laurieehrbar
ServiceNow Employee

It's May 25th. The General Data Protection Regulation (GDPR) is in effect. My take is simple: GDPR presents more opportunities than hurdles.

With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimize the reputational and financial fallout of a breach. In the world of financial services, that presents a fantastic opportunity. My colleague, Manoj Patel, has written a blog shedding light on the current state of preparedness (or lack thereof) and where we go from here.

Laurie Ehrbar, Global Program Director, Financial Services


After the GDPR Enforcement – The End of a New Beginning:

By Manoj Patel, Senior Advisor, Security & Risk Global Practice EMEA

It's 25th May (CET) and it's now in effect: the General Data Protection Regulation.

…and you can still talk to me! You have my consent – according to GDPR §4 section 11, §7, §9 section 2(a), §13 section 2(c) and §14 section 2(d) – to comment on this article!

So, now what? GDPR is an opportunity to clean up the mess, not a threat!

As we are all aware of what GDPR is, what it contains and why it is important, I will skip that part (or you can visit my previous blogs):

GDPR - Quick Facts & Best Practices Part I (of III) & GDPR Part II

So, what are the impacts on Financial Services Organizations?

The General Data Protection Regulation (GDPR) will have a great impact on any company that processes EU citizens’ data, even if the company isn’t located in the EU. Like any other organization, financial institutions are subject to the same compliance requirements. Under GDPR, financial services organizations like banks and investment advisory firms need to tighten their policies and procedures concerning the usage and storage of personal data.

Whether a financial institution uses the “Personal Data” of a data subject for marketing, customer segmentation, regulatory requirements (other than GDPR) or fraud prevention, all of the following key requirements apply:

Right to be forgotten and right to data erasure

GDPR strengthens data protection for individuals within the European Union. EU citizens can request access to, or the removal of, their own personal data held by banks. If there is no valid justification for retaining the data, the individual’s right to be forgotten applies to every financial institution. This can be applied to any personalized marketing or customer segmentation.

Customer Consent

Under GDPR terms, consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data. A pre-ticked box will not be valid consent. Customers are empowered to retain the rights over their own data. This applies to any use of a data subject’s personal data within the financial institution.

Breach Notification

GDPR mandates that the DPO reports any personal data breach to the supervisory authority within 72 hours. Financial penalties (up to 2% or 4% of annual turnover) come in addition to potential reputational damage and loss of future business.

3rd Party/ Vendor Management

GDPR establishes end-to-end accountability: to keep customer data well protected, not only the bank but all of its support functions, including 3rd parties (e.g. outsourcers), must fulfil compliance. Non-EU organizations working in collaboration with EU banks or serving EU citizens need to exercise particular care when sharing data beyond EU boundaries.

Data Protection Officer

Many financial institutions will need to appoint a Data Protection Officer (DPO) because they “carry out large scale systematic monitoring of individuals (Data Subjects)”. The DPO’s tasks are clearly defined within the regulation, e.g. management of data protection activities, guidance on data protection impact assessments, tracking the organization’s GDPR compliance, GDPR awareness training, etc.

So, where do we stand today?

According to the latest poll by ISACA, only 29% of organizations will be fully compliant by 25th May. The scary part, though, is that 1 in 10 organizations doesn’t know whether it has to comply with GDPR at all! The good news is that 69% of executives have set GDPR as a priority. (Source: ISACA, GDPR Readiness Survey, May 2018, www.isaca.org/gdpr-readiness-survey)

Let’s remain positive: these results show GDPR is an opportunity to create better awareness of data security, improve business reputation, etc. On the other hand, organizations will need more time to overcome the challenges of fully complying with the regulation.

The Fine Times & Consequences:

  • Article 83 section 4 states that infringements would be subject to administrative fines up to €10m, or in the case of an undertaking (organization/ enterprise), up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  • Further, non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall be subject to administrative fines up to €20m or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

We have to realize that the larger the revenue, the larger the risk and the larger the fine, and this should make clear that it’s not just about information security but about pure business risk.

Which fine level? 2% (Level 1) or 4% (Level 2) fines?

Breaches of controller or processor obligations will be fined within the first tier, and breaches of data subjects’ rights and freedoms will result in the higher-level fine:

  • Level 1 fine – up to 2% of total global annual turnover or €10m (whichever is higher), covering e.g.: consent of a child, data protection by design/default, third-party processing, notification of data breach, data protection impact assessment, etc.
  • Level 2 fine – up to 4% of total global annual turnover or €20m (whichever is higher), covering e.g.: conditions for obtaining consent, the principles for processing, right to obtain rectification, right to data portability, failure to provide access to the supervisory authority, etc.

But listen: GDPR specifically says in Article 83(1) that fines must be ‘effective, proportionate and dissuasive’, so it's unlikely (or one can hope) that any regulator will get away with putting anyone out of business. Whether litigation costs will be more significant than regulatory penalties remains to be seen.

Furthermore, GDPR introduces a comprehensive set of rights for data subjects, including the right to an effective judicial remedy against a controller or a processor and the right to compensation. Therefore, in addition to being at the receiving end of an enforcement action, controllers and processors may be subject to court proceedings and have to pay compensation to data subjects for their infringements of the GDPR.

Thanks!


To learn more please visit www.servicenow.com/finserv