Financial firms ignore the GDPR at their peril

On May 25th 2018, the General Data Protection Regulation (GDPR) will take effect in order to strengthen data protection across the European Union (EU). This far-reaching legislation will impose tight data protection requirements and heavy penalties for non-compliance for any business that collects EU residents’ data.

In essence, the GDPR will help to standardise data protection laws across the EU. In the UK, the GDPR will build upon the protections afforded by the Data Protection Act, which came into force almost two decades ago. This could mean that some firms are already compliant with certain aspects of these new rules, but several new restrictions will be introduced as well – some of which firms may not be aware of.

For example, under the GDPR, organisations will not be able to hold data for longer than advised by the regulator and must delete it at the request of a data subject. The GDPR also goes beyond current requirements in terms of the information that must be provided to data subjects when requesting consent to process personal data.

Protecting personal data

With these changes, the GDPR has widened the definition of personal data considerably. To keep sensitive data more secure, the new rules extend protection to categories of data that have not typically been protected before. As a result, the rules set out by the GDPR have a much larger scope: they apply not only to data in manual filing systems, but also to personal data that has been key-coded.

These changes are likely to create compliance challenges for firms of all sizes. The first step towards addressing these issues will be to ensure that employees at all levels fully understand the changes that are coming in as a result of the GDPR, as well as how they could impact the business. This process will take a considerable amount of time and attention, so it’s important to begin preparations well ahead of time in order to avoid difficulties when the legislation comes into force next May.

Data breaches and the GDPR

Businesses that fall victim to a data breach post-GDPR could face strict penalties under this new regulation; firms could be fined up to 4% of their annual worldwide turnover, or €20m, whichever is higher.

Traditionally firms may have tried to keep any data breaches under wraps, but this will no longer be possible with the GDPR. The new regulation stipulates that a firm must report a cyber-attack to the relevant supervisory authority – in the UK’s case the Information Commissioner’s Office (ICO) – within 72 hours of discovering the breach, particularly if individuals’ data privacy rights and freedoms are at risk. Fines of €10m can also be enforced for ‘specified infringements’, such as failure to inform the ICO of a data breach within the timescales provided.

To comply with these deadlines, organisations will need to have strategic plans in place for handling cyberattacks and taking swift action in the event that an individual’s data is compromised. The rigid timescales set out by the GDPR are likely to be problematic for some, however, as many firms have yet to create an official, documented procedure of how to respond to data breaches.

Preparation needs to start now

Although firms were given a two-year transition period to get ready for this new regulation, many are still unprepared, so it’s vital that a firm’s leadership, compliance and IT teams start taking responsibility now. Recent figures from international law firm ERM Law have found that only 29% of organisations have begun their GDPR preparations, which means a majority still needs to build the groundwork.

With the GDPR placing greater responsibilities on the data controllers and processors, it is vital for firms to understand what personal data they hold and how it is processed. Financial firms will already store personal client data on file, but should take the time to assess every service provider and individual interacting with this data to ensure they fully comply with the requirements of the GDPR. Automated systems can help to lessen the risk of something dropping through the net, but firms will need to work with an IT provider who can understand and implement these solutions.

Clients will also receive additional rights in areas such as the right to erasure, the right to be informed and the right to restrict processing, so firms will need proof of consent to hold individuals’ data on their systems. Under the Data Protection Act, negative consent was enough (e.g. ticking a box to show you do not wish to receive communications), but organisations will now need to prove a positive opt-in.

As a result, businesses will need to review all of their privacy policies and conduct regular privacy impact assessments (PIAs) to ensure those policies are robust enough to meet the GDPR’s requirements. Additionally, the language used within consent forms must be clear and straightforward, so that individuals are completely aware of how their personal data may be used.

Board level support will be vital if firms are going to complete all of these preparations in time. With less than 12 months to go, it’s important that businesses take action now. Not only do businesses need to understand the steps they will need to take to protect personal data, but they also need to have the right tools and systems in place to be able to detect a data breach and react to it within the strict guidelines set out by the GDPR.
