GDPR programme development at a leading global bank

By Certeco | October 20, 2017 | Categories: Case Studies


Our client, a subsidiary of a leading global bank based in London, had identified that its data protection policy and procedures were considerably out of date and hadn’t been updated for a number of years.

During this time, the regulatory landscape had changed considerably and the bank’s data protection policy didn’t reflect these changes. A full review was therefore required to ensure compliance with new regulatory and statutory requirements, as well as to ensure that the data protection policy adhered to best practice procedures.

The review needed to reflect the incoming EU General Data Protection Regulation (GDPR) requirements and also had to consider the current and future structure of the business.


Knowledge of data protection, GDPR and upcoming UK and EU regulatory and statutory requirements, along with experience of implementing policies and procedures in a wholesale and retail banking environment, was key to a successful outcome. Certeco was selected on the basis of its expertise in this area.

The Certeco team agreed a policy-led approach with the bank, with the rollout of the policy to be undertaken by the client after the completion of the project. Certeco then mobilised a project team of business analysts and data protection regulatory specialists to establish the full scope of work, including the impact of GDPR and a data protection framework.

Multiple workstreams were created to deliver a number of aspects of the project, including a new data protection framework and updated policies. Another workstream focused on privacy impact assessments and the associated training across the business, whilst another dealt with data subject rights request policies. Workstreams were also set up to deal with data protection reporting requirements for management information (MI) purposes and with the preparation of training materials for all-staff training. This included the development of specialised data protection materials for areas that had been identified as high risk.


  • Insight: independent expert insight into the current state of the data protection framework and the business assessment of the impact of new regulations on the business.
  • Risk reduction: compliance with data protection regulations and GDPR requirements improved the client’s confidence and reputation.
  • Knowledge transfer: the delivery ensured the client had a much deeper understanding of the impact and importance of privacy legislation on its business.
  • Capacity: the increase in resource enabled the client team to focus on business priority issues and risks while improving standards.
