GDPR remains the priority, but financial services firms also face challenges from PSD2 and MiFID II
How the financial services industry deals with customer data has become a major source of anxiety in recent months with the looming General Data Protection Regulation (GDPR) set to come into force in May 2018.
Coupled with that, the Markets in Financial Instruments Directive (MiFID II) is set to challenge the status quo on how financial businesses operate, while the EU’s incoming revised Payment Services Directive (PSD2) threatens to break the traditional banking model by requiring banks to open up customer account data to third-party providers.
Each one of these new regulations presents a challenge individually, but dealing with all three at once – and the contradictory nature of some of these new rules – means the financial sector is facing a three-pronged assault.
Of the three incoming regulations however, GDPR is looking like the most pressing issue, with 52% of chief information security officers working in the finance sector making compliance an investment priority, according to data from Network Group Events’ 2017 Financial Services Information Security Network.
At the same time, as many as 50% of companies affected by the regulation are still not fully compliant, according to research by Gartner.
There is no doubt that the finance sector is fully aware of the GDPR, but it will face tough challenges on the road to compliance, and recent cyber attacks such as WannaCry and Petya will have placed a renewed emphasis on data security.
DataRaze’s Commercial Director Steve Inglessis discusses how financial services firms can prepare ahead of GDPR – sharing some top tips and highlighting why GDPR is not a compliance burden but, actually, an opportunity.
Know where your data is
Knowing where your customers’ data is kept at all times is a major step to being GDPR compliant. Businesses are increasingly data-driven, using big data to understand performance and identify opportunities to improve. Nowadays, not only is the volume of data we create increasing – every day we create 2.5 quintillion bytes of data – but so too is its complexity.
Being data-driven typically involves a number of separate tools, each collecting, managing and analysing data. While businesses benefit tremendously from this, it means that data is often scattered across many systems, from legacy hardware to cloud-based platforms. As a result, it becomes difficult for the business to have a unified and holistic view of its data.
Traditionally, the view has been that more data equals more value, but this is not the case: what matters is data quality. Employees may also be using a variety of Shadow IT solutions (tools outside the business’ standard, approved IT infrastructure) to manage data, which makes it harder to understand your current data procedures and exposes the business to data that is unmanaged, unmonitored and potentially insecure.
Taking the time to understand how your business captures, stores and processes data will help to streamline the process and standardise the systems you use. With that inventory in place you can assess current risk levels and develop an approach to GDPR-compliant data management.
Establish a data governance framework
With data volume growing so fast, and GDPR quickly approaching, information management needs to change. Financial firms need to first establish a data governance framework, one that ensures only the right, high-quality data is collected and only for its intended purpose, and then carefully dispose of data which they do not need.
GDPR’s purpose limitation and data minimisation principles mean that businesses may only collect personal data for the specified purpose, and no more of it than that purpose requires; firms will not be able to record information beyond what they have stated to the data subject.
This will involve updating existing IT infrastructure and improving data security measures, for example by moving to scalable cloud-based solutions that support more streamlined data management in line with the new policies. It is vital, however, that data on decommissioned legacy IT assets is completely destroyed, and financial firms need to be sure that any data disposal is compliant with the new regulations.
Enlisting the services of a professional, external data disposal firm could help with this and ensure that any destruction is carried out properly.
It is important to remember, though, that even if you outsource the data destruction, your company remains responsible as the data controller if it is not carried out properly. Businesses should therefore obtain a documented chain of custody covering each asset from collection to destruction, together with a certificate of destruction, so that they can demonstrate the data was destroyed safely and correctly and avoid potential problems down the line.
Remember, good data governance is not just about the collection of high-quality data, but also about having a robust, industry-compliant and auditable data disposal method.
Protect your data and achieve transparency
GDPR puts increased accountability on data processors, and the controller/processor relationship becomes even more important. Many financial services firms share information with third parties such as clients, suppliers, regulators or partners, but should one party fail to protect that data in line with GDPR standards, the other can be held accountable too. To ensure ongoing compliance, financial services firms must have a handle on all of their existing data.
Whenever data is transferred to a third party, the transfer should be recorded, and the third party must have a system in place that produces clear, detailed reports on how the data is used: who owns it, who has accessed it and what it has been used for. That information should be recorded in a central location, which also supports GDPR’s requirement for records of processing activities (Article 30).
Ultimately, taking the steps above will pave the way to ongoing compliance and will enable financial firms to increase efficiency and productivity. Companies which are able to demonstrate better compliance and data security are far more likely to gain the trust of customers, as well as avoiding the fines and sanctions that apply from May 25, 2018, which can reach €20 million or 4% of global annual turnover, whichever is higher.