John Culkin is Director of Information Management at Crown Records Management, a leading information management company with a presence in nearly 60 countries. He has published a white paper entitled ‘Leaving the digital Stone Age behind’ analysing the forthcoming EU General Data Protection Regulation and providing advice on how to prepare. Here he outlines the biggest challenges facing the financial sector and suggests best practice solutions for companies aiming to stay ahead of the game.
What’s the latest news on the EU’s Data Protection Regulation?
The Regulation was given the support of the European Parliament in March and is currently being discussed by Ministers with a new draft expected soon. There are likely to be many changes before it is finally approved, but the general principles involved are already established. The desire for a one-stop Europe-wide regulation for data controllers and processors is unquestioned – together with a desire for European citizens to have greater rights over information stored about them. The Regulation will replace current legislation in all European countries – and will have a significant impact on all sectors, including banking and finance.
So when will it actually come into effect?
The timeline is not entirely clear, but the likelihood is the Regulation will be passed in 2015 and in place by 2017.
What is likely to be the biggest consideration for the financial sector?
A proposal for huge fines – up to five per cent of global turnover or 100m Euros if greater – for companies that negligently breach regulations stands out for all sectors. When you consider how much information and data is collected and processed by banks it a challenge, although perhaps the industry is better prepared than others. The key will be to adopt a culture where privacy is considered in every process – and staff in every department and every level are aware of its importance. Crucially, the Regulation does not only apply to digital data but also to paper records – and this may prove to be the biggest challenge.
Is it only data controllers that need to be concerned?
No. The distinction between data controller and data processor that has been accepted in the UK until now will no longer protect the data processor from liabilities – so outsourced processing centres may be impacted. For global financial firms there is a further impact to consider as the EU expects its regulations to apply to any company or organisation that handles the data of European citizens, even if that company is based outside of the union. Off-shore financial centres effectively fall under the new legislation.
What requirements will be there be for reporting breaches?
The Regulation will include a requirement for breaches to be reported to the supervisory authority without delay. This is expected to move from a 24-hour deadline outlined in the first draft of the proposals to 72 hours following recently lobbying. But nevertheless, businesses in the finance sector will need to have very clear procedures that assign responsibility for reporting. It would be wise to get these procedures as soon as possible.
What about the ‘right to be forgotten’ that has been so widely discussed since Google was required by the European Court of Justice to remove outdated information about a Spanish man’s repossessed home from future searches?
This is an interesting area. European Commission Vice President Viviane Reding described that verdict as confirming the ‘need to bring today’s data protection rules from the digital Stone Age into today’s modern computing world’
Her words inspired our white paper and have got a lot of people talking.
The ‘right to be forgotten’ is likely to be redrawn as a ‘right to erasure’ when the Data Protection Regulation finally goes through; but the principle that citizens have the right to ask for data held about them to be altered, deleted or checked is not going away.
This has major implications in the financial sector which will need more robust processes – and potentially increased staffing – in place for the searching of historic data and to deal with customer requests.
It is also worth mentioning that in future companies will require ‘explicit consent’ to collect any data from citizens in the first place. Use of a service by a data user –or their silent decision not to opt out – will not be enough on its own.
Are there are any exemptions for the industry?
If so they have not been announced so far. One interesting area is credit ratings. Citizens already have a right to access these records but if a ‘right to erasure’ is applied there are obvious complications. The erasure of information may not always be in the interests of customers, either.
A further complication is the inclusion of a clause giving data subjects the right not to be subject to a “measure based on profiling”. This means profiling individuals based on automatic processing that predicts a person’s creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour may well be under threat.
Are there are any areas in which the financial sector is ahead of the game?
A recent wave of claims management firms seeking information to assist with miss-selling claims has at least prepared the industry for what lies ahead in terms of providing access to data. A new ‘right to portability’ which allows citizens to ask for their information in an accessible format has also been pre-empted by banks, allowing customers to switch accounts.
Will there be any cost implications for the industry?
The cost of putting systems in place for the reporting and prevention of data breaches –and for the storage and searching of information – is significant. So, too, is the cost of dealing with an increased number of customers who want to apply for data held about them to be deleted or altered.
The Regulation will also include a requirement for all public sector bodies and private sector bodies with more than 250 staff to employ a Data Protection Officer So whether it is operational costs or the adaptation of new processes and procedures the challenge that lies ahead is significant.
The bottom line is the age of data is changing fast, for better or for worse and whether we like it or not. So regardless of what ministers in Europe decide over the coming months – and however the final EU Data Protection Regulation takes shape – the digital Stone Age is on the way out. Getting left behind should not be an option.