How financial services should be preparing for GDPR

By Jamie Graves | 31 March 2017

Dr Jamie Graves, CEO, ZoneFox

With the likes of MiFID II and Priips, the financial sector is well versed in the multitude of regulation that needs to be sorted and addressed each time they arrive. However, the impending GDPR (General Data Protection Regulation) is a very different proposition; one that will impact almost every corner of a business, whether you were aware they existed or not. 

The reason behind the importance of addressing GDPR is clear – data is now a fundamental part of almost every business there is. From online vendors to dentists, data is a key component for retaining customers, delivering innovative new products and executing personalised customer service to the highest level possible. 

Another major factor for data’s use is the way that people now engage with businesses. They might order something on their laptop, pick it up in store, and then submit feedback over their phone, with data crucial to joining up this experience. 

Simply put, without data your business can’t function in an effective way. Which is why GDPR is being implemented in May 2018 to standardise how data (whether it’s employees or customers) is protected, stored and accessed across EU borders.

It’s a far-reaching and ambitious legislation and worryingly it seems that the triggering of Article 50 has lured many companies into cancelling or at least re-prioritising their GDPR preparations – as many as a quarter now don’t think it applies to UK companies as we are leaving the EU. This is simply not the case.

From companies across the world working with those in the EU, through to countries in flux like the UK, GDPR applies to any data transferred outside the EU zone. In other words, if you are a US-based business that collects data from EU citizens, you'll be required to comply. And preparations need to be underway. There is no quick fix to complying. For us at ZoneFox, the regulation falls into three categories: proactivity, ensuring GDPR is a board-level priority, and mitigating risk. 

Proactivity

A proactive approach is vital when it comes to security. Most companies are unsure of exactly how and where all of its data is processed and stored across their organisation – or if anyone accessing it is doing so in line with company policy. Auditing this process is a great place to start, as once you have the knowledge of where all your data resides and how it is currently accessed, you know what needs to be addressed. This audit should give you clear insight into: 

•    What measures you have in place to protect data, especially personally identifiable information (PII). Ensure you perform vulnerability assessments and penetration tests to determine if unauthorised access and downloading are possible. This is a valuable exercise and also offers the opportunity to test your data encryption standards

•    The relationship your organisation has with third-parties. Who do you share data with? And how do third-parties collect data from your business? Longer term, you will need to ensure that your data supply chain is GDPR compliant - the onus is very much on you to take responsibility for this. It’s also worth liaising with third parties to understand how they secure their own (or your) data, and share best practice between all parties. 

•    Have your legal and compliance teams go over end-user agreements to ensure that all data subjects have willingly agreed

•    Ensure that how you tell people you use their data is actually how you use it. An outside opinion can help here, so don’t be afraid to engage an expert to advise

•    Does your current data storage solution have any risks associated with it? If so, create a risk registry so that you can tackle these

Ensuring GDPR is a priority

The proactivity previously mentioned will help you understand the vulnerabilities and non-compliance that your organisation faces once GDPR hits. This insight can then form the basis of the strategy you then need to take to the company directors to address these issues. The exec board faces a lot of project pitches – all of which will be after funding and resources – so it’s vital that you put forward the following information to ensure the board’s backing: 

•    Any discrepancies between end-user agreements and GDPR requirements as well as a clear roadmap for how to reconcile the two

•    Create risk-based metrics based on vulnerability assessments and penetration tests to outline any weaknesses in your data defences. Don’t forget, the board will be looking to you to bring solutions as well as problems to the table

•    Be clear about any deviations from GDPR and present a strategy encompassing technical, legal and compliance requirements with a timeline for ensuring compliance by May 2018 alongside associated risks of the data registry

Risk mitigation

Successfully complying with, and continuing to comply with GDPR, requires a strong mitigation of risks. Data is now the lifeblood of most companies and the vast majority can be accessed online, therefore this key resource is also highly traceable. We’ve seen what happens to companies that suffer data breaches: irreparable brand damage, a loss of customers and customer’s trust and a severe impact on the bottom line – especially as the legislation can result in fines up to €20 million, or 4% of global turnover. GDPR puts the onus on companies to take responsibility in a far more granular way for data protection, therefore it is imperative that you:  

•    Classify your data as this is vital to preventing data loss

•    Continuously monitor the environment to ensure your data stays exactly where it is supposed to and doesn’t walk unauthorised out of the front door

•    Encrypt your databases. This might seem like an obvious point, but not all companies are following this basic rule. Apply strong algorithms so that even if the bad guys steal your data you render it useless to them

A challenge – and an opportunity

GDPR may well feel like climbing Everest at this point, but by breaking it down into these three areas it, compliance becomes much more manageable – two base camps to reach and then the summit. But aside from it being an intimidating piece of legislation, it also offers a great opportunity for businesses to redefine their relationships with customers and earn significant goodwill by ensuring that their data is handled in the most respectful and secure way possible. But the time to start this process is now, with a little over 12 months to go until the legislation is live. 

it’s important to realise that those that don’t address this won’t just falter – they could be permanently affected. The opportunity is there to become a leader in data protection – so make sure you grab it!

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development