Wind of Change in Corporate Regulations – Understanding how to prepare for stricter compliance requirements
Corporate regulations and compliance have changed radically to fit the online world we now live in. They are highly likely to change again in the future to respond to new challenges and it is vital that organisations are able to make fixes fast. The penalties for non-compliance are serious now but will soon become a game-changer. For example, GDPR (General Data Protection Regulation) could levy fines of up to £20m or 4% of your turnover.
In the same way that oil and gas companies have had to change their procedures to make sure that leaking pipes do not damage the physical environment, organisations are now having to understand where their sensitive data is and how to contain it. Data is the new leaky disaster waiting to happen. Organisations have to protect customers, staff, companies and the economy from devastating data breaches.
If you do not understand what your data is, or where it’s stored, you
- will take longer to notice that it has been stolen
- won’t know where it has been stolen from
- won’t know the extent of the theft, and
- won’t be able to prevent a breach from reoccurring.
It can be even more dangerous when you move it around. If data flows are not controlled your data can dribble away through all the gaps in your systems and end up hidden in remote spots, such as in files and spreadsheets on users’ machines. Even worse it can end up outside the firewall.
The implications for organisations that allow data leaks have always been serious but up to now the long-term effects have been easier to keep out of sight. Now data leaks hit the headlines immediately and can do a lot of damage to the reputations of organisations, and those who manage them.
There have been a lot of very painful data breaches that affected UK consumers already in the 21st Century, including Yahoo, Tesco and Morrisons. The companies involved lost significant money in fines but, perhaps more importantly, reputation and customer trust.
Many software suppliers have built tools to help organisations take control of their reporting. This is so that they can provide information in the right shape to comply with the changing regulations. These are great but they will all require a robust data and integration strategy to underpin them and make them work. ‘Garbage in, Garbage out’ has never been truer.
The good news is that there are things you can do to fix the problem now, and for the future. It takes a bit of investment and effort but the benefits are clear. Setting up a robust approach to data and integration with processes that are clean, clear and effective has never been easier. There are tools and operating ￼models￼ to revolutionise your IT delivery capability and ensure compliance to existing and future new regulation.
Here is a quick guide to three pieces of new legislation your organisation must comply with.
- ePrivacy Directive
- Fourth Money Laundering Compliance Directive
Fines for non-compliance – up to £20M or 4% of turnover.
It will still be law in the UK after Brexit.
This should be on everyone’s radar by now but organisations have been slow to act. A recent survey of 900 businesses in the UK, France and Germany showed that fewer than 10% of them even understood the legislation.
GDPR means that if you store any data personal to a person you must be able to
- secure it
- encrypt it
- delete it after a reasonable time
- forget it on demand.
This applies not just to standard personal data but also to genetic, health, cultural, economic and social data and anything that can identify an IP address. This is more than just name, address and bank details.
You need to ask yourselves some questions:
- Do I know where all my data relating to people lives in my systems? This applies to official and unofficial copies.
- Do I know how all my data is maintained and by whom?
- Do I know who owns the policy on each element of the data?
- Could I find all the data relating to a particular person on demand?
- Do I know who is responsible in my organisation for making sure questions 1 to 4 can be answered?
If these questions make you nervous you need to think about your data and integration strategy.
Fines for non-compliance – up to £20M or 4% of turnover.
Alongside GDPR, The European Commission has announced it will implement a new ePrivacy Regulation within the same timescale – a deadline of 25th May 2018. This regulation will require organisations to put in the same controls over instant and social media messaging services and VoIPs (e.g. Skype) as currently exist for telephone calls, emails and SMS messages.
This means that organisations will have to provide robust tools for enabling the people they message to opt-in or out of cookie usage and unsolicited marketing. The directive also creates new rules about the confidentiality of customer information.
You will need good control over your customer data in order to ensure that this can be complied with and prevent penalties.
Fourth Money Laundering Compliance Directive
Fines for non-compliance – up to €5M or 10% of turnover.
This EU regulation, MLR 2017, was introduced in 2017 and set out many new rules that organisations must follow to prevent money laundering. This includes making customer due diligence more effective by insisting on a risk-based approach.
- Risk profiling requirements
- Setting up an MLRO (Money Laundering Reporting Officer)). Someone who carries the can if it all goes wrong
- Improvements to internal audit and due diligence
- Customer due diligence and monitoring
- Client due diligence – the ability to check client identities, identify potentially fraudulent transactions, verification of identities of individuals acting for the client
- Internal systems and controls
- Effectiveness of internal controls
- Effective policies, controls and procedures to eliminate fraud
- Processes to protect politically exposed persons (PEPs) and identify them to spot and prevent conflicts of interest.
- Effective record keeping
All these rules require fast access to accurate and secure data. If your data and integration processes are not robust it will be easy to lose control and attract penalties. These can be punitive and affect individuals as well as the organisation.
The MLRO must be a Senior Manager under the new rules. What this effectively means is that an individual is personally accountable for any failings in a firm’s anti money laundering systems and controls. Poor data may result in MLR breaches, putting that individual in the firing line. Possible sanctions include individual fines or other actions, for example a banning order. The firm will also attract punishment, usually a fine, if the breach is deemed serious enough.
So What Can You Do?
Data sitting quietly in badly protected systems is dangerous. When that data starts to move around, inside your organisation and outside the firewall, it can become lethal. Smart-looking reporting tools and user-facing apps are not enough. They need good quality, secure data to drive them.
The good news is that it isn’t too late! You need to make sure that you have someone in your organisation who cares about the structure, availability and security of data in your systems. You also need processes and people to simplify and control the movement of data around and outside your business.
Create a capability to manage data and the movement of it and compliance will be much easier. As a side benefit, you will also be enabling your IT department to react much faster and cost-effectively to the system changes you need to move your business forward.
Talk to Wheeve about how to set yourselves up to address the new regulations and build capability, speed to market and control into your IT delivery into the bargain.