Businesses around the globe are becoming increasingly data-driven. This is largely due to the expectation of customisation of the user experience. Financial institutions, in particular have been able to use customer data and customisation in order to offer tailored services to their customers, such as loans or insurance, based on recent purchases or their financial history. However, the consumer is now being encouraged to take back control of their own personal data. The new emphasis being placed on individual rights to data is clearly demonstrated within the upcoming General Data Protection Regulation (GDPR) that will come into effect across the European Union on May 25th, 2018. Despite Brexit, the UK will have to implement nearly identical legislation in order to continue doing business with European organisations.

GDPR promises to affect all businesses that operate within the European Union., regardless of where they are based. However, given the amount of personal data collected and processed by the financial services industry such as credit card numbers and financial records. It’s safe to say that regulators are going to be especially strict when enforcing financial services GDPR compliance.

Many business leaders do not feel prepared for the upcoming regulation. Gartner predicts that 50 percent of businesses due to be affected by the GDPR will not be in full compliance by the time the regulations take effect in May of 2018. With the clock ticking, the financial services industry must focus its attention on transitioning data collection, processing, and security protocols to meet compliance. This means understanding individual data rights as well as data collection and processing accountability and implementing the required protective measures.

What does GDPR mean for you?

In addition to standardising the data processing regulations for international businesses operating within the E.U., GDPR puts the individual back in charge of their data. Residents of the E.U. will also have the ability to decide how their data is used under the new regulation.

First and foremost, under GDPR, individuals must actively give consent for organisations to process their data. Pre-ticked boxes, silence, or inactivity is no longer considered sufficient to achieve compliance. What is now required, is for the user to explicitly give permission to each data processing operation, and in addition, they the ability to withdraw consent at any given time.

Users will now also have the right to request access to their data and to confirm how it is being used. Furthermore, under the data portability stipulation, consumers can transfer this data to reuse across organisations and services. In this case, organisations must have the technical ability to send this information to a specific user in a machine-readable format.

In addition to consumers now having greater freedom to access data and broad rights to use it for their own purposes, individuals can now also request their data’s deletion under the Right to Be Forgotten stipulation. This means they can request to have their data erased, prevent its processing, when they withdraw consent, or if the data is no longer necessary for the purpose for which it was originally sourced.

Where is the data stored?

To meet the individual rights provisions under GDPR, any organisation within the financial services industry must ensure it has high visibility into every instance of user data – meaning how is the data being used, for what purpose, and by whom, and be able to meet user requests regarding the use or deletion of their data in a reasonable amount of time. What’s more, organisations must ensure they are only collecting the minimum amount of data required for the consented purposes and will have to implement a system by which to manage where and whenever consent has been given and withdrawn. In order to avoid high financial penalties and fines, financial institutions will need to keep strict track of their data inventory and prove that they have removed data no longer necessary to core functions in order to minimise their risk. 

What are the technical and operational requirements?

Aside from the ability to quickly locate, transfer or remove data, under GDPR, organisations are now expected to implement data protection by “design and default.” This means security and accountability must be a core focus from the outset of all data monitoring and collection programmes. Compliance accountability rests on the shoulders of the data controllers. Their role is to determine the purposes and means for data collection, and data processors, who are responsible for processing data on behalf of the controller. Under the new regulation, controllers and processors are expected to perform regular risk assessments and updates to the infrastructure as new threats emerge.

Although network security and visibility are necessary for keeping track of the movement of data across your ecosystem, it will also be increasingly important for intrusion detection and mitigation. GDPR requires organisations to report qualifying data breaches to authorities and individuals within 72 hours of detection. This actually isn’t much time to perform the necessary tasks such as incident response, forensics, and containment. Early detection and mitigation will be key in minimising lost data and breach expenses, as well as avoiding compliance failure.

If an organisation is deemed to have not made a sincere effort to comply with the new regulation, they can expect some eye wateringly large fines. For instance, under GDPR, if an organisation is found to have committed a lesser infringement, they can face fines of €10 million, or 2 percent of worldwide annual turnover, whichever is higher. If the infringement is considered to be more severe, that fine increases to €20 million, or 4 percent of global turnover, again, whichever is greater. One thing is clear, the EU is not going to be going easy on any organisation that is seen to be lacking on GDPR compliance. These fines will have crippling effects on any organisation, regardless of size or turnover.

Financial services firms must be able to comply with these rights through the implementation of technical and operational infrastructure that meets compliance at both the controller and processor levels.  As we get closer and closer to the 25th of May, financial institutions need to understand how their data inventory affects the rights of their individual users, and implement consent and data visibility operations to ensure compliance with the new derivative.