GDPR – It’s time to show your hand.

19 February 2018


I’m sure your business is deep in the weeds with understanding and remediating GDPR (General Data Protection Regulation), we all are. In the process of the mad rush to meet the 25th May deadline I often wonder, are we missing some parts of the bigger picture? On the surface it looks like another set of regulations that financial services organisations and their suppliers need to comply with, but there’s something subtly and importantly different about this regulation that makes it stand out from the growing crowd. Those differences are

  • The potential of weaponization of subject access requests
  • Supplier compliance risk
  • External proof for regulator and customers

The last two are effectively different lenses on the same problem of visibility.

The regulations imposed over recent years to the financial sector have involved a relatively simple, if sometimes fraught, relationship between the firm and their regulator. GDPR is different. Yes, firms must be ready to open their books to the Information Commissioner’s Office (ICO) for marking, but there are more people than the regulator to keep happy. While it’s true that having a demonstrable and defendable understanding of your deviations and a set of processes for managing Subject Access Requests and Breaches will halve your potential fines. However, in the cold light of day, the fines are probably not the thing keeping DPOs from their beauty sleep. The weaponization of Subject Access Requests and privacy remediation presents a real threat equivalent to an organisational scale denial of service attack. Potentially impacting both day to day operations and any bandwidth to make change and better prepared firms are already mobilising manual resources as a temporary solution and making allowances in their financial forecasts to cope.  I will probably return to the weaponization challenge in a later blog as it is such a potential business impact that it deserves some space and time dedicated to it. What they may be missing is that modern Financial Services companies, their clients and service provider firms are part of a tightly locked eco-system of data and service provision, each requiring GDPR compliance from each other.

Don’t be fooled into thinking about GDPR as an internal issue

For those organisations with large corporate customers, what happens when they come asking for your compliance status and plans? They are accountable as data controllers and processors themselves to their end customers and they are going to make very sure they share some of the risks they run with their Banks, Payment processors and other service providers. If your Data Breach management process doesn’t meet their needs or you are holding some of their toxic data how long do you think it will take for them to start asking some hard to answer questions or looking to move business to providers who can accommodate their enquiries? Hence the need for visibility, both to the regulator and to clients.

Be ready to demonstrate your GDPR strategy

While there is no black and white, compliant or non-compliant certification for GDPR and, even if there were, the likelihood that any organisation of any size would be fully compliant by 25th May is remote, procurement and vendor management teams will be drawing up risk profiles and will be toughening up and renegotiating contracts based on who they deem to be the best risk match or who can offer the best assurance of future compliance.

Getting help

On a practical note, getting this level of visibility for financial institutions is neither impossible nor is there a “Silver Bullet” solution. Thankfully there are several tools available in the market place that establish, maintain and demonstrate GDPR compliance for you.

We’ve built a relationship with Digital Control Room, with whom we have created the GDPR Integrator based on their GDPR Platform.  The GDPR Integrator is tailored to giving banks the enterprise data governance technologies, legal and compliance controls, and the managerial processes needed. However, you’ll need architects and programme delivery professionals with specific knowledge of the patterns and platforms of the finance sector to get the best out of it. As a result, you will have a detailed Plan that proves to regulators and all stakeholders that the bank is actively working towards GDPR compliance, and longer term architectural simplification.

Our approach, combining a GDPR Platform and experienced architects, means that GDPR won’t cause you to lose the game

Contact us

If you would like to know more about the GDPR Integrator that will pacify the GDPR regulators, please contact email


Don’t miss a thing! To receive future blogs and insight updates from Icon Solutions, simply register your details below:

You can unsubscribe at any point by clicking the link in our emails. Read our Privacy Policy.

* indicates required

Mady Dyson