The General Data Protection Regulation (GDPR) was introduced by the European Parliament, Council of the European Union and European Commission to strengthen data protection for all individuals across the EU.
Its official implementation date is 25 May 2018, and the regulation has already become part of UK law. As such, all financial services firms writing business across the EU, including in a post-Brexit United Kingdom, must comply from this date onward.
For larger and more complex organisations, however, compliance could become difficult if left until the last minute.
Need to know
In layman’s terms, the GDPR acts as a way to standardise data protection laws across the European Union, and places greater emphasis on the documentation that firms must keep so they can demonstrate their accountability in the event of a data breach.
For UK firms in particular, the GDPR echoes many of the compliance rules set out in the Data Protection Act almost two decades ago. As a result, many businesses will be on their way to being compliant, but there are new areas which must be considered.
Like the Data Protection Act, the GDPR applies to ‘personal data’, but with a wider scope. Now, it also applies to both automated data and data within manual filing systems. Additionally, personal data which has been key-coded can also fall within the remit of the GDPR.
Although not officially implemented until next year, businesses have been given a two-year transition period to set up their compliance processes to be regulation-ready. Despite the large amount of time allocated to lay the groundwork, many organisations are still finding themselves unprepared with less than a year to go.
Awareness is a key part of preparation. Decision-makers and key stakeholders within a firm should be notified of the expected changes and begin to consider the impact of areas that may cause compliance problems under this regulation.
To begin with, firms should build a team to deal with the new standard and allocate a Data Protection Officer (DPO) to take responsibility for data protection compliance. Whilst the DPO is a necessary part of complying with the GDPR, this role can be outsourced to third party firms.
The next crucial step is to know and understand the data held within your business – specifically, where it came from and who it is shared with.
The GDPR requires an organisation to maintain records of its processing activities, to ensure that personal data is not shared with other organisations without an individual’s consent. Whilst a firm may have customer consent to hold their data within its systems, it may not have permission to process their data in a different manner.
Part of the GDPR’s regulatory framework also considers individuals’ data privacy. Firms may need to alter their current privacy notice practices, as they now need to establish the legal grounds for holding a person’s data.
Processing children’s data is a potential sticking point too. There is a real focus on information held about children under this regulation, leading firms, particularly in the banking and insurance spaces, to consider how they can verify the ages of the children whose data is held on their systems, and how they will obtain parental or guardian consent to process this information.
Dealing with data breaches
Many financial services firms have kept data breaches under wraps to date, but this can no longer be the case. All organisations complying with the GDPR must now report any serious data breaches to the Information Commissioner’s Office (ICO) within 72 hours of awareness of the breach.
Part of this regulation also includes penalties for succumbing to a data breach, meaning that firms can have fines imposed on them of up to 4% of their annual worldwide turnover, or €20 million – whichever is higher. Additionally, fines of up to €10 million can also be imposed for “specified infringements”, such as failure to inform the ICO of a data breach within that timeframe.
To this day, many firms have no truly usable documented procedures in place for how to respond to a security breach. Now, an organisation must adopt internal procedures for handling data breaches effectively, so that any risk to individuals whose data may be compromised is dealt with. This is where technology comes in.
Using technology effectively
To be fully compliant with the GDPR, it is vital that firms take time to assess every service provider and individual that is responsible for processing data, and undertake regular privacy impact assessments (PIAs) so that any counter-action required in the event of a data breach has been identified in advance.
From an additional technology perspective, financial services firms should also consider how automated systems can assist in complying with this regulation. The more automation in place, the lower the risk of something falling through the net and causing a data infringement.
Many firms that are compliant with the Data Protection Act will already be well on the way to being prepared for the GDPR implementation next year.
It is a matter of being aware of where the differences lie, and considering how internal processes can be improved, if not automated, to better comply with the upcoming regulation. For firms that are just starting out on this path, it is imperative to begin preparations now, to avoid difficulties later down the line.
Robert Rutherford is CEO of business and IT consultancy QuoStar.