• Data Analytics @ Structured Data
• Data Analytics @ Unstructured Data
• Data Analytics @ Suspicious Transaction Reporting (STR)
• Data Analytics @ EBAM Systems
• Big Data Analytics @ Hadoop, Spark

• Treasury Management Systems (TMS)
• Enterprise Resource Planning (ERP)
• Order Management Systems (OMS)
• Execution Management Systems (EMS)
• Assets Classes Pricers

• Currency Data – Direct Pairs, Indirect Pairs
• Cross Currency Data – G7 Crosses, G20 Crosses
• Interest Rate Swaps (IRS) Data
• Overnight Index Swaps (OIS) Data
• Credit Derivatives Reference Data

• BCBS 2329
• Fundamental Review of Trading Book (FRTB)
• Global Data Prevention Regulation (GDPR)
• Markets In Financial Instruments Directive II (MiFID II)
• Markets In Financial Instruments Regulation (MiFIR)
• Securities Financing Transaction Regulation (SFTR)

Ensure your organisation understands the impact of GDPR and can identify any issues that could cause compliance problems. Senior management buy-in is essential and large organisations may need to look at resource allocation.

Document all personal data that is held by the organisation, including data that falls into special categories, where the data came from, and any other organisations it is shared with. An information audit across the organisation or within particular businesses may be necessary. GDPR also requires data processing activities to be recorded. For example, if inaccurate personal data is shared with another organisation, the inaccuracy must be communicated to ensure both organisations correct the data. This action must be documented.

Current privacy notices should be reviewed and amended in line with GDPR requirements. Personal data collection currently requires giving people information such as the organisation's identity and how it intends to use the information. Under GDPR there are additional requirements, including the need to explain the lawful basis for processing the data, retention periods, and individuals' rights to complain to supervisory authorities if they think there is a problem with the way their data is being handled.

Policies and procedures should be checked to ensure they cover individuals' rights under GDPR. The rights are: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making including profiling. In great part, the rights of individuals under GDPR are the same as those under the Data Protection Directive - or the Data Protection Act as the directive is interpreted in UK legislation. The right to data portability is new, but only applies to personal data an individual has provided to a controller where processing is based on an individual's consent or for the performance of a contract, and when processing is carried out by automated means. All personal data must be provided in a structured, commonly used and machine readable format, and must be free of charge.

Organisations need to review and be able to identify their lawful basis for processing personal data, document the lawful basis, and explain it in privacy notices. While a lawful basis for processing does not have many practical implications under current law, GDPR modifies some individuals' rights depending on the lawful basis for processing their personal data. Be aware, for example, that individuals have a stronger right to have data deleted where an organisation uses consent as the lawful basis for processing.

Firms should review how they seek, record and manage consent and make changes where necessary. GDPR requires consent to be freely given, specific, informed and unambiguous. There must be a positive opt-in - consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must be separate from other terms and conditions, and there must be simple ways for individuals to withdraw consent. There is not necessarily a need to repaper or refresh existing consents for GDPR, although where there is reliance on individuals' consent to process their data, make sure the consent meets the GDPR requirements above. If it doesn't, alter consent mechanisms and get fresh GDPR compliant consent, or identify an alternative lawful basis for processing individuals' personal data.

Procedures need to be in place to detect, report and investigate personal data breaches. GDPR introduces a duty for all organisations to report certain types of data breach to their supervisory authority, and in some cases, to individuals. A breach only has to be notified where it is likely to result in a risk to the rights and freedoms of individuals.

GDPR makes privacy by design a legal requirement and data protection impact assessments (DPIA) mandatory in certain circumstances, particularly when data processing is likely to result in high risk to individuals. Organisations should assess where DPIAs may be necessary, who will run them, and whether they should be run centrally or locally.

Organisations must consider whether they need to formally designate a data protection officer (DPO) on the grounds that they are a public authority or an organisation that carries out regular and systematic monitoring of individuals on a large scale. If an organisation needs a DPO, someone must be designated to take responsibility for data protection compliance and a decision must be made on where the role will sit in the organisation's structure.

Organisations carrying out cross-border processing within the EU must determine a lead data protection supervisory authority and document this. The lead authority is the supervisory authority in the state where an organisation's central administration is located or the location where decisions about the purposes and means of processing personal data are taken and implemented.

• Financial Institutions (FI)
• Master Data Management (MDM)
• Data Protection Impact Assessment (DPIA)
• Privacy Impact Assessments (PIA)
• Data Protection Officers (DPO)