For many, the General Data Protection Regulation (GDPR) has mainly been handed over to the IT department. However, while IT professionals may be somewhat prepared for this regulation ahead of the official implementation on 25th May 2018, the business as a whole needs to be responsible and aware of the implications. Financial institutions, in particular, need to consider the repercussions this regulation will have, how to prepare for this change and the importance of having enough time to comply.
What does FS need to know about the GDPR?
Firstly, firms need to understand the changes that will come into effect under the GDPR and, more importantly, how they will affect their day-to-day operations. Put simply, the GDPR aims to standardise data protection across the EU, placing a greater focus on accountability and documentation should a cyber-attack occur.
While this may sound like a lot of work, the UK is in a good position. The GDPR reflects many of the compliance rules already set out in the Data Protection Act. However, the GDPR will expand on this 19-year-old Act to include data that is both automated and manually filed. In some cases, personal data that is key-coded can also be included in this regulation. Because of this, many professionals have worried about the impact the GDPR will have on their businesses, but there are processes that can be put in place to offset this concern.
Most businesses should already be taking steps to protect themselves from a breach. However, additional elements need to be incorporated to fully comply with the GDPR. For financial firms, client data will need to be a particular focus of attention.
Even in cases where customers have given consent for their information to be used, they may not have given consent for their data to be processed. The GDPR requires accountability at every level of the business, so it’s important that clients give their consent for data to be processed on top of the standard consent documentation.
Additionally, under the GDPR, businesses are obligated to share full details of a data breach as soon as possible with the Information Commissioner’s Office (ICO). If a company is based abroad, a country-specific supervisory authority will need to be notified. This can be a costly and time-consuming process for the company, while also damaging the company’s reputation through a ‘name-and-shame’ process.
However, the Supervisory Authority does not need to be alerted if the data has undergone a process known as ‘Pseudonymisation.’ This refers to an encryption process that renders the original data less identifiable, making it useless to any hacker.
All these issues need to be managed by a Data Protection Officer (DPO) who can oversee any breach and take responsibility for data protection compliance. Fortunately, the responsibilities of the DPO can be assigned to an external third-party operator, should one not be present within the organisation. This allows many businesses to offset the strain to a professional provider that can aid a company in regulatory compliance.
It is evident that the process of complying with the GDPR is data intensive, requiring time and effort to fully meet the regulatory requirements. The complexity of this task becomes compounded if a company has not maintained a consistent record of its processing activities prior to this time.
Many large businesses are still underprepared for this dramatic change in data protection. While the UK has the benefit of meeting the regulation part-way with the Data Protection Act, it is essential that organisations can meet the government’s requirements for data safety ahead of the deadline in 2018. If found to be non-compliant, a business could suffer hefty sanctions including regular security audits and fines of up to €20,000,000, or 4% of its annual turnover. However, the damage of not complying goes beyond the financials.
If a company is shown to be non-compliant with the GDPR, its reputation as a reliable organisation can be permanently damaged, resulting in a loss of customers and revenue for the long term. For financial firms especially, defending the company’s reputation is therefore a key motivator to prepare sooner, rather than later.
The GDPR is set to change the way businesses protect their data. While there is still time for companies to achieve compliance with these regulations, financial firms need to act now to allow for any difficulties they encounter in the run-up to the deadline. Firms need to be aware that the GDPR will require more than simply ensuring the company’s data security is up to scratch. Instead, it will require a holistic approach where everyone recognises the financial and reputational dangers that non-compliance can create.