Amid growing concerns surrounding the safety of personal data from identity theft, cyberattacks, hacking or unethical usage, the EU has introduced new legislation to safeguard its citizens. The EU General Data Protection Regulation (GDPR) aims to standardise data privacy laws and mechanisms across industries, regardless of the nature or type of operations.
Most importantly, GDPR aims to empower EU citizens by making them aware of the kind of data held by institutions and the rights of the individual to protect their personal information. All organisations must ensure compliance by May 25, 2018.
While banks and other financial firms are no strangers to regulation, adhering to these guidelines requires the collection of large amounts of customer data, which is then collated and used for various activities, such as client or customer onboarding, relationship management, trade-booking and accounting. During these processes, customer data is exposed to a large number of different people at different stages – and this is where GDPR comes in.
So, what does the introduction of GDPR actually mean for financial institutions, and which areas should they be focusing on? Brickendon’s data experts take a look at five key areas of the GDPR legislation that will have the biggest impact on the sector.
- Client consent
Under the terms of GDPR, personal data refers to anything that could be used to identify an individual, such as a name, email address, IP address, social media profile or social security number. By explicitly mandating firms to gain consent from customers about the personal data that is gathered – with no automatic opt-in option – individuals know what information organisations are holding.
Also, in the consent system, firms must clearly outline the purpose for which the data was collected and seek additional consent if firms want to share the information with third parties. In short, the aim of GDPR is to ensure customers retain the rights over their own data.
- Right to data erasure
GDPR empowers every EU citizen with the right to data privacy. Under the terms, individuals can request access to, or the removal of, their own personal data from banks without the need for any outside authorisation. This is known as data portability. Financial institutions may keep some data to ensure compliance with other regulations, but in all other circumstances where there is no valid justification, the individual’s right to be forgotten applies.
- Consequences of a breach
Previously, firms were able to adopt their own protocols in the event of a data breach. Now, however, GDPR mandates that data protection officers report any data breach to the supervisory authority of personal data within 72 hours. The notification should contain details regarding the nature of the breach, the categories and approximate number of individuals impacted, and the contact information of the data protection officer. Notification of the breach, the likely outcomes and the remediation must also be sent to the impacted customer without undue delays.
Liability in the event of any breach is significant. For serious violations, such as failing to gain consent to process data or a breach of privacy by design, companies will be fined up to €20m ($23m) or four percent of their global turnover – whichever is greater. Lesser violations, such as records not being in order or failure to notify the supervisory authorities, will incur fines of two percent of global turnover. These financial penalties are in addition to potential reputational damage and loss of future business.
- Vendor management
IT systems form the backbone of every financial firm, with client data continually passing through multiple IT applications. Since GDPR is associated with client personal data, firms need to understand all data flows across their various systems. The increased trend towards outsourcing development and support functions means that personal client data is often accessed by external vendors, which significantly increases the data’s net exposure. Under GDPR, vendors cannot disassociate themselves from obligations towards data access. Similarly, non-EU organisations working in collaboration with EU banks or serving EU citizens need to ensure vigilance while sharing data across borders. In effect, GDPR imposes end-to-end accountability to ensure client data stays well protected; it does this by compelling not only the bank but also its support functions to embrace compliance.
- Pseudonymisation
GDPR applies to all potential client data wherever it is found – whether it is in a live production environment, during the development process, or in the middle of a testing programme. It is quite common to mask data across non-production environments to hide sensitive client data. Under GDPR, data must also be pseudonymised into artificial identifiers in the live production environment. These data masking or pseudonymisation rules aim to ensure the data access stays within the realms of the ‘need to know’ obligations.
Given the wide reach of the GDPR legislation, there is no doubt that financial organisations need to re-model their existing systems or create newer systems with the concept of Privacy by Design embedded into their operating ideologies. With the close proximity of the compliance deadline, firms must do this now.
There are three steps that companies must now embark on: identify client data access and capture points; collaborate with clients to gain consent for justified usage of personal data; and remediate data access breach issues. Failure to do at least one of these now not only cause financial pain in the long run, but will also erode client confidence.
A study published earlier this year by Close Brothers UK found that an alarming 82 percent of the UK’s small and medium businesses were unaware of GDPR. Recognising the importance of GDPR and acting on it is therefore the need of the hour.
