TRANSCRIPT
Legal and Regulatory Privacy Challenges for the Financial Services Sector
Michael Spadea
Head of Privacy, Barclays Wealth
19 January 2010
Disclaimer (otherwise known as the exciting stuff)
The statements and contents of this presentation are my own and do not necessarily represent Barclays Wealth’s positions, strategies or opinions.
Barclays Wealth is the wealth management division of Barclays and operates through Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is registered in England and authorised by the Financial Services Authority (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.
The availability of products and services may be limited by the applicable laws and regulations in certain jurisdictions.
No part of this presentation constitutes legal or tax advice.
Subjects we will be covering
Overview of the EU data protection requirements
What is “personal data”?
Current and Future Challenges
EU Data Protection Directive
EU Data Protection Directive (95/46/EC): “Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy…” (Directive, Preamble, Para. 2.)
Stated Objectives:
1) “In accordance with this directive member states shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data,” and
2) “Member States shall neither restrict nor prohibit the free flow of personal data between member states for reasons connected with the protection afforded under paragraph 1.” (Directive, Preamble, Article I.)
“’Personal Data’ shall mean any information relating to an identified or identifiable natural person…”
EU Data Protection Directive (95/46/EC) Highlights
Art. 2 Definitions: Processing is defined as “any operation or set of operations which is performed upon personal data…such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”
Art. 7: Criteria for Making Data Processing Legitimate
Art. 8: Special Categories of Processing
Ch. IV Transfer of Personal Data to Third Countries
Art. 25 Principles
Art. 26 Derogations
What is personal data?
Directive: “'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”
UK Data Protection Act: “personal data” means data which relate to a living individual who can be identified—(a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
EU v. UK (ICO v. Court/Tribunal)
Current and Future Challenges
International Transfers
Banking Secrecy
Adequate technical and organisational measures
Incident Response across jurisdictions
Access to Personal Information (data subject requests, litigation holds, records management)
Employee and client screening
Incident Management
Conflict of Laws:
Conflict between the Directive and Member State Law
Conflict between EU Member States and other countries
US Law (discovery and blocking statutes, internal investigations, reporting requirements)
The Future of Privacy (WP 168)
Demonstrating Global Compliance
Demonstrating Global Compliance
Ensuring compliance with external regulations and internal policies. Key Takeaway Point 1: Know the standards you are held to, where you are in relation to those standards, and what you need to do to get there.
Potential business risks and the strategies to help overcome these risks. Key Takeaway Point 2: If you can’t measure it, you can’t manage it.
Risk vs. Cost: What is the best strategy for your business? Key Takeaway Point 3: Point 1 must be BAU.
Stating the Obvious:
Ensuring compliance is not easy: thousands of employees; variety of business lines; huge volumes; international presence; significant IT and process change programmes running continually; increasing dependencies on third parties.
To successfully run a privacy change programme, you need:
Senior management support.
Funding.
Clear understanding of the BUSINESS AS USUAL end result.
Clear definition of the baseline requirements for your organization; it must comprehensively cover the legal/regulatory obligations and be usable by the business.
The right people with the right skills.
Stakeholder involvement and pilots.
Division into manageable segments and a flexible approach.
Where do you start? What are your risks? Prioritize. Detail is important.
What are your risks? Some factors: types of data; volumes of data; geography; internal or external.
Segment the programme and business to pinpoint accountability.
Tools: data capture sheets; questionnaires, for the business and for vendors.
Questions mapped to local legal requirements, mapped to the baseline. Gap analysis with actions, owners and dates.
Captures everything: ongoing risks and one-off fixes.
Data Capture Sheet
Columns (Data Capture Questions):
Data Stream (Team)
Sub-Data Stream (Streams within the Team)
Reference Number
Brief description
Is data collected at this point or used?
Corporate confidential data?
Personal Data?
Sensitive Personal Data?
Employee data?
Collected from or available on the Internet?
Collected from or available on the intranet?
Data used for marketing?
Transferred or accessed in another country?
Data transferred or accessible by a third party?
Name of third party
Do you have any data that requires special consideration?
Approximate volumes
Where is data received from?
Where is data sent?
Which jurisdiction is data stored in?
What format?
Name of system
Business contact name
Technology contact name
Captured by CCTV?
(Sample Data Stream entry shown on the sheet: IT Organisation and Management)
Privacy Questionnaire
Columns: Baseline | Baseline Requirement | Equivalent Local Law | Brief Description of Local Law | Questions
Row 1
Baseline: UK DPA \ Principle 1; UK DPA \ Principle 2; UK DPA \ Schedule 2; Dir 95/46/EC \ Article 6.1a; Dir 95/46/EC \ Article 6.1b; Dir 95/46/EC \ Article 7
Baseline Requirement: For processing of personal data to be fair and lawful, legitimate reasons for processing the data must be identified. In the UK, these are set out in Schedule 2 of the DP Act (Dir 95/46/EC Article 7).
Equivalent Local Law: HKDPO Principle 1 ver 1
Brief Description of Local Law: Personal data shall not be collected unless: (a) the data are collected for a lawful purpose directly related to a function or activity of the entity who will be using the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data is not excessive in relation to that purpose. Personal data shall be collected by means which are lawful and fair.
Questions: (-) Have you identified on what basis you are able to lawfully process the personal data? (+) When you collect personal data, do you disclose the purpose of use to the data subject?
Row 2
Baseline: UK DPA \ Principle 1; UK DPA \ Principle 2; UK DPA \ Schedule 3; Dir 95/46/EC \ Article 6.1a; Dir 95/46/EC \ Article 6.1b; Dir 95/46/EC \ Article 8
Baseline Requirement: If sensitive personal data is processed, further conditions must be met to do this, for example obtaining explicit consent for the processing. In the UK a Data Protection Act Schedule 2 and 3 condition is required to process sensitive personal data (Dir 95/46 EC Article 8).
Equivalent Local Law: N/A
Brief Description of Local Law: Under the HKPO there is no separate concept of "Sensitive Personal Data".
Questions: (-) Are you processing sensitive personal data? Defined as personal data relating to: (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Operating model: don’t get hung up on the detail.
Privacy Policies and DPCs: each jurisdiction and/or each business.
Incident Management Policy: escalation criteria, communications plan. Incident Management Committee for the big ones (Legal, PR, Compliance, HR, IT Security, Risk).
Litigation hold committee (technology, risk, accountable executive, internal and external counsel).
Annually refresh: legal requirements, policy, risks and controls, MI.
Push out to each business line and jurisdiction through the DPCs. Train your DPCs so they are the front line for the basic queries.
Training and Awareness: all staff get the basics (tie into your gaps, key themes).
Selection of Privacy Risks
Failure to inform individuals about the collection and use of their information.
Privacy registration requirements are not complied with.
Failure to have a lawful basis for processing personal information.
Privacy is not incorporated into the expansion into new markets and jurisdictions or the acquisition of new entities.
Personal information transferred to and processed by vendors is not adequately protected.
The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.
Responsibilities and accountabilities for the management of privacy are not appropriately defined, agreed, or implemented.
Incidents, including those originating with third party suppliers, are not effectively identified and reported or managed and resolved in a manner that protects both the individual and Wealth.
Controls (what works for us may not work for you)
Some Privacy Controls:
• The privacy SME approves the collection and use of personal information of staff, customers and 3rd parties (e.g., shareholders, prospects).
• Individuals receive up-to-date privacy notices that include full disclosure of how personal information is processed, including cross-border transfers and disclosures to third parties.
• Material changes in the processing of personal information (including that of vendors) are captured and approved by the relevant SME.
• Information and process owners ensure the minimal amount of personal information is processed (e.g., collected, stored, disclosed) by having privacy SME sign-off.
• Compliance with local records retention policies, ensuring that retention of each category of personal information is necessary.
• A business process exists to receive, capture and action marketing suppression requests to local suppression lists.
• RCAs are embedded in the day-to-day risk management process of the business and act as a management self-assessment tool to proactively identify and address key control issues.
Some Records Management Controls:
• Accountable Executive responsible for Records Management is in line with Group requirements.
• Appropriate senior stakeholder forum across all key Wealth business lines (UKPB, IPB, Stockbrokers and Direct, BWI and WI, Wealth Advisory and IPO) is in place to address and progress Records Management issues.
• Methodology for Records Management contains key roles and responsibilities for all stakeholders.
• Records Management Policy aligned with Group Records Management Policy is in place and is updated annually.
• Attestation process is in place for the Records Management Policy.
• Attestation is completed by key Wealth staff annually and reviewed by Compliance for completeness.
• A refresh process exists for the key policy and guidance available for Records Management.
• A destruction policy and process has been developed and exists for Wealth. An annual refresh is completed for policy documents.
• Adherence to disposal holds can be evidenced to IRM.
Putting it together
Columns: (Principle) Risk | Control | Risk Owner (Local v. Central) | Overall Risk RAG Rating | Evidence | Remediation Actions | Remediation RAG Rating
(Principle) Risk: The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.
Control 1: Conformance testing is conducted on a regular basis to ensure that personal information is processed in accordance with the Wealth Privacy Policy and all controls are operating effectively.
Risk Owner: Boba Fett
Overall Risk RAG Rating: Amber
Remediation Actions (RAG Rating): Identify area of testing (Green); Develop and implement (Green); Analyse results (Amber); Remediation plan (Red)
Control 2: MI is reported regularly and reviewed and challenged to ensure that it reflects the activity and status of privacy controls and to evaluate privacy risk.
Risk Owner: The Emperor
Overall Risk RAG Rating: Green
Remediation Actions (RAG Rating): Obtain (Green); Use Jedi mind trick (Amber); Receive update (Green); Execute under-performers (Green)
Control 3: RCAs are embedded in the day-to-day risk management process of the business and act as a management self-assessment tool to proactively identify and address key control issues.
Risk Owner: Darth Vader
Overall Risk RAG Rating: Amber
Remediation Actions (RAG Rating): Inspect the stormtroopers (Amber); Check they are using the RCA to inspire fear (Amber); Validate results with the locals (Amber)
Dashboard mock-up (Not Real Data)
Focus: Records Management – June 2009 (Not Real Data)
Cumulative Achievements
Records Management audit report issued in draft with a Satisfactory Rating for Wealth and 2 Medium audit points.
Phase one of the RM/DP Assessment/Remediation project now complete with all high risk teams’ action plans QA’d and remediation underway with the assistance of project staff.
Current State Assessment action closure increasing following active chasing by IRM – 58% closed at end June.
IRM RM SME fully engaged with USA PIM business to embed Wealth RM policies.
BAU schedule for RM management activities in place.
Management of RM/DP project actions integrated with existing CSA action management system.
Current State Residual Risk
Exception Commentary
1,217 Current State Assessment actions were given a default due date of end Apr 2009. IRM actively chasing owners for the newly overdue actions to establish expected due dates.
Activities to date have reduced the overdue actions with further focus being applied in July.
RM/DP Remediation actions are increasing as the project team are completing team reviews – expectation is for a high volume of identified actions as the project progresses.
Major Activities next month
Improved BU team refresh process to be proposed and implemented if agreed.
Continued engagement with RM audit action owners to ensure coherent plans and funding are in place to address.
Refresh Retention Schedules in conjunction with Group and Legal.
Launch phase two of the assessment programme beginning with Jersey and Guernsey.
Risks Identified to Date
RM SME resource departed mid June.
Technology resource for shared drive analysis/remediation no longer exists in Wealth – conversations underway with BarCap to acquire resource.
Lessons we have learned
There is a global shortage of privacy/records management professionals, so the approach had to work with project managers and business analysts without a technical privacy/records management background.
Quality assurance of the output is vital and should be integral to the process.
Training should be little and often. Link in with key stakeholders, e.g., internal audit, compliance, IT, internal comms, financial crime, etc.
Awareness and training is a long-term exercise and cannot be fixed overnight.
Too much detail on some of the question sets.
BAU.
Awareness Material
Help with Training & Awareness
Some of the Training & Awareness materials developed will be available on the ICO website for use on 28 January 10.
Private Consortium: multiple industries. For a fee you can access all material developed. Newly created material must be made available to other members. Currently administered by Barclays, but the expectation is that another group will take over in the near future. If you are interested, please contact me.
It works! Barclays won the 2009 IAPP Award for Privacy Innovation by a large organisation (toot toot)!
Data viewed as an asset.
Significant increase in:
Compliance;
Engagement of the privacy and records management SMEs at early project stages;
Employee and vendor awareness; and
Number of breaches reported.
Measuring compliance and awareness. Inventory of processing and data. Identification and remediation of supplier contract and processing gaps. Reduction of reputation and fines risks. Improved regulatory relationships. Change in culture. Global Operating Models.
The End
Michael Spadea, Barclays Wealth, 1 Churchill Place, London, E14 5HP
(Email me for a copy of this presentation and a sample questionnaire.)