Nordea ‘Data protection is a human right’ (GDPR event - Part I)
We recently held an executive dinner in Copenhagen around the subject of the new EU General Data Protection Regulation (GDPR). It was a fascinating and robust discussion about the impending regulation, and it was clear that companies are at varying degrees of preparedness for GDPR compliance. One of the most striking stories was given by the head of GDPR and Privacy at Nordea, which is in the midst of a journey toward GDPR that began five years ago.
The Nordea speaker began by explaining that, whilst banks are used to stringent rules from the Financial Supervisory Authority (FSA), GDPR is one of the most comprehensive regulations yet seen and the most lobbied ever in the European Union.
However, it's one thing to want to comply, and another thing to succeed.
Further, she believes that full compliance requires both a "top down" and a "bottom up" approach: executive commitment coupled with maturity and legal assessments, and a fleet of enterprise architects, information architects, data engineers and lawyers.
To do this, Nordea is operating its GDPR project from a recently created privacy office that reports to the CISO (infosec is our friend). Interestingly, the security team at Nordea now reports to the COO (deputy CEO), an example of just how seriously it is taken at the company. As the GDPR mandates in the longer term, the privacy office will evolve into a Data Protection Office, and this will require fitting it to the Three Lines of Defence model used by many FSA-regulated firms. Defence in depth is important, as relying on perimeter security is insufficient in today's mobile IoT world.
The speaker then went on to say that their work is not just about being compliant with GDPR by 25th May 2018. They passionately believe that the human rights of their customers should be respected, and this effort will go on long beyond the introduction of the act. I really like this concept; it is, after all, what the GDPR is all about. We are custodians of our customers' data; we don't own it, the customer does, and we need to care for it better than the owner would. Nordea's efforts around GDPR show that they value their customers and respect their rights, ultimately enhancing their brand and creating trust.
The second half of the talk was given by the IT Compliance part of the bank. GDPR expertise is intentionally placed close to the business functions, and IT and its data are no exception. International banks have the challenge that data crosses multiple platforms, jurisdictions, languages and information owners. It is also worth noting that although the size of application data is important (one application required 2.6 billion rows to be masked), more important is the sensitivity of that data. This requires data profiling and process guides for data controllers to follow.
This was a hugely insightful talk, and many thanks go to our customer Nordea for telling their GDPR story. They are right: data protection is a human right, and it's up to IT practitioners, compliance officers, lawyers and risk managers to work together and safeguard their most important asset - their customers.
In Part II, I will summarize some of the discussion that followed this talk. In the meantime, if you want to learn more about the Delphix data masking solution for GDPR, click here.