Let's get GDPR right at Danske Bank!! November 21st, 2017


Getting GDPR right at Danske Bank requires a great deal of collaboration!!

GDPR Programme, IT, HR, Communication, Legal & Compliance

Agenda

Danske Bank's Approach
GDPR data mapping
GDPR Solution Portfolio
Collaborative Implementation

GDPR History within The Danske Bank Group

The first remarks on the new regulation are presented in Danske Bank Group. The regulation is subject to many political discussions and a concrete set of rules seems far away. It is advised to follow the development of the regulation in order to assess the consequences for Danske Bank Group.

A project has been established in Group IT in order to initiate and anchor the implementation work surrounding the GDPR. Challenges in terms of scope, extent and funding within the business are arising. The GDPR was formally approved in the European Parliament in April, with a 2 years and 20 day implementation deadline.

In order to avoid double work, considerations point to replacing these work streams with autonomous projects that are able to work across the units and countries. It is an element that the implementation process must be conducted using a risk based approach, with the least disturbance of the business and in the most cost efficient way. In addition, an angle toward Danske Bank Group's customers must be taken into consideration.

The GDPR SteerCo is established. In order to create an overview the Program now works with the Program Map as a guidance for the activities that are initiated. In addition, documents now include the legal requirements converted into actual actions and traceability of the link between decisions and solutions/initiatives. NNIT has presented the first drafted version of the gap analysis, which does not identify all of the GDPR risks. The first GDPR Solution Project is approved and initiated.

Timeline: January 2012, Jan-May 2016, Oct-Dec 2016, May-Jun 2017, Fall 2015, May-Sep 2016, Early 2017, Jul-Aug 2017

The regulation has begun to take form. Legal and Compliance advise the establishment of a working group in order to consider the implementation of the regulation. However, the European Council has not yet formally passed the regulation.

The GDPR Programme is established. The GDPR requirements are mapped and translated into high level actions and defined as work streams. However, it turns out that the work streams overlap considerably across various business units because the IT systems entwine and data flow through many systems at once.

It is approved by the SteerCo to take a Top-Down approach on process level and go with a pilot with NNIT. The overall purpose of the data mapping provided by NNIT is to point out the relevant gaps and where to focus the changes necessary for ensuring compliance, by applying a risk based approach. See next slide for further information.

Onboarding the GDPR Projects and adjusting scopes to each Solution Project. The new GDPR Reporting format is created to improve GDPR understanding, illustrate gaps across multiple countries, and communicate the distinction between the Group level Solution Projects and the responsibility of each individual business entity.

GDPR Programme Organization

The GDPR Programme is anchored in Personal Banking, with a Steering Committee consisting of all Executive Board members except Thomas Borgen.

GDPR Programme Steering Committee
Jesper Nielsen (PB) - Chairman
Tonny Thierry Andersen (WM)
Henriette Fenger Ellekrog (HR)
Lars Stensgaard Mørch (BB)
Flemming Stig Pristed (Legal)
Jim Ditmore (IT)
Anders Meinert Jørgensen (Compliance)
Kim Larsen (Communications)

Legal & Compliance Partners, Programme Management, GDPR Business analyst
Henrik G. Kilsgaard (Group Legal)
Niels Lysgaard Mikkelsen (Group Legal)
Ditlev Hvelplund (Group Compliance)
Anne Birch Christensen (Group Compliance)
Kristine Timand Pedersen (Group Compliance)
Ole Steen Brams (Programme Lead)
Niels E Lindstrøm (IT Programme Lead)
Kim H. Hendriksen (PB)
Melanie Ranfelt (IT)
Thomas Schmidt Rudolf (Sponsor)
Kim Uhd Jepsen (IT), Lead Business analyst
Beate Larsen (IT), Business analyst

GDPR Data Mapping: 28 Business Leads, 25 consultants
GDPR Solution Portfolio: 20-25 Project Managers, between 1 and 25+ specialists per project

Danske Bank's GDPR data mapping approach

Danske Bank has explored various approaches to the GDPR data mapping in order to identify the most suitable one. After exploring a bottom up and IT driven scanning approach, the GDPR Programme selected a Top-Down Approach, utilizing the consultants from NNIT to support the group wide GDPR data mapping.

The overall purpose of the data mapping is to document the processes that contain personal data and the legal basis for processing it, to identify which systems the data is processed in, and finally to document the surrounding organizational and technical security controls.

The Top-Down approach was selected to ensure quick progress and must be viewed as a starting point for documentation, where Danske Bank's business entities and the GDPR Programme must collaborate to take steps to further clarify and investigate the appropriate solutions to ensure compliance.

As a result of selecting the interview based approach delivered by NNIT, Danske Bank has accepted the fact that the data quality will never reach 100% and that this report will not be able to deliver a completely exhaustive gap report. It is, however, the best solution available at the time of this reporting.

GDPR Programme components

The three GDPR Programme Pillars
1. Group wide data mapping
2. Group wide Solution Projects
3. Business unit level projects

The data mapping has been carried out using a risk based approach, where the sequence of the business entities is decided by their amount of personal data and level of complexity. The Group wide data mapping is conducted by each business unit with the assistance of both GDP and NNIT Consultants. The latter have facilitated the data mapping workshops and collected the GDPR data in a GDPR Tool.

The Group wide Solution Projects are approved by the Danske Bank GDPR Steering Committee consisting of the entire ExBo, minus Thomas Borgen. Once a project manager has been allocated she co-creates a project charter, which is to be approved by the Project Steerco, on which the GDPR Programme is always represented.

The Group wide Solution Projects are designed to cover the entire Group. This is not feasible in every case, because some business entities run on separate IT platforms, demanding local GDPR Projects. These will also be monitored by the GDPR Programme to ensure that the entire Group reaches the desired compliance levels.

GDPR data mapping update

Danske Bank has applied a risk and capacity based approach to our data mapping, starting with the entities with the largest amount of personal data and complexity.

Slide columns: #, BUSINESS ENTITY, MAY, JUN, JUL, AUG, SEP, OCT, STATUS, COMMENTS. Each row below gives the number, the business entity and the comment.

1 Personal Banking (additional processes*): Is finalizing legal and IT validation in August. Ready for final report early September.
2 Wealth: Has mapped majority of processes, missing minor processes due to vacation.
3 Life and Pension: Final GDPR Report in new format to be presented on August 21.
4 Marcom (starting with PB): Will close final steps late August and receive GDPR report early September.
5 Baltics (Three countries, same IT system): Has mapped all operational processes during July, supporting processes to be mapped early Sep.
6 GTIL & GSL: Has been postponed to September to allow for scope to be validated.
7 Group HR: HR Danish processes have been mapped and instructions for local validation distributed in July.
8 HR Services: Has started preparations in August.
9 Group Risk: Close to IT and Legal validation.
10 C&I plus International banking: Has started preparations in August.
11 Group Operations (only Personal Banking): Preparing for process mapping workshops.
12 Transaction Banking: Preparing for process mapping workshops.
13 Northern Bank (UK): Has mapped 50% of all processes, rest will be mapped early September.
14 Non-core banking (Ireland): Preparations in progress will conduct.
15 Nordania Leasing: Workshops in progress, will be ready for IT and Legal validation end August.
16 Mobile Pay: Preparations in progress, due to book workshops for process mapping.
17 Mobile Life: NDA discussions have slowed progress, but this has been resolved August 16th 2017.
18 Business Banking (incl. Operations): Has booked workshops and is ready to start data mapping.
19 Group Physical Security: Has booked process mapping workshops.
20 CRM: Will be mapped in August, has not been booked due to vacation.
21 CFO/ Group Finance: Has booked process mapping workshops.
22 CFO/ Treasury: Has booked process mapping workshops.
23 Home: Finishing up IT and Legal validation.
24 Group Process Dev.: Preparations have started.
25 Group Audit: Finishing up IT and Legal validation.
26 Group Procurement: Has been mapped over the summer break and is in progress with IT and Legal validation.
27 CFO/ Group Compliance: Preparations have started.
28 CFO/ Group Legal: Not started due to summer vacation.
29 Realkredit Denmark: 3-5 processes will be mapped in September. Preparations done.

* Has been added since last SteerCo

Legend, phases: Preparing, Data mapping, Reporting
Legend, status: On track, Minor delay, Major delay

Danske Bank Group's New GDPR Reporting Format has been introduced in August 2017 in order to move beyond communicating gaps, enabling immediate action.

New GDPR Reporting Format objectives:
1. Improved understanding of the GDPR.
2. Ability to include gaps in multiple countries
3. Clarify Group level solutions
4. Describe business entity responsibilities

What has been retained from the NNIT report:
The new report still contains the data collected during the GDPR workshops across your business entity.
The data relating to the gaps between your current state and the GDPR requirements is displayed in high level charts inside the report.
The data in each chart can be explored in great detail in the spreadsheets located in the appendixes.

What has been improved in the new format:
The new report explains the GDPR requirements, your business entity gaps, how the group solutions help resolve them and your business entity responsibilities.
The new report has an outside-in structure, starting with the customer perspective, moving to business entity impact and closing with group level impact.
The data is broken into lists, enabling immediate action.

Customer centric approach

Customer experience has been a key design criterion since inception. The aim is to move beyond tick-box compliance towards a joint effort to improve the customer experience.

GDPR SteerCo material from January 2018

Group wide Regulatory Innovation workshop conducted on August 28th 2017

The GDPR Programme has set an ambitious course from the inception of the programme to deliver positive customer experience, despite the volume and complexity of the compliance requirements.

To build on the initial ambition the GDPR Programme hosted a group wide workshop on integrating innovation into the regulatory. The keynote speaker was PhD Åke Freij, who inspired the participants for an hour. The GDPR Programme facilitated a five stream breakout session to explore the application in Danske Bank.

The 60 participants agreed that the learnings should inspire a more proactive approach, completely in line with Danske Bank's aspiration to turn regulatory requirements into business opportunities.

GDPR at Danske Bank - Inspiring Customer Confidence