GDPR and data security by design

In exactly one year, the General Data Protection Regulation (GDPR) will apply across the European Union, yet firms are struggling to prepare for its new data security obligations, given the sheer number of regulations coming into force in 2018.

With the MiFID II application date currently set at 3 January 2018 and PSD2 due 10 days later, firms are having to juggle preparations for these new obligations, a feat compounded by also having to comply with growing international obligations, such as SSAE 16 SOC 1 and ISO 27001, which add to the demands on already overburdened firms.

The consequences for non-compliance are severe.  Infringement of the rights enshrined in GDPR can result in a fine of 4% of global annual turnover or 20 million euros, whichever is greater.  The severity of these fines has set off alarms for firms and highlighted the requirement to comply.  But the monetary dimension is not the only concern.  A widely reported data breach could bring enormous reputational repercussions for firms that fail to comply.

How do we navigate the data security spaghetti junction?  JWG held its first Data & Security Special Interest Group (DSS) on data security on 11 May 2017.  Our focus was to demonstrate how GDPR, MiFID II, and PSD2 overlap and to facilitate a discussion to discern the best compliance approach and technical solutions.

After a fruitful discussion, we gained some key insights into where firms need to focus and how vendors can capitalise upon this regulatory opportunity.  It became apparent that firms need to create an overarching plan to ensure all their applications and operations comply with new regulations.  This article will draw out the key insights from our discussion surrounding this area.

Establishing the data security framework

One of the key questions that we considered is who has control of data within an organisation.  GDPR introduces explicit recognition of the concepts of “privacy by design” and “privacy by default”.  Firms must now consider data privacy at the initial design stages of a product, as well as the sustainability of that design over its lifetime.

This focus on design ties into the Senior Managers and Certification Regime (SMCR) and the corporate governance requirements of MiFID II.  The requirement under GDPR to appoint a data protection officer, where a certain level of data is being handled, will mean that firms can no longer take a siloed approach to data security.

These data protection officers will need to be heavily involved in the data security ramifications of any new project.  The obligations can only be met with significant organisational change, where departmental barriers are broken down and the exercise is perceived as an opportunity for increased interconnectivity within a firm.

Evidence of compliance

Another important consideration is the crossover between data security obligations and the Senior Managers and Certification Regime (SMCR).  It is not enough for firms simply to allocate responsibility: they must also demonstrate that they have taken “reasonable steps” to comply with the regulation.  What does this mean in the context of data security regulation?

As previously mentioned, GDPR requires firms to produce designs for how they plan to ensure data security and privacy.  It is not clear, however, whether it is the initial design or the continuous functionality of that design that is being tested.  Whilst the initial design might be compliant with data security regulations, it might not provide the flexibility to demonstrate continuous evidence of compliance.

Ensuring explicit consent is received

Both GDPR and PSD2 use the term “explicit consent” and require it to be given for certain types of data.  For ordinary non-sensitive data, GDPR requires that consent is “unambiguous”.  If the data is sensitive personal data, then “explicit” consent is necessary.  In GDPR, consent should be given “by a statement or by a clear affirmative action”.

The obvious question is how you differentiate between “unambiguous” and “explicit” consent in the context of a “clear affirmative action”.  Well, if I tick a box labelled ‘I consent’, then that is an explicit affirmative action.  On the other hand, if I fill out a form that has an optional email address field, with a note underneath saying it will be used to send information about products and services we think will interest you, then my consent to receive that information is unambiguous, but implied.

Firms will have to assess which data requires explicit consent and which data requires consent that is merely unambiguous.  This will require a complete overhaul of the metadata attached to that data and the adoption of innovative technological solutions to ensure compliance.  Firms must also offer clients the ability to withdraw consent.
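As an added illustration (not code from the article or from JWG), the following Python sketch shows one way to carry the distinction above into a system: every stored field is tagged with its data category (a constructed mapping, assumed here), each consent event is logged per purpose with the kind of consent obtained, processing is refused unless the consent on file meets the level required for that category, and withdrawal is recorded as history rather than deleted.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

class Category(Enum):
    ORDINARY = "ordinary"    # GDPR: consent must be at least "unambiguous"
    SENSITIVE = "sensitive"  # GDPR: consent must be "explicit"

class ConsentKind(Enum):
    NONE = 0
    UNAMBIGUOUS = 1  # implied by a clear affirmative action (optional email field + notice)
    EXPLICIT = 2     # a statement, e.g. a ticked "I consent" box

@dataclass
class ConsentRecord:
    kind: ConsentKind
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

# Constructed field metadata for this example: every stored field carries its category.
FIELD_CATEGORY = {
    "email": Category.ORDINARY,
    "health_status": Category.SENSITIVE,
}

class ConsentRegister:
    def __init__(self):
        self._records = {}  # (subject, purpose) -> list of ConsentRecord

    def record(self, subject, purpose, kind, when=None):
        when = when or datetime.now(timezone.utc)
        self._records.setdefault((subject, purpose), []).append(ConsentRecord(kind, when))

    def withdraw(self, subject, purpose, when=None):
        when = when or datetime.now(timezone.utc)
        for rec in self._records.get((subject, purpose), []):
            if rec.withdrawn_at is None:
                rec.withdrawn_at = when  # keep the history; just mark it withdrawn

    def current(self, subject, purpose):
        # Strongest consent still live for this subject and purpose, or NONE.
        live = [r for r in self._records.get((subject, purpose), []) if r.withdrawn_at is None]
        return max((r.kind for r in live), key=lambda k: k.value, default=ConsentKind.NONE)

    def may_process(self, subject, field, purpose):
        required = (ConsentKind.EXPLICIT if FIELD_CATEGORY[field] is Category.SENSITIVE
                    else ConsentKind.UNAMBIGUOUS)
        return self.current(subject, purpose).value >= required.value
```

The retained withdrawal timestamps are what let a firm later evidence both that consent was held and when it lapsed.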

Where do we go from here?

It is apparent that firms currently lack plans to allocate responsibility for data correctly and to ensure that data is protected to the same standard as money.  Whilst GDPR, amongst other regulations, is looming around the corner, there is still time for firms to adapt and prepare.

Preparation must be guided by greater collaboration between regulators, firms and vendors.  With regards to the latter, it is inevitable that firms will have to adopt the innovative solutions that RegTech vendors offer, but these solutions must be situated within an institutional framework.

If you would like further information about this group, or would like to participate in our special interest group, please contact us at  In addition, to learn about the latest developments in financial regulation and receive our in-depth analysis, you can subscribe to our newsletter or follow us on Twitter and our DSS-specific LinkedIn group.