HOW THE FINANCIAL SERVICES INDUSTRY CAN PREPARE FOR GDPR

Paul Irvine, Director, Major Accounts UK&I, Fortinet.

Paul Irvine
Paul Irvine

The nature of how modern businesses operate means they are becoming more and more data driven. This is largely due to the expectation of customisation of the user experience. Financial institutions, for example, have been able to use customer data and customisation in order to offer tailored services to their customers, such as loans or insurance, based on recent purchases or their financial history.However, at the same time, consumers are being encouraged to re-take control of their own personal data. This emphasis on the individual’s right to data privacy is clearly highlighted within the upcoming General Data Protection Regulation (GDPR) that will be implemented across the European Union on May 25th, 2018. Whilst the UK will be leaving the EU, it will have to implement nearly identical legislation in order to continue doing business with European organisations.

Make no mistake, GDPR will affect all businesses that operate within the E.U., regardless of where they are based. Given the amount of personal data collected and processed by the financial services industry including credit card numbers and financial records.It’s safe to say that regulators are going tobe especially strict when enforcing GDPR compliance on the financial services sector.

Many business leaders do not feel prepared for the upcoming regulation. In fact, a recent study by Gartner found that 50 percent of businesses due to be affected by the GDPR will not be in full compliance by the time the regulations take effect in May of next year. With this in mind, the financial services industry must focus its attention on transitioning data collection, processing, and security protocols in order to be compliant with the regulation. This is no easy feat, it will involve understanding individual data rights as well as data collection and processing accountability, and implementing the required protective measures.

What doesGDPR mean for the individual?

In addition to the standardisation of data processing regulations for international businesses throughout the E.U., GDPR looks to put the individual back in charge of their data. Residents of the E.U. will also have the ability to dictate how their data is handled under the new stipulations.

Most substantially, under the new regulation, individuals must actively give consent for companies to process their data. Gone will be the days of pre-ticked boxes, silence, or inactivity as being acceptable, under the directive, this is no longer considered sufficient for compliance. Instead, users will be asked to explicitly give permission for each data processing operation, and in addition, have the ability to withdraw consent at any time.

Users will now also have the right to request access to their data and for the organisation to confirm how their data is being used. Moreover, under the data portability stipulation, consumers can transfer this data to reuse across organisations and services. In this case, organisations must have the technical ability to send this information to a specific user in a machine-readable format.

In addition,to these increased rights, individuals can now also request their data’s deletion under the Right to Be Forgotten stipulation. In this case, the user can request to have their data erased, or prevent its processing, when they withdraw consent, or if the data is no longer necessary for the purpose for which it was originally collected.

Data awareness

In order to comply with the individual rights provisions under GDPR, financial services providers must ensure they have high visibility into every instance of user data – meaning how is the data being used, for what purpose, and by whom, and be able to meet user requests regarding the use or deletion of their data within a reasonable timeframe. Furthermore, organisations should ensure they are only collecting the minimum amount of data required for the consented purposes. They should also look to implement a system by which they are able to manage where and whenever consent has been given and withdrawn to avoid being caught out by this stipulation. Financial institutions will need to keep strict track of their data inventory, and prove that they have removed data no longer necessary to core functions in order to minimise their assumed risk.

Financial Services’ Requirements

Aside from the ability to quickly locate, transfer or remove data, organisations are expected to implement data protection by “design and default.” Essentially, this means security and accountability needs to be at the core of all data monitoring and collection programmes. Compliance accountability rests on the shoulders of the data controllers. Data controllers determine the purposes and means for data collection, and data processors, who process data on behalf of the controller. To remain compliant, controllers and processors are expected to perform regular risk assessments and updates to the infrastructure as new threats emerge.

While network security and visibility are necessary for keeping track of data movement, it will also be increasingly important for intrusion detection and mitigation. Part of GDPR compliance requires any organisations that has suffered a data breach to report said breach to the authorities and individuals affected within 72 hours of detection. This actually isn’t much time to perform the necessary tasks such as incident response, forensics, and containment. Early detection and mitigation will be key in minimising lost data and breach expenses, as well as avoiding compliance failure.

Failure to demonstrate that an organisation has made a sincere effort to comply with GDPR on all technical and operational fronts can result in heftyfines. GDPR mandates fines of €10 million, or 2 percent of worldwide annual turnover, whichever is higher, for lesser infringements.If an organisation is found to be in severe breach of infringements, the fine escalates to €20 million, or 4 percent of global turnover, whichever is higher.This could spell the end of a smaller financial house and have crippling effects on many of the larger houses. GDPR is not pulling any punches when it comes to the financial repercussions for a lack of compliance.

Financial services firms need to be able to comply with these rights through the implementation of technical and operational infrastructure that meets compliance at both controller and processor levels.As the 25th of May looms, financial institutions must understand how their data inventory affects the rights of individual users, and implement consent and data visibility operations to ensure compliance with GDPR.