Is your universe of contributed data ready for GDPR?

Non-compliance can result in fines of up to 4% of a company's annual global revenue

Sheena Clark, Director, CJC Regulatory Services


No sooner has the deadline for MiFID II passed than another regulation looms into view. The EU General Data Protection Regulation (GDPR), legally enforceable on 25th May 2018, is designed to harmonize data privacy laws across Europe, protect and empower all EU citizens’ data privacy and reshape the way organisations across the region approach data privacy. Those organisations in non-compliance after the deadline will potentially face heavy fines.

Most companies are fully ensconced in their regulatory projects and GDPR will undoubtedly fall into the ‘next big thing’ category. However, not all banks have considered how their contributed data might be impacted by this regulation.

Banks will have to ensure that GDPR and resolution clauses are written into their contributed data contracts with vendors and customers. Contributors will have to audit the personal information in all contribution pages belonging to them: Desk Name & Contact, Location, Email Address, Telephone Numbers etc. and state how this data should be processed.

Conversely, the data vendors (“processors”) must also agree new contractual terms for accepting contributions, making transparent to the contributing source whether their data is permissioned for Public/ALL TO SEE, Private/NONE TO SEE or Unrestricted/FREE TO SEE, dependent upon each vendor's terminology.

CJC Regulatory Services has conferred with Nick Murphy of NDM Data Consultants Ltd., an experienced GDPR practitioner, to verify how GDPR will affect a bank's contributed data. Nick has commented: “Contributed data feeds will contain current and historic Personal Identifiable Information (PII) – names, contact details etc. This data needs to be auditable, accurate and amendable to comply with GDPR. Failure to comply is not an option.

GDPR will apply to all EU member states. Even if contributors and processors are based outside the EU, the regulation will still apply to them, so long as they're dealing with data belonging to EU residents.

It's the controller's responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR – up to 4% of a company’s global revenue. 

That is why the “sources” of contributed data must undertake a full audit of all their pages, records and chains they contribute to every data vendor/processor.

The “processor” must also agree new contractual terms for accepting contributions, making transparent whether the source data should be made public, private or remain uncontrolled and unrestricted.”

CJC’s Contributions Monitoring Service (CMS) is designed to support the important first phase of discovery and analysis of contributed data, to show what and where the personal data is held within the contribution publishing process. 

CMS can demonstrate to the relevant regulator how Privacy Impact Assessments (PIA) were conducted and audit how and where the data is collected, stored, used and who has access to it.

In summary, to comply with GDPR by May, banks will need to know that their contributed data is in line with GDPR and to do that, banks will need to know exactly what is being contributed and by whom.