2. Soft or hard Brexit, GDPR is coming into force on 25 May 2018 and firms need to prepare…
Marjane Moghimi Nov 2017
The Queen’s Speech has confirmed that the General Data Protection Regulation will form part of UK law following the country’s withdrawal from the European Union. The Speech noted that “Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.” (22 June 2017)
3. And after Brexit?
• On 21 June 2017 the UK Government revealed its legislative programme for the coming two years. As well as pressing ahead with the UK’s withdrawal from the European Union, the Government has confirmed its intention to bring the EU General Data Protection Regulation (the “GDPR”) into UK law, ensuring the country’s data protection framework is “suitable for our new digital age, allowing citizens to better control their data.”
• Therefore it seems that the post-Brexit rules will be compatible and aligned with the EU GDPR.
► But some EU-based clients may ask for the localisation of databases in the EU.
► So where the data is stored (server, data centre, cloud) needs some reflection.
4. UK
UK current
• Current legislation: DPA 1998
• From 25 May 2018, future legislation: GDPR
Map
• Cross-map the change from the current law to the new regulation
• This gives you the picture of ‘As is’ and ‘To be’
5. GDPR overview
The Regulation is built around three roles: the Data Controller, the Data Processor and the Data Subject.
• The aim is to protect a natural person living in the EU (including the EEA) by expanding the definition of personal data and giving more rights to privacy.
• It imposes new duties and obligations on the Data Controller and the Data Processor.
6. Initial assessment
• Data Controller
– Is in direct contact with the Data Subject
– Is ultimately responsible for the application of the Data Protection principles
– Must provide a privacy notice when collecting data
– Must inform the data subject in case of a data breach
• Data Processor
– Has direct responsibility under GDPR
– Must assure the security of processing operations
– Must name a Data Protection Officer
– Must notify any breach of data protection obligations to the Data Controller
7. New rights of the Data Subject
• The aim is to give Data Subjects ownership of their own data
• The data subjects’ rights:
– right to be informed
– right to contest the accuracy of the information
– right of access (free of charge)
– right to give consent and to withdraw it easily
– right to be forgotten (exceptions do exist)
– consents need to be specific for each use of the data
– right to be informed without undue delay if a data breach occurred
– etc.
8. What is the new definition of Personal Data?
• The GDPR broadens the definition of “personal data.”
• Sensitive data such as biometric and genetic data will be subject to a higher standard.
• Under the terms of GDPR, personal data refers to anything that could be used to identify an individual, such as:
– name
– email address
– IP address
– social media profiles
– phone numbers
– social security numbers
– etc.
9. GDPR for HR
• Your past, current and future employees are Data Subjects
• Under GDPR they have extended rights such as: the right to rectification and erasure, the right to portability of their data, and subject access requests (without fee)
• Action points, data audit:
– What data do you have?
– Where is it located?
– Why is such data collected? Is it up to date?
– To and from where is it transferred (within the company, to outside third parties, outside the EU and EEA)? Which data points are transferred?
– How long is it kept?
– On which basis? Legitimate business? If not, erase it.
– Consents need to be reviewed
► Data mapping and flow charts help to get a global view of the flow of data into and out of the various systems
► A gap analysis will highlight the areas of concern you need to look at.
10. Data audit
Questions to work through:
• What staff data do you have?
• Where does it come from?
• Where and how is it stored?
• What happens with it in your organisation?
• When and how is it deleted?
• Is it up to date?
• Is it transferred outside the firm?
Identify the stakeholders: HR, Finance, Payroll, third parties, etc.
Expand on each point until you have a clear picture and cover it completely.
11. Personal Data mapping - 1
Why is a firm processing personal data?
1- Staff administration
2- Client administration
3- For safety and security
4- To meet legal obligations
5- To provide services to third parties
6- To improve services/businesses
7- For direct marketing
8- Etc.
12. Personal Data mapping - 2
For each reason defined, you need to specify each activity that it covers.
1- Staff administration
– Recruitment (recruitment agency, references etc.)
– Payroll
– Benefits (pension, private medical health, insurance etc.)
– Appraisal
– Records of attendance, leave, holidays
– Correspondence related to the employment
– Etc.
13. Personal Data mapping - 3
Then define each category and sub-category of data you collect. Examples:
– Job candidates
– Current staff/contractors
– Former staff/contractors
– Emergency contacts/relatives
– Third party benefit providers
– Contacts at suppliers
– Etc.
14. Action list for compliance with GDPR
After the data mapping:
1. Run a GDPR compliance gap analysis
– Review all of your data entries (online, third parties etc.)
– Analyse your operations, IT, processes, systems and procedures
• Data flow (in, out, from, to)
• Review of vendors’ and third parties’ data
2. Create a GDPR Risk Register
3. Define areas for change: Processes, People, Technology
– Prioritise work according to the Risk Register
– Plan communication with data subjects (consents, breach notification)
– Update your data protection compliance procedures
– Keep an audit trail of all your activities in order to comply with the regulation
4. Highlight and act on areas overlapping with other regulations (if applicable to your industry)
16. Certification
• GDPR recommends certification schemes. Certification is voluntary; currently there is no official certification body for GDPR.
• ISO 27001 is one such certification:
– It is an information security management standard
– It follows international best practice
– It focuses on information security (firms and their customers)
– It is based on a formal risk assessment
– It covers three aspects of information security:
• People
• Processes
• Technology
– Its data protection arrangements and processes are similar to the GDPR recommendations
– It can be used as a reference for complying with the GDPR
17. We already comply with DPA 1998, what more should we do?
• Cross-map GDPR to DPA 1998:
– Focus your actions on the areas of change
• If you choose to apply ISO 27001:
– Cross-map GDPR to DPA 1998 and ISO 27001
– Highlight the areas of change
– Highlight high-risk areas
– Prioritise the work on the most sensitive areas
• Change management needs to cover:
– People
– IT
– Processes and procedures
– Training for staff
– Communication about GDPR and raising awareness about data security
18. GDPR in other European countries
If you have activities in the EU you need to be aware of local GDPR application:
• France: the CNIL is at the forefront of GDPR application
– https://www.cnil.fr/
– https://www.cnil.fr/fr/node/15798
• Luxembourg
– https://cnpd.public.lu/en.html
• Offshore: the Isle of Man, Jersey and Guernsey (third countries) have secured adequacy status
– http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
19. GDPR in the financial industry
• GDPR overlaps with other regulations such as MIFID 2, PRIIPS and PSD2
• Firms need to separate three sorts of data:
– Employees, professional clients, non-professional clients (under the MIFID 2 definitions)
• Personal data of employees
• Personal data of professional clients and non-professional clients
• Personal data of retail clients
• Interactions between the various IT systems (backup systems are in the loop too)
• While banks and other financial firms are familiar with various regulations, adhering to GDPR requires the collection of large amounts of customer data, which is then collated and used for various activities, such as client on-boarding, KYC, relationship management, trade booking, accounting, etc.
• During these processes, customer data is exposed to a large number of different people and systems at different stages, and this is the challenge.
20. Regulation Overlap: MIFID II and GDPR
MIFID II (3 Jan 2018)
• RTS 4 and ESMA Q&A Oct 2017: the requirement to identify the clients and clients of clients in transaction and position reporting cannot be waived.
• For natural persons, the important identifiers are: the passport number and the CONCAT code combining nationality, first name and surname of the position holder.
• If a natural person is involved, that person must be identified by their ID number, passport number, tax or national insurance number, depending on their nationality.
• In the absence of this information, a concatenated code can be used consisting of date of birth, the first five characters of the first name and the first five characters of the surname.
GDPR (25 May 2018)
• Under GDPR investment firms are Data Controllers.
• Under MIFID II they are required to produce disaggregated reports (i.e. Client, Client of Client etc.).
• Firms need to take steps to ensure that the data they report is accurate, and that appropriate consent is obtained to using an individual’s data as part of transaction reporting, in a way that meets data protection requirements.
• Responsibility for the safety, security and confidentiality of client information stays with the investment firm.
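As an added illustration (not part of the original slides), here is the concatenated fallback identifier described above built in Python, together with the shape check a firm would run before the figure is reported. The title and particle lists, the ‘#’ padding and the stripping of diacritics are my reading of ESMA’s RTS 22 Annex II and are assumptions; the sample people are constructed.

```python
import re
import unicodedata
from datetime import date

# Titles and name particles dropped before truncation. Assumption: abridged
# from ESMA RTS 22 Annex II as I recall it, not the Annex's full table.
TITLES = {"mr", "mrs", "ms", "dr", "prof", "sir"}
PARTICLES = {"de", "de la", "del", "di", "da", "du", "dos", "la", "le",
             "van", "van der", "van den", "von", "vom", "mac", "mc", "o"}

def _strip_leading(words, drop):
    """Remove leading one- or two-word tokens found in `drop`."""
    changed = True
    while changed and words:
        changed = False
        for n in (2, 1):
            if len(words) >= n and " ".join(words[:n]) in drop:
                words, changed = words[n:], True
                break
    return words

def _five(name, drop):
    """Upper-case ASCII letters only, first five, padded with '#' (assumption)."""
    words = _strip_leading(name.lower().split(), drop)
    ascii_text = unicodedata.normalize("NFKD", "".join(words)).encode("ascii", "ignore").decode()
    letters = re.sub(r"[^A-Z]", "", ascii_text.upper())
    return letters[:5].ljust(5, "#")

def concat_code(nationality, date_of_birth, first_name, surname):
    """Build the fallback identifier: country code + YYYYMMDD + 5 + 5 characters."""
    if not re.fullmatch(r"[A-Z]{2}", nationality):
        raise ValueError("nationality must be an ISO 3166 two-letter code")
    return (nationality + date_of_birth.strftime("%Y%m%d")
            + _five(first_name, TITLES) + _five(surname, PARTICLES))

CONCAT_RE = re.compile(r"[A-Z]{2}\d{8}[A-Z#]{5}[A-Z#]{5}")

def is_well_formed(code):
    """Accuracy check before a report leaves the firm: right shape and a real calendar date."""
    if not CONCAT_RE.fullmatch(code):
        return False
    try:
        date(int(code[2:6]), int(code[6:8]), int(code[8:10]))
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    # Constructed sample people, not real individuals.
    print(concat_code("FR", date(1975, 3, 14), "Jean-Pierre", "de la Tour"))  # FR19750314JEANPTOUR#
    print(concat_code("DE", date(1988, 7, 2), "Anna", "Müller"))              # DE19880702ANNA#MULLE
```

The resulting code is itself personal data under GDPR (it embeds date of birth and name fragments), so it belongs in the data map alongside the passport and national ID fields it stands in for.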
21. Regulation Overlap: MIFID II and GDPR
MIFID II
The name and date of birth of the parties on both sides of the trade are a mandatory part of trade, transaction and position reporting duties:
• Buyer
• Buyer Decision Maker
• Seller
• Seller Decision Maker
GDPR
• Employee information is held in the HR database
• Counterparty information is held in the Counterparty database
• Client information is held in the Client database
► You need specific consent from those data subjects concerned by MIFID II
► Consents from all third parties are necessary if you have a legitimate interest in collecting their data
22. e-privacy
• It is a Regulation coming into force on the same date as GDPR
• It will replace the current Directive
• Its aim is a high level of privacy and data protection
• The new regulation will bring significant changes:
– It concerns all providers of electronic communication services
• Including Facebook Messenger, WhatsApp, etc.
– It will apply to content and metadata
– Simpler rules regarding cookies and spam
– It requires specific and freely given consent, which can easily be withdrawn
– It puts the emphasis on the confidentiality of electronic communications data, including while in transit, and covers storage providers (including ‘cloud’)
• The regulation is still not finalised, so some changes may come to light later.