
01.06.22

abaQon Project Report: Data Protection / GDPR

THE PROJECT

A renowned UK-based private bank was faced with new regulatory requirements imposed by the latest General Data Protection Regulation (GDPR), which came into force on 25 May 2018.

From the perspective of an EU citizen, the new regulation aims to protect personal data and strengthen data privacy; for a data-driven financial institution, however, the need to comply with nearly one hundred legal articles created a significant workload. The strong regulatory focus on the rights of individuals, combined with a complex IT architecture that processes and stores customer data, presents a significant challenge even for a mature organisation. For this reason, the project workload was planned and executed in a balanced, risk-weighted manner.

OUR CONTRIBUTION

A team of abaQon consultants delivered a formal project methodology, underpinned by a focus on traceability, which helped to structure the requirements and resulting deliverables. Due to the regulatory nature of the implementation, there was a need for consistent standards of project documentation and evidence gathering for all decisions to create a fully defensible set of information for audit purposes.

The delivery included a new IT build to support the mandated regulatory and customer-driven use cases – such as Subject Access Request (SAR) or Right to be Forgotten – and the definition of the complementary processes these required. As a particular area of expertise, our team took the lead role in implementing, configuring and testing the data erasure module for the core banking system (Avaloq).

In addition, abaQon was directly involved in the analysis, documentation and implementation of requirements for the strategic remediation of more than 20 high-risk systems (Avaloq being the master system for customer relationship data). The remediation activities covered aspects such as data retention, data minimisation and end-to-end data flow controls.

Note: Although the project was driven by the EU GDPR, Swiss institutions that do business with EU residents must also comply with its provisions. In the near future, GDPR’s Swiss counterpart, the DSG, will come into force, which will have legal implications for institutions serving Swiss residents as well.

Tags: Data Protection, GDPR, Project Report

Project Responsibility

Robert Bielecki, Associate Partner

Co-Author

Sabine Stepper, Manager