Legal And Regulatory Dp Challenges For The Financial Services Sector
  • Speaker notes
    • “data” means information which— (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; (UK Data Protection Act 1998, s. 1(1)). See also Article 29 Working Party Opinion 4/2007 on the concept of personal data and Opinion 1/2008 on data protection issues related to search engines (log files, IP addresses, cookies).
    • Project managers, consultants, internal and external lawyers.
    • Data capture sheet: next slide. Questionnaire: two slides.
    • Why a questionnaire and then an RCA? Because you need to know where your risks are first!

Presentation Transcript

  • Legal and Regulatory Privacy Challenges for the Financial Services Sector
    • Michael Spadea
    • Head of Privacy, Barclays Wealth
    • 19 January 2010
    • [email_address]
  • Disclaimer (otherwise known as the exciting stuff)
    • The statements and contents of this presentation are my own and do not necessarily represent Barclays Wealth’s positions, strategies or opinions.
    • Barclays Wealth is the wealth management division of Barclays and operates through Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is registered in England and authorised by the Financial Services Authority (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.
    • The availability of products and services may be limited by the applicable laws and regulations in certain jurisdictions.
    • No part of this presentation constitutes legal or tax advice.
  • Subjects we will be covering
    • Overview of the EU data protection requirements
    • What is “personal data”?
    • Current and Future Challenges
  • EU Data Protection Directive
    • EU Data Protection Directive (95/46/EC)
      • “Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy …” (Directive, Preamble, Recital 2.)
      • Stated Objectives:
        • 1) “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data,” and
        • 2) “Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.” (Directive, Article 1.)
      • “‘Personal data’ shall mean any information relating to an identified or identifiable natural person…”
  • EU Data Protection Directive (95/46/EC) Highlights
      • Art. 2 Definitions:
        • Processing is defined as “any operation or set of operations which is performed upon personal data…such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”
      • Art. 7: Criteria for Making Data Processing Legitimate
      • Art. 8: Special Categories of Processing
      • Ch. IV Transfer of Personal Data to Third Countries
        • Art. 25 Principles
        • Art. 26 Derogations
  • What is personal data?
    • Directive:
      • “'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”
    • UK Data Protection Act
      • “personal data” means data which relate to a living individual who can be identified—
        • (a) from those data, or
        • (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
      • EU v. UK (ICO v. Court/Tribunal)
  • Current and Future Challenges
    • International Transfers
    • Banking Secrecy
    • Adequate technical and organisational measures
    • Incident Response across jurisdictions
    • Access to Personal Information (data subject requests, litigation holds, records management)
    • Employee and client screening
    • Incident Management
    • Conflict of Laws
      • Conflict between the Directive and Member State Law
      • Conflict between EU Member States and other countries
        • US Law (discovery and blocking statutes, internal investigations, reporting requirements)
    • The Future of Privacy (WP 168)
    • Demonstrating Global Compliance
  • Demonstrating Global Compliance
    • Ensuring compliance with external regulations and internal policies.
      • Key Takeaway Point 1: Know the standards you are held to, where you are in relation to those standards, what you need to do to get there.
    • Potential business risks and the strategies to help overcome these risks.
      • Key Takeaway Point 2: If you can’t measure it, you can’t manage it.
    • Risk Vs. Cost: What is the best strategy for your business?
      • Key Takeaway Point 3: Point 1 must be BAU.
  • Stating the Obvious:
    • Ensuring compliance is not easy
      • Thousands of employees.
      • Variety of business lines.
      • Huge volumes.
      • International presence.
      • Significant IT and process change programmes running continually.
      • Increasing dependencies on third parties.
    • To successfully run a privacy change program, you need:
      • Senior management support.
      • Funding.
      • Clear understanding of BUSINESS AS USUAL end result.
      • Clear definition of the baseline requirements for your organization; comprehensively covers the legal/regulatory obligations; usable by the business.
      • Make sure you have the right people with the right skills.
      • Stakeholder involvement & pilots.
      • Divide into manageable segments & a flexible approach.
  • Where do you start? What are your risks? Prioritize . . .
    • Detail is important:
      • What are your risks?
        • Some factors
          • Types of data.
          • Volumes of data.
          • Geography.
          • Internal or external.
        • Segment the programme and business to pinpoint accountability.
      • Tools
        • Data capture sheets.
        • Questionnaires - for the business and for vendors.
          • Questions mapped to local legal requirements mapped to baseline.
        • Gap analysis with actions and owners and dates.
          • Captures everything - ongoing risks and one-off fixes.
  • Data Capture Sheet (columns: Data Stream | Sub-Data Stream | Ref. Number | Brief Description | Data Capture Questions). Data Capture Sheet Questions:
      • Data Stream (Team)
      • Sub-Data Stream (Streams within the Team)
      • Reference Number
      • Brief description
      • Is data collected at this point or used?
      • Corporate confidential data?
      • Personal Data?
      • Sensitive Personal Data?
      • Employee data?
      • IT Organisation and Management
      • Collected from or available on the Internet?
      • Collected from or available on the intranet?
      • Data used for marketing?
      • Transferred or accessed in another country?
      • Data transferred or accessible by a third party?
      • Name of third party
      • Do you have any data that requires special consideration?
      • Approximate volumes
      • Where is data received from?
      • Where is data sent?
      • Which jurisdiction is data stored in?
      • What format?
      • Name of system
      • Business contact name
      • Technology contact name
      • Captured by CCTV?
  • Privacy Questionnaire (columns: Baseline | Baseline Requirement | Equivalent Local Law | Brief Description of Local Law | Questions)
    • Row 1: lawful basis for processing
      • Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 2; Dir 95/46/EC Article 6.1(a); Dir 95/46/EC Article 6.1(b); Dir 95/46/EC Article 7.
      • Baseline Requirement: For processing of personal data to be fair and lawful, legitimate reasons for processing the data must be identified. In the UK, these are set out in Schedule 2 of the DP Act (Dir 95/46/EC Article 7).
      • Equivalent Local Law: HKDPO Principle 1 (ver 1).
      • Brief Description of Local Law: Personal data shall not be collected unless: (a) the data are collected for a lawful purpose directly related to a function or activity of the entity who will be using the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data is not excessive in relation to that purpose. Personal data shall be collected by means which are lawful and fair.
      • Questions: (-) Have you identified on what basis you are able to lawfully process the personal data? (+) When you collect personal data, do you disclose the purpose of use to the data subject?
    • Row 2: sensitive personal data
      • Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 3; Dir 95/46/EC Article 6.1(a); Dir 95/46/EC Article 6.1(b); Dir 95/46/EC Article 8.
      • Baseline Requirement: If sensitive personal data is processed, further conditions must be met, for example obtaining explicit consent for the processing. In the UK a Data Protection Act Schedule 2 and Schedule 3 condition is required to process sensitive personal data (Dir 95/46/EC Article 8).
      • Equivalent Local Law: N/A. Under the HKPO there is no separate concept of "Sensitive Personal Data".
      • Questions: (-) Are you processing sensitive personal data? Defined as personal data relating to: (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
    • Operating model: don't get hung up on the detail.
      • Privacy Policies
      • DPCs
        • Each jurisdiction and/or each business.
      • Incident Management Policy
        • Escalation criteria, communications plan
        • Incident Management Committee for the big ones (Legal, PR, Compliance, HR, IT Security, Risk)
      • Litigation hold committee (technology, risk, accountable executive, internal and external counsel)
    • Annually refresh
      • Legal requirements.
      • Policy
      • Risks and Controls
      • MI
    • Push out to each business line and jurisdiction through the DPCs.
    • Train your DPCs so they are the front line for the basic queries.
    • Training and Awareness - all staff get the basics (tie into your gaps, key themes).
  • Selection of Privacy Risks
    • Failure to inform individuals about the collection and use of their information.
    • Privacy registration requirements are not complied with.
    • Failure to have a lawful basis for processing personal information.
    • Privacy is not incorporated into the expansion into new markets and jurisdictions or the acquisition of new entities.
    • Personal information transferred to and processed by vendors is not adequately protected.
    • The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.
    • Responsibilities and accountabilities for the management of privacy are not appropriately defined, agreed, or implemented.
    • Incidents, including those originating with third party suppliers, are not effectively identified and reported or managed and resolved in a manner that protects both the individual and Wealth.
  • Controls (what works for us may not work for you)
    • Some Privacy Controls:
    • The privacy SME approves the collection and use of personal information of staff, customers and 3rd parties (e.g., shareholders, prospects).
    • Individuals receive up-to-date privacy notices that include full disclosure of how personal information is processed, including cross-border transfers and disclosures to third parties.
    • Material changes in the processing of personal information (including that of vendors) are captured and approved by the relevant SME.
    • Information and process owners ensure the minimal amount of personal information is processed (e.g., collected, stored, disclosed) by having privacy SME sign-off.
    • Compliance with local records retention policies, with the need to retain each category of personal information confirmed as necessary.
    • Ensure a business process exists to receive, capture and action marketing suppression requests against local suppression lists.
    • RCAs are embedded in the day-to-day risk management process of the business and act as a management self assessment tool to proactively identify and address key control issues.
    • Some Records Management Controls:
    • Accountable Executive responsible for Records Management is in line with Group requirements.
    • Appropriate senior stakeholder forum across all key Wealth business lines (UKPB, IPB, Stockbrokers and Direct, BWI and WI, Wealth Advisory and IPO) is in place to address and progress Records Management issues.
    • Methodology for Records Management contains key roles and responsibilities for all stakeholders.
    • Records Management Policy aligned with Group Records Management Policy is in place and is updated annually.
    • Attestation process is in place for the Records Management Policy.
    • Attestation is completed by key Wealth staff annually and reviewed by Compliance for completeness.
    • A refresh process exists for the key policy and guidance available for Records Management.
    • A destruction policy and process has been developed and exists for Wealth. An annual refresh is completed for policy documents.
    • Adherence to disposal holds can be evidenced to IRM.
  • Putting it together (mock data)
    • Columns: (Principle) Risk | Control | Risk Owner (Local v. Central) | Overall Risk RAG Rating | Evidence | Remediation Actions | Remediation RAG Rating
    • Risk: The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.
      • Control: Conformance testing is conducted on a regular basis to ensure that personal information is processed in accordance with the Wealth Privacy Policy and all controls are operating effectively. Risk Owner: Boba Fett. Overall RAG: Amber. Remediation actions (RAG): Identify area of testing (Green); Develop and implement (Green); Analyse results (Amber); Remediation plan (Red).
      • Control: MI is reported regularly and reviewed and challenged to ensure that it reflects the activity and status of privacy controls and to evaluate privacy risk. Risk Owner: The Emperor. Overall RAG: Green. Remediation actions (RAG): Obtain (Green); Use Jedi mind trick (Amber); Receive update (Green); Execute under-performers (Green).
      • Control: RCAs are embedded in the day-to-day risk management process of the business and act as a management self assessment tool to proactively identify and address key control issues. Risk Owner: Darth Vader. Overall RAG: Amber. Remediation actions (RAG): Inspect the stormtroopers (Amber); Check they are using the RCA to inspire fear (Amber); Validate results with the locals (Amber).
  • Dashboard mock-up (not real data)
  • Focus: Records Management – June 2009 (not real data)
    • Current State / Residual Risk Commentary: RAG panels (no text captured).
    • Cumulative Achievements
      • Records Management audit report issued in draft with a Satisfactory rating for Wealth and 2 Medium audit points.
      • Phase one of the RM/DP Assessment/Remediation project now complete, with all high-risk teams' action plans QA'd and remediation underway with the assistance of project staff.
      • Current State Assessment action closure increasing following active chasing by IRM – 58% closed at end June.
      • IRM RM SME fully engaged with USA PIM business to embed Wealth RM policies.
      • BAU schedule for RM management activities in place.
      • Management of RM/DP project actions integrated with existing CSA action management system.
    • Exception Commentary
      • 1,217 Current State Assessment actions were given a default due date of end April 2009. IRM actively chasing owners for the newly overdue actions to establish expected due dates. Activities to date have reduced the overdue actions, with further focus being applied in July.
      • RM/DP remediation actions are increasing as the project team completes team reviews; the expectation is for a high volume of identified actions as the project progresses.
    • Major Activities Next Month
      • Improved BU team refresh process to be proposed and implemented if agreed.
      • Continued engagement with RM audit action owners to ensure coherent plans and funding are in place to address them.
      • Refresh retention schedules in conjunction with Group and Legal.
      • Launch phase two of the assessment programme, beginning with Jersey and Guernsey.
    • Risks Identified to Date
      • RM SME resource departed mid-June.
      • Technology resource for shared drive analysis/remediation no longer exists in Wealth – conversations underway with BarCap to acquire resource.
  • Lessons we have learned
    • There is a global shortage of privacy/records management professionals, so the approach had to work with project managers and business analysts without a technical privacy/records management background.
    • Quality assurance of the output is vital and should be integral to the process.
    • Training should be little and often.
    • Link in with key stakeholders, e.g., internal audit, compliance, IT, internal comms, financial crime, etc.
    • Awareness & training is a long-term exercise and cannot be fixed overnight.
    • Too much detail on some of the question sets.
    • BAU
  • Awareness Material (four image slides; no text captured)
  • Help with Training & Awareness
    • Some of the Training & Awareness materials developed will be available on the ICO website for use from 28 January 2010.
    • Private Consortium
      • Multiple industries.
      • For a fee you can access all material developed.
      • Newly created material must be made available to other members.
      • Currently administered by Barclays, but the expectation is that another group will take over in the near future.
      • If you are interested, please contact me.
  • It works!
    • Barclays won the 2009 IAPP Award for Privacy Innovation by a large organisation (toot toot)!
    • Data viewed as an asset.
    • Significant increase in
      • Compliance;
      • Engagement of the privacy and records management SMEs at early project stages;
      • Employee and vendor awareness; and
      • Number of breaches reported.
    • Measuring compliance and awareness.
    • Inventory of processing and data.
    • Identification and remediation of supplier contract and processing gaps.
    • Reduction of reputation and fines risks.
    • Improved regulatory relationships.
    • Change in culture.
    • Global Operating Models.
  • The End
    • Michael Spadea
    • Barclays Wealth
    • 1 Churchill Place
    • London, E14 5HP
    • [email_address]
    • (Email me for a copy of this presentation and a sample questionnaire.)