How does the GDPR impact Financial Services?

The recent media reports about an alleged data breach involving social media site Facebook and Cambridge Analytica have added to the ongoing concerns about the safety of personal data from identity theft, cyberattacks, hacking or unethical usage.

The European Union has introduced the new General Data Protection Act (GDPR) to safeguard its citizens by standardising data privacy laws and mechanisms across industries, regardless of the nature or type of operations. It also aims to empower EU citizens by making them aware of the kind of data held by institutions and the rights of the individual to protect their personal information.

GDPR has wide-ranging implications for commercial organisations that hold the personal data of EU citizens, generally raising the bar in terms of:

The measures that must be undertaken to protect personal data
Ensuring that there is a lawful basis for processing personal data
Giving individuals the right to request that their personal data is deleted
Taking steps to avoid potential fines imposed on organisations that transgress: up to €20 million or 4% of turnover

While banks and other financial firms are no strangers to regulation, adhering to these requires the collection of large amounts of customer data, which is then collated and used for various activities, such as client or customer onboarding, relationship management, trade-booking, and accounting. During these processes, customer data is exposed to a large number of different people at different stages, and this is where GDPR comes in.

Impact of GDPR

So, what does the introduction of GDPR actually mean for financial institutions and which areas should they be focusing on? Here seven key areas of the GDPR legislation that will impact the sector:

1. Client Consent

Under the terms of GDPR, personal data refers to anything that could be used to identify an individual, such as name, email address, IP address, social media profiles or social security numbers. By explicitly mandating firms to gain consent (no automatic opt-in option) from customers about the personal data that is gathered, individuals know what information organisations are holding. Also, in the consent system, firms must clearly outline the purpose for which the data was collected and seek additional consent if firms want to share the information with third-parties. In short, the aim of GDPR is to ensure customers retain the rights over their own data

2. Right to data erasure and right to be forgotten

GDPR empowers every EU citizen with the right to data privacy. Under the terms, individuals can request access to, or the removal of, their own personal data from banks without the need for any outside authorisation. This is known as Data Portability. Financial institutions may keep some data to ensure compliance with other regulations, but in all other circumstances where there is no valid justification, the individual’s right to be forgotten applies.

3. Consequences of a breach

Previously, firms were able to adopt their own protocols in the event of a data breach. Now however, GDPR mandates that data protection officers report any data breach to the supervisory authority of personal data within 72 hours. The notification should contain details regarding the nature of the breach, the categories and approximate number of individuals impacted, and contact information of the Data Protection Officer (DPO). Notification of the breach, the likely outcomes, and the remediation must also be sent to the impacted customer ‘without undue delays’.

Liability in the event of any breach is significant. For serious violations, such as failing to gain consent to process data or a breach of privacy by design, companies will be fined up to €20 million, or 4 per cent of their global turnover (whichever is greater), while lesser violations, such as records not being in order or failure to notify the supervisory authorities, will incur fines of 2 per cent of global turnover. These financial penalties are in addition to potential reputational damage and loss of future business.

4. Vendor management

IT systems form the backbone of every financial firm, with client data continually passing through multiple IT applications. Since GDPR is associated with client personal data, firms need to understand all data flows across their various systems. The increased trend towards outsourcing development and support functions means that personal client data is often accessed by external vendors, thus significantly increasing the data’s net exposure. Under GDPR, vendors cannot disassociate themselves from obligations towards data access. Similarly, non-EU organisations working in collaboration with EU banks or serving EU citizens need to ensure vigilance while sharing data across borders. GDPR in effect imposes end-to-end accountability to ensure client data stays well protected by enforcing not only the bank, but all its support functions to embrace compliance.

5. Pseudonymisation

GDPR applies to all potential client data wherever it is found, whether it’s in a live production environment, during the development process or in the middle of a testing programme. It is quite common to mask data across non-production environments to hide sensitive client data. Under GDPR, data must also be pseudonymised into artificial identifiers in the live production environment. These data-masking, or pseudonymisation rules aim to ensure the data access stays within the realms of the ‘need-to-know’ obligations.

Conclusion

Given the wide reach of the GDPR legislation, there is no doubt that financial organisations need to re-model their existing systems or create newer systems with the concept of ‘Privacy by Design’ embedded into their operating ideologies. With the close proximity of the compliance deadline – May 2018 – firms must do this now.