In Focus Risk


Left-right: Alan Brown; Andrea Baker; Atul Vadher; Charlie Moore; Christian Jacob


How do data protection rules and considerations currently impact upon your work, and how do you expect this to change under the GDPR?

MP: It depends on the type of business you are in. One company where I implemented a GDPR project was a motor dealership and, being a sales organisation, the challenge is maintaining the marketing database when new permissions are required and not falling into the trap a couple of other firms did by e-mailing their clients to ask for permission, as this was itself deemed to be marketing. This resulted in these companies being fined. The other challenge was building the register of databases, in actually managing to identify exactly where the data was transferred to and from, as most companies utilise a number of linked databases between which the data transfers. Behind this is the subject of maintaining these systems, as this is often outsourced. I remember reviewing an outsourced contract in the past where it was proposed that the databases were maintained from India and, therefore, data accessed from there, which would include the ability to access personal data. What do you really know about our maintenance contracts?


AB: All new vendors and customers are passed through the Credit Risk team; this ensures we do not contract with any party whose financials are not strong enough to sustain not only the business with us, but the governance needed to run their own companies in a way which reflects our values and standards. Credit risk people are naturally nosey – if we sense there are operational risks borne out of our analysis of the financial risks, this will affect the decision to go forward or not. This, of course, applies to data processors as well as any other business partner.




CJ: Data privacy is not new; it is just that today it is incorporated within GDPR. Let us not forget that data-protection rules have been around for a long time. So, in terms of how you build your framework and how you manage your data, it is about your interested parties and your need to make sure that everything is logged and customers are notified; you need to run your business correctly and compliantly. But we should not be sat here wondering what we should do to be compliant for 25 May; if we are, then it is way too late. We should have already designed our rules engines and tested our data flows. We are entrusted by our clients to receive their data and we are expected to diligently transform it, then to outsource it to our partners. It is our purpose to understand what is happening to the data provided to us on a daily basis; this relates to every single activity. That takes a massive amount of work; we have been working on the GDPR part of our process for the past 18 months, but we have been working on data protection for much longer.


How will you handle the new rights – and perceived rights – to be informed, to access, and to erase data?

TC: There is also an aspect of potential customer detriment. For example, there has always been a question over how long you can reasonably retain customer data for. Given the fear and hype that surrounds GDPR, a lot of companies are now going down the path of absolute record purge after a set timeframe, but if, for example, the regulator were to come to us in the near future with a problem very much reminiscent of PPI and state that we had been charging interest incorrectly, our response may end up being that we have anonymised everything, so cannot proactively now contact former customers in order to rectify the situation. It plays on my mind as a potentially detrimental aspect of this, where the material reality renders the lenders in an ivory tower of mitigated responsibility. In a situation like this, it would be the customer’s responsibility to provide proof, so how good is your record keeping? There are some circumstances where the retention of information can be in the customer’s best interests. There is clearly a balance to be struck here; perhaps a customer-only-accessible encryption layer around the sensitive aspect of a given facility would have been a better way forward.


www.CCRMagazine.com


CJ: We are allowed to anonymise the data, and we are allowed to reverse it as and when it is necessary; we simply have to be very careful in terms of the controls and when we bring such data back. I think that a lot of people are quoting time limitations and saying that past these dates we have to delete everything. This is not the case, and legitimate interest must be taken into consideration.


May 2018

