the third party band used to be a black hole. And this is why this is so important. The black hole needs to be enlightened. Understand who's doing what for you and understand that there is a contract and use it because you also understand that there is a liability and a strong liability.

Now for your managers, if you don't change your contracts, you will stick with liability on the GDPR terms. If you remain with the old contracts that will not help a lot. So have those written agreements in place may be your form or the form probably is not the decisive question.

Rule, number three, detect and react. If all of this has worked, if you don't have your transparency mind, if you haven't taken care of your vendors and all the other issues that I could have mentioned for this detect and react, because authorities are institutions that you can talk to, they understand the situation that there is a transformation. That business is running really fast, especially in banks.

I do realize that really there are understanding of the needs of the markets, but if you don't have measures in place to detect what's wrong with your organization, and why did you have that data breach? Why were you hacked here? Why did you have something else not going right? Why did you send information to the wrong person? Why was there anus that shouldn't have been there? You must react. And don't question yourself. You bring this to the attention of the authority, even though potentially this is nothing that the law requires you to do.

You do this data protection, you wouldn't do it in other fields, but you interact because you never know if you know the whole mountain of bridge. And if there's maybe an iceberg in the article, that's even lowered below and very big, and you have already had an accident with it. If you've seen little things, you start to communicate this at an informatory level and you built up a relation. So that's probably because everyone possibly has a breach. The most important thing to notice. So notifications must be within 72 hours. If there is holistic breach, that's really fast.

I don't know if a single organization would say that's easy. Everyone struggles that. So this is why to maintain a good relationship before maybe 70, 73 hours. And you still are okay, because you have been in good terms with it.

This is, this is really true. Even the law appears to be stricter. So we have those three rules, which I would like to highlight the transparency, third party vendors and the detect and react policy. How to realize it. You must control your data. And probably that's a very simple message, but it's a message that I find not to be understood wherever. I see so many organizations in the banking environment and beyond it, people don't control their information.

They're trying to do checklists for the GDPR and have policies, which is nice, but they don't control their information on towards third party vendors and vendors and inside the organization. So GDPR compliance means control. If you're don't control the information, you will never comply to GDPR. So it's about transparency towards yourself after all, not only towards third parties. So how should I do that?

Some examples out there data masking would be an excellent idea because if you anonymize information and anonymization is only true, if you cannot regain the relation between information and person, that's only then anonymization, otherwise it's automatization. If you anonymize, you're out of scope, you're not even in GDPR. Many people struggle with that definition. So it's the contrary to PII to personally identify that information.

If you're anonymizing information, if you test, if you profile, if you score just anonymized, that does work in many cases and you are out of GDPR scope and it's something you maybe wanted to be doing for half a year until you have another solution for it. And you have a data minimization principle installed, but if you are anonymized or sophisticated, you may do things that you can not do. Otherwise alternative would be information, lifecycle management or an additional thing to, to ensure you need to document classify, secure and delete safely.

All the information that guarantees privacy by design privacy, by control and elsewhere in control. So it's a sort, it's a key figure, or it's a key action for many of the master data management is something, all organizations I know don't pay enough attention on you need data quality. If your data quality isn't correct on your customers, you will not succeed to be GDPR compliant. So this data is stable.

The, the very basic information on customer supplies and others is stable information. It doesn't change all the time and people don't manage to keep well, keep well informed on this lot identity management system. I need to mention, of course, that's something for access controls. I've been keep talking about it for a long time and the GDPR. This is a must have.

If you don't have that, you will not succeed to direct all the necessary access rights and that's core because if someone sees something that he shouldn't see, that's a core breach of the GDPR, and this is something evidently to be in scope for all businesses. Other data control measures are out there further security measure. Any security measure on encryption, for example, would be certainly data control measure, any legal control, measure, contracts, policies, also HR measures, trained staff, make people understand, even though if people are committing errors, that's just fine.

If you have training go, and if you have had rules, process measures like quick, escalation of data breaches will save your life. Even though this sounds very basic and very easy. If you think you still have homework for the last three months, you will be busy after not only 25th of many of the GDPR, if on, in 2018 and 19, the E privacy director, who's the sister of the GDPR and covers all this we're discussing now for the online segment.

So if you're becoming agile at 2019 as a bank or wherever the financial sector, the EPRI directive will come up and we don't know what it brings yet, maybe experiences from the GDPR will cover whatever is necessary to be understood here. And we have standard contractual process. So the international data transfer rule by the European point of justice in 2018, 19 also also privacy shield will be revised. So there will be a lot of disruption from the lawmakers and we continue to stress the business from the legal side. Thank.