With the EU General Data Protection Regulation (GDPR) scheduled to come into effect in two years’ time, the clock is ticking. The central tenet of the regulation is that organisations will need to demonstrate compliance with it in its entirety and be fully accountable for any lapses, even inadvertent ones. It is perhaps the most ambitious piece of legislation (spanning all 28 member states) thus far, and one that truly means business. The maximum fine for non-compliance, 4% of the organisation’s worldwide turnover, is substantial for any organisation.
Ubiquity of End User Computing applications – a huge risk to compliance
In the banking and financial sector, where Microsoft Excel, financial models and databases are the ubiquitous, fundamental tools for data management and analysis, these End User Computing (EUC) applications potentially pose one of the biggest risks to GDPR compliance. A firm may hold millions of Excel workbooks, each with multiple worksheets running to millions of cells, and ensuring that these mammoth files comply with the various GDPR requirements – including the right to be forgotten, data portability, and the anonymisation and pseudonymisation of personal information – is no easy task.
There’s no prescription for GDPR compliance
The perennial problem with most new regulations is that regulators are consciously moving away from a prescriptive, siloed, rules-based approach in favour of best-practice processes and continuous governance. Fundamental to GDPR compliance, or indeed to any data-related regulatory compliance, is therefore a three-step process: discovery, risk assessment and thereafter ongoing monitoring to minimise new risks.
Foremost, an accurate understanding of the EUC application estate is imperative, especially as it is common practice for employees to export data from core enterprise systems such as SAP and Bloomberg Terminal for financial analysis and modelling. This discovery process enables organisations to identify the EUC applications and files that contain the private and confidential records of individuals.
With an exhaustive inventory of files, the next logical step must be to classify them into categories based on the level of risk each poses. For instance, an EUC file containing employees’ personal details and national insurance numbers, or client data held for the ‘Know Your Customer’ requirement, is likely a high-risk file compared with, say, a spreadsheet that inadvertently contains sporadic entries of personal records. This kind of in-depth understanding and visibility enables organisations to manage those files appropriately and proactively for GDPR compliance.
Finally, it is vital that organisations embed governance processes into their day-to-day business operations so that EUC files can be closely monitored. In today’s dynamic business environment, with ever-increasing volumes of data accessed in a number of formats and via a variety of devices, the ability to detect anomalous behaviour in near real time is critical to minimising the risk of regulatory non-compliance. To illustrate, in preparing a client statement, an employee in the finance department of a bank exports data from the organisation’s SAP system into an Excel spreadsheet containing personal details such as name, email address, phone number and bank details. The bank must be able to apply auditable security controls to that particular file immediately, so that the personal information it contains is sufficiently protected. In fact, a key principle behind the GDPR is ‘privacy by design’, and establishing such processes will go a long way towards embracing that sentiment.
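As an added example for the discovery and classification steps above (written for this edit, not taken from the article or any vendor’s tool), the Python script below scans constructed CSV exports for the personal-data fields the article names and maps the findings to its three risk tiers; the detection patterns, the ‘sporadic’ threshold and the sample rows are all assumptions.

```python
import csv
import io
import re
from collections import Counter
# Detectors for the personal-data fields the article names. The National
# Insurance pattern is the published UK shape (two letters, six digits, one
# suffix letter A-D) without the prefix exclusions; the others are simplified.
DETECTORS = {
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{3}\s?\d{3}\b"),
}

# Constructed sample exports (not real data): payroll sheet, client list, pricing sheet.
PAYROLL = "employee,ni_number,email\nA. Example,AB123456C,a.example@bank.example\n"
CLIENTS = ("client,note\nAcme Ltd,call 07700 900123 re statement\n"
           "Beta plc,no change\nGamma SA,no change\nDelta Inc,no change\n")
PRICING = "instrument,price\nGILT 2030,98.4\nFTSE 100 future,7400\n"

def scan_rows(rows):
    """Count hits per detector and the fraction of rows carrying any personal data."""
    hits, rows_with_pii, total = Counter(), 0, 0
    for row in rows:
        total += 1
        row_hit = False
        for cell in row:
            for name, rx in DETECTORS.items():
                n = len(rx.findall(cell))
                if n:
                    hits[name] += n
                    row_hit = True
        rows_with_pii += row_hit
    return hits, (rows_with_pii / total if total else 0.0)

def classify(hits, density, sporadic_threshold=0.25):
    """Map findings to the article's tiers: national insurance numbers or dense
    personal data is high risk, a few sporadic entries medium, nothing found low."""
    if hits["ni_number"] or density >= sporadic_threshold:
        return "high"
    return "medium" if hits else "low"

def assess_csv(text):
    """Assess one CSV export held as text; returns (tier, hits, density)."""
    hits, density = scan_rows(csv.reader(io.StringIO(text)))
    return classify(hits, density), dict(hits), density

if __name__ == "__main__":
    for name, text in [("payroll", PAYROLL), ("clients", CLIENTS), ("pricing", PRICING)]:
        print(name, *assess_csv(text))
```

In practice the inputs would come from the file inventory produced by the discovery step, and the national insurance pattern should be tightened with the published prefix exclusions before relying on it.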
The days of tick-box compliance are long gone. Falling foul of the GDPR will be costly, not to mention the much more far-reaching consequence of reputational damage. EUC applications present one of the biggest risks of non-compliance, and yet the reality is that many organisations simply do not undertake strategic EUC application management. So while, from an external perspective, organisations are challenged by the regulation, internally they are beleaguered by a lack of visibility of the compliance risks they face. Organisations need to make EUC application management a compliance priority. Only when they ascertain where the risk lies can they meaningfully determine where controls need to be applied for auditable, reliable compliance. It is a rational approach.