EU regulation to place new requirements on financial organisations

By Iain Chidgey, Delphix

Finance, probably more than any other industry, will find itself under the scrutiny of the EU if a new data privacy regulation is implemented. As it announced a few weeks ago, the European Commission is on track to create a set of rules that will govern how companies handle personal data, and if executed, the regulation is expected to be adopted by all countries within the next 12-24 months. Any company that deals with customer records, national insurance numbers, passwords, credit card details, or any other personal information will have to comply. For those caught unprepared, there could be some significant repercussions.

The EU regulation aims to prevent breaches, requires full and immediate disclosure when they happen, and enables customers to request that their data is moved from one organisation to another. It will also place restrictions on who can access personal information. Whilst financial organisations are already heavily regulated and have many restrictions in place, the EU regulation will go further. In its initial reply to the regulation proposals in March 2012, the British Bankers’ Association (BBA) wrote that the laws would be ‘difficult to work with in practice, will be unnecessarily burdensome to business and will provide little or no additional benefit to individuals.’

One of those burdens would be a requirement to mask all private data unless it is absolutely essential that it is accessible to the employee or the third party accessing the data. The impact would be felt across the whole organisation as it finds itself limited in how it can share information internally.

Being able to access and move data within the organisation is absolutely essential to the running of any business. Data sets are required to run business analytics, market reports and risk analysis, as well as develop new products. Copies of data need to be created for backup, training and disaster recovery, and that’s why an average organisation holds 8-10 copies of each live database. Often personal information is held within this data.

Why does that matter?

Under the proposed regulation, every piece of personal information will have to be masked unless it is absolutely necessary to keep it exposed. This will include every original database and every copy that is made. Any time a new copy is requested by an analyst, a developer, or the IT department, it will have to be masked. The new practice could put a new strain on already maxed out IT resources. Everything could take more time or make certain processes not feasible because of the associated cost.

I recently heard from a leading UK bank that it estimates it spends up to 50% of its time just moving data around to service the business. If there is now a requirement to mask all of this data first, then the time involved could mean banks find themselves having to employ more people and incur more cost just to complete simple tasks.

The industry needs technology that will allow this process to be automated and therefore cut costs and improve efficiency.

Several banks and other financial organisations have already adopted new technologies such as database virtualisation where masking is done once in the live database, meaning each virtual copy is automatically masked. When a virtual copy is made it retains the characteristics of the original database including the masking of data, saving IT the time and resources that would be otherwise spent on masking each individual copy.
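The "mask once, then copy" pattern above, as an added illustration in Python that is not Delphix's code or part of the original article: personal fields (name, national insurance number, card number, password) are masked a single time in the source, every dev/test/analytics copy is derived from that masked result, and a final check confirms no original personal value survives in any copy. The sample rows, the masking key and the field names are constructed for the demo.

```python
import copy
import hashlib
import hmac
import re

# Constructed sample "live" database rows; every value here is invented.
LIVE_DB = [
    {"id": 1, "name": "Alice Example", "ni": "QQ123456C",
     "card": "4111 1111 1111 1111", "password": "hunter2", "balance": 120.50},
    {"id": 2, "name": "Bob Example", "ni": "QQ654321A",
     "card": "5500 0000 0000 0004", "password": "letmein", "balance": 99.00},
]

# Assumption: a per-environment secret held outside the database, so tokens
# are stable across copies but cannot be reversed by anyone holding a copy.
MASKING_KEY = b"constructed-demo-key"

def pseudonymise(value: str, key: bytes = MASKING_KEY) -> str:
    """Deterministic token: same input gives the same token in every copy."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_card(pan: str) -> str:
    """Keep only the last four digits so test data still looks like a card."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def mask_record(rec: dict) -> dict:
    """Mask the personal fields; non-personal fields (id, balance) stay as-is."""
    return {
        "id": rec["id"],
        "name": pseudonymise(rec["name"]),
        "ni": pseudonymise(rec["ni"]),
        "card": mask_card(rec["card"]),
        "password": None,  # never needed outside production: drop it entirely
        "balance": rec["balance"],
    }

def mask_once(db: list) -> list:
    """Mask the source once; every later copy is derived from this result."""
    return [mask_record(r) for r in db]

def make_copies(masked_db: list, n: int) -> list:
    """Copies for dev, test and analytics inherit the masking, no extra work."""
    return [copy.deepcopy(masked_db) for _ in range(n)]

def leaks_pii(copies: list, live_db: list) -> bool:
    """Control check: does any original personal value appear in any copy?"""
    originals = {r[k] for r in live_db for k in ("name", "ni", "card", "password")}
    return any(v in originals for c in copies for r in c for v in r.values())
```

Because the tokens are keyed and deterministic, joins across copies still line up on the same pseudonymised customer, which is what analytics and test teams usually need from a masked copy.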

If passed, the EU regulation could make organisations with unprepared IT departments less competitive. Developers could find themselves waiting longer for a new copy of a database, analysts wouldn’t have the latest data to work with, and overall the organisation would move at a slower pace because it would be bogged down by masking data. There is still time to make sure you are not one of them.