One year of GDPR: the impact so far and what more needs to be done

By David Kemp, business strategist, Security Risk and Governance, Micro Focus 

On 25th May 2019, the world noted, rather than celebrated, the first anniversary of the General Data Protection Regulation (GDPR).The one-year mark is an opportune moment to reflect on whether the regulation has been effective in its ambitions and goals so far and look at how financial institutions have coped with compliance over the last year.

The laudable intentions of the regulation are largely recognised as an overall drive to provide a consistent and defining standard of data privacy, through defending against intrusion, cyber-attack and deliberate or negligent misuse of data. However, despite its positive purpose, legislators and regulators failed to foresee the enormity of the task of compliance,not only within the financial sector, but across all industries.

GDPR principles and enforcement

If we unwrapa number of key GDPR principles such as the “right to be forgotten” and “purpose limitation”, all require major investment in policy, process and technology. The regulation effectively demands that organisations have complete visibility over all data held, in any format and in any location.This involves near real time reporting and requires the ability to respond to a Subject Access Request and data breach within 72 hours. In fact, these standards mirror many national laws,including the 2018 California Consumer Privacy Act. And interestingly, the rules around immediacy and availability of data actually reflect the Dodd-Frank Act 2010 standards of derivative trade audit and verification.

From an enforcement perspective, the sanctions imposed in Europe over the last year have been generally small and infrequent – with the exception of the French regulator, the CNIL, fining Google €50m in January 2019. That said, while regulators are known to be short of “over watch” capability, even in 2019 one can expect them to find “trophy” non-compliant entities to provide an example to others. Additionally, with the UK’s Information Commissioner recently achieving jail terms for delinquent managers under the Computer Misuse Act 1990, the risk of non-compliance is now a matter of deprivation of liberty, not just fines.

Compliance: the picture so far

In practical terms, the banking industry has largely taken the regulation to heart, providing guidance on active and demonstrable consent to retail customers. Moreover, anecdotal evidence has suggested that the “privacy by design” concept is being respected when it comes to building compliance features into new products and services. To use a tangible example, a global UK-headquartered bank CDO is seeking to improve its wealth management products and services by deep analysis of Personal Data, but it has made sure that anonymisation is in place.

However,unfortunately it is currently the case that surprisingly large institutions, especially insurers, are still at an early stage of data discovery. This also includes identifying precisely where, and in what form and volume Personal Data lies across their legacy data landscape. As the stakes of non-compliance rise, it is highly prudent for financial institutions to have carried out data discovery and undertaken a gap analysis on their policy and technology – and at least have an in-flight road map for remediation.In other words, GDPR compliance should not be taken as simply another “Y2K”damp squib situation.

Looking beyond sanctions: the benefits of effective compliance

Unexpectedly, there have been some positive up-sides to GDPR compliance for the finance industry– not limited to defending against fines and reputational damage.

• Using GDPR compliance as a catalyst for improved operational efficiency

Deletion of unwarranted Personal Data retention has caused two major UK insurers to pro-actively down-size the “dark data” they hold, representing on average in excess of 30% of all information held by corporates. As a result, the insurers have reduced back-up and data storage costs. Therefore, they have increased ROI, as well as effectively cleansed data in anticipation of moving to the cloud and digitisation.

• Using GDPR as a bench-mark for improved due diligence arising in M&A

This can be applied both from the point of view of a subsidiary sale, as well as the data discovery necessary on a subsidiary purchase.

• Contextual linkage of data in all formats

By ensuring compliance, organisations are able to link to data in all its forms, whether it be structured or unstructured. As a result, they have the ability to not only facilitate replies to a Subject Access Request, but also achieve greater opportunities from compliant data mining and value extraction – ultimately leading to enhanced revenues. Ironically, the long-heralded “Customer 360” view of retail client data is now a necessity, not just a“nice-to-have”.

• Applying GDPR standards to other perennial internal security corporate issues

Cleansing data for internal issues regarding security provides organisations with greater visibility, clarity and prospect of advance warning – made possible by using Identity Access Management and encryption technology.

Over the last year the implementation of the GDPR has been a Pandora’s Box of yet more financial institution compliance requirement. But somewhat paradoxically, for the canny it has represented a real opportunity for business advancement.