With the deadline for GDPR compliance coming up shortly, many businesses are starting to feel the pressure. And while financial services firms are no strangers to regulations (being one of the most heavily regulated industries out there), GDPR adds a whole new layer of complexity to even the most basic operations. This is particularly true because adhering to their existing regulations requires the collection of large amounts of customer data, which is then used for various activities like customer onboarding, relationship management, trade booking and accounting. During these processes, customer data is exposed to a large number of different people at every stage. That’s where the big impacts of GDPR on financial services come in.
The first two major impacts are not specific to the financial services industry – they will hit every business in the same way. So let’s start simple. Under GDPR, personal data now refers to anything at all that could be used to identify an individual – including their name, email address, social media profiles and even their IP address. The rules then state that companies must gain explicit consent from individuals in order to collect, process and use that data, giving the individual more rights and control over their own data. This means that you will need to ensure you have explicit and documented consent for every piece of information you gather on a customer or prospect during the course of working with them – which in financial services can be a lot!
The Right To Be Forgotten
Next, we come to the right to data erasure, more commonly known as the right to be forgotten. This part of GDPR means that any individual could ask you to produce and then delete all data you hold on them at any time. This means that they could also request access to, or the removal of their own personal data from financial institutions such as banks, without the need for any outside authorisation. Financial institutions may keep some data in order to comply with other regulations, but in all other cases where there is no valid justification for keeping it, the individual’s right to be forgotten is paramount.
Consequences Of A Breach
In the past, financial institutions were allowed to create and adopt their own rules and protocols in the event of a data breach. But this is no longer the case. Now, under GDPR, data protection officers are required to report any breach to the supervisory authority for personal data within 72 hours of discovery. The notification also needs to contain details of the nature of the breach, the categories and number of individuals affected and the contact information of the Data Protection Officer. If that wasn’t enough, you will also need to notify the impacted customers of the breach, the likely outcome and your remediation plans. Overall, GDPR puts heavy emphasis on the liability faced by businesses in the event of a data breach, with the highest fines reaching €20 million or 4% of global annual turnover, whichever is higher. Not to mention the reputational damage that could be done to financial services businesses, which deal with a lot of highly sensitive data.
IT systems form the backbone of every financial services business, with client data continually passing through multiple IT applications. Since GDPR is concerned with client personal data, financial services businesses need to understand where all the data flows within their systems. And since there has been an increased trend towards outsourcing development and support functions, that means that personal client data is often accessed by external vendors, which significantly increases the data’s exposure to risk. Similarly, non-EU organisations working in collaboration with EU banks or serving EU citizens need to ensure vigilance while sharing data across borders. In effect, GDPR means end-to-end accountability, and financial firms need to be able to ensure security not only internally, but in all of their support functions as well.
GDPR is a wide-reaching regulation, and it applies to all client data across the board, whether it’s in a live production environment, during the development process or in a testing programme. It’s already quite common to mask data in non-production environments in order to hide and protect highly sensitive information. But GDPR also requires such data to be pseudonymised into artificial identifiers in the live production environment, so that access to the real data stays firmly within ‘need to know’ obligations. This means that financial firms need to start embedding the idea of ‘privacy by design’ into their existing systems and methodology.
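The following example, added here as an illustration and not code from Tipac or from any firm described in the post, shows what pseudonymising client identifiers into artificial identifiers can look like in practice, and how the right to erasure described earlier can be honoured by severing the link back to the person. The class name, the field names and the sample trade rows are assumptions; a real deployment would keep the keying material in a KMS or HSM rather than in memory.

```python
"""Pseudonymising client identifiers with a keyed token, plus erasure.

Added illustration for the pseudonymisation and right-to-erasure points in
the post; the class, field names and sample rows are assumptions, not any
firm's system.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional


class PseudonymService:
    """Owns the secret that links a token back to a person.

    In a real deployment this component sits apart from the applications
    that consume pseudonymised records (behind a KMS/HSM with its own access
    controls); here it is in-memory so the example runs offline.
    """

    def __init__(self, master_key: Optional[bytes] = None) -> None:
        # 256-bit key; generated at random if the caller supplies none.
        self._master_key = master_key if master_key is not None else secrets.token_bytes(32)
        # token -> original identifier. This table is the only way back from
        # a token to a person, so it must never leave the service boundary.
        self._reverse: Dict[str, str] = {}

    @staticmethod
    def _normalise(identifier: str) -> str:
        # Trim and lowercase so "Alice@Example.com" and " alice@example.com "
        # map to the same token and records still join correctly.
        return identifier.strip().lower()

    def _token(self, identifier: str) -> str:
        # HMAC-SHA256 rather than a bare hash: a plain SHA-256 of an e-mail
        # address can be reversed by hashing a list of candidate addresses,
        # while the keyed token cannot be computed without the master key.
        mac = hmac.new(self._master_key, identifier.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]

    def pseudonymise(self, identifier: str) -> str:
        """Return the artificial identifier for a direct identifier."""
        normalised = self._normalise(identifier)
        token = self._token(normalised)
        self._reverse[token] = normalised
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Resolve a token back to the person; None once the link is erased."""
        return self._reverse.get(token)

    def erase(self, identifier: str) -> bool:
        """Right to erasure: remove the link for this person.

        Pseudonymised rows elsewhere (e.g. retained for accounting) stay
        usable as unattributed records, but this service can no longer say
        who they belong to. Returns True if a link existed. Source systems
        that still hold the raw identifier must delete it separately.
        """
        token = self._token(self._normalise(identifier))
        return self._reverse.pop(token, None) is not None


def pseudonymise_records(service: PseudonymService,
                         records: Iterable[Dict[str, object]],
                         fields: Iterable[str] = ("customer_name", "customer_email")
                         ) -> List[Dict[str, object]]:
    """Replace the named direct-identifier fields in a batch of rows.

    Input rows are copied, not mutated, so the raw data stays under the
    control of the system that owns it (and can be deleted there later).
    """
    fields = tuple(fields)
    masked: List[Dict[str, object]] = []
    for row in records:
        out = dict(row)
        for name in fields:
            if name in out and isinstance(out[name], str):
                out[name] = service.pseudonymise(out[name])
        masked.append(out)
    return masked


# Constructed sample trade-booking rows (not real data).
SAMPLE_TRADES = [
    {"trade_id": "T-1001", "customer_name": "Alice Example",
     "customer_email": "Alice@Example.com", "notional": 250000},
    {"trade_id": "T-1002", "customer_name": "Alice Example",
     "customer_email": "alice@example.com", "notional": 75000},
    {"trade_id": "T-1003", "customer_name": "Bob Sample",
     "customer_email": "bob@example.com", "notional": 12000},
]


if __name__ == "__main__":
    svc = PseudonymService()
    rows = pseudonymise_records(svc, SAMPLE_TRADES)
    # Both of Alice's trades carry the same token, so per-client totals still work.
    assert rows[0]["customer_email"] == rows[1]["customer_email"]
    svc.erase("alice@example.com")
    print(rows[0]["customer_email"], "->", svc.reidentify(rows[0]["customer_email"]))
```

The deterministic keyed token is what lets downstream systems (trade booking, accounting, test environments) keep joining and aggregating on a client without ever seeing the client's name or e-mail address, while only the holder of the master key and the reverse table can re-identify anyone. Erasing the reverse entry is one half of honouring a deletion request; the systems that hold the raw identifier still have to delete their copies, which is why the batch function never mutates its input.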
Of course, failing to identify your risk points, talk to clients and secure client data doesn’t just leave you open to crippling financial penalties. It also significantly erodes your clients’ confidence and trust in you. A study published earlier this year by Close Brothers UK found that an alarming 82 per cent of the UK’s small and medium businesses were still unaware of GDPR, even though the deadline is almost upon us. At Tipac, we work with financial services firms to help them unite their processes into one single solution, managing their documentation and data simply and providing a fully auditable, traceable and accountable solution. If you would like to find out more about how we can help you become GDPR compliant, just get in touch with us today.