In the fourth part of his monthly series on GDPR, Kris Lahiri, Chief Security Officer at Egnyte, looks at how financial services organisations should approach the new regulation.
Now that the tax year is over and everyone will start prepping their paperwork for 2016/2017, I figured it would be a good time to take a look at how financial services organizations will be affected by the new GDPR.
Throughout the history of the financial services industry, data has always been the lifeblood of the sector, whether it’s used for spotting trends, helping analyze returns, or a number of other vital processes. As we have advanced in the digital age, the proper use, management and optimisation of this information has never been more critical.
Against this backdrop, the EU has approved the highly anticipated General Data Protection Regulation (GDPR) to account for the rapid increase in the use of data and for how our behaviour towards personal data usage has changed over the last 22 years (since the previous EU Directive was introduced in 1995).
The GDPR will put individuals in control of their personal data (like tax information) empowering them to choose how businesses (like accounting firms) handle their data. When personal data is not properly handled, individuals will have increased rights to legal recourse and can, in some instances, claim compensation. Regulators across the EU will have unprecedented power to enforce the legislation and impose hefty fines in instances of non-compliance.
Given that the financial services industry deals with a large amount of sensitive content, it will likely be under greater scrutiny under the GDPR. Regulators are expected to keep a close eye on financial services organisations such as banks, brokerage houses, insurance companies, asset management firms, and more.
While there are more than a dozen headline changes that financial services organisations should be aware of, here are some of the changes under the new regulation that they should pay closer attention to:
- Increased Territorial Scope – the jurisdiction of the GDPR will be extended to apply to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location
- Active Individual Consent – explicit permission to hold any personal data in electronic systems will become mandatory. It will no longer be possible to rely on implied consent where individuals merely have the option to opt out
- Breach Notifications – a breach, where there is a risk that the rights and freedoms of individuals could be compromised, must be reported within 72 hours of the breach being identified
- Right to Access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how it is being processed, where, and for what purpose
- Data Portability – data subjects will now have the right to receive the personal data they have previously provided in a commonly used and machine-readable format, so that they can share it with another provider
- Right to be Forgotten – data subjects will now have the right to be forgotten, which entitles them to require you to ensure that their information is deleted from every piece of IT equipment and portable device, and even from server or cloud back-up services
- Privacy by Design – privacy by design calls for data protection to be built in from the outset of designing IT systems. Firms must also hold and process only the data that is absolutely necessary
There are a number of aspects of the GDPR that will take considerable time to achieve, and all financial services organisations should be looking at these now. They draw on a range of governance, risk and assurance capabilities, as well as in-depth technical and data protection skills.
To be ahead of the GDPR change in May 2018, financial services organisations should:
- Educate their senior management and employees on the changes that the GDPR will bring, ensuring they are fully aware of these changes and of how they will affect the organisation.
- Assess their risk, policy and procedure environments, and re-architect as needed to ensure the business operates effectively in line with the GDPR’s requirements.
- Plan, track and manage their GDPR requirements and objectives, making sure they achieve the right blend of education, architecture and assurance within the appropriate time frame.
It is also worth noting that the majority of financial services organisations will need to appoint a Data Privacy Officer (DPO) to act as a liaison with regulators and as an independent enforcer for data within the company. The DPO will create and maintain adequate levels of privacy awareness across the organisation, monitor GDPR compliance, and influence decision-making at a senior level to drive improvement in privacy and data protection management.
With all of the GDPR changes taking effect in just under a year, this is a great opportunity for financial services organisations to be proactive and open a dialogue with their clients well ahead of any changes they may have to make by May 2018.
There is no time like the present, and just like we advise all of our customers, I strongly advise all organisations out there to start opening up the GDPR dialogue today.