GDPR and financial services: What does it mean?
We review how new data protection laws affect the financial services industry
Whether your business is in marketing, IT, retail, the services industry or another sector, and whether it is small or large, GDPR will have made life just that little bit harder. Since coming into force in May 2018, the new rules have applied to every company and industry that handles personal data, which in practice means everyone.
GDPR was designed to give data subjects far greater control over how their data is collected and processed, and to align regulation across the EU. As a result, companies now need to be far more careful with the personal data they hold.
GDPR dictates what, how and when data can be collected and processed. It requires companies to be far more transparent about the ways they use customer data for their services, and imposes far stricter rules about the disclosure of data breaches.
One of the sectors most affected by the changes is the financial services industry, particularly because it already has to comply with a number of existing regulations that do not always sit comfortably alongside its responsibilities under GDPR.
Below we look at the various responsibilities a company now has as part of GDPR, and how they pertain to the financial services industry.
Complying with GDPR and other financial regulations
It is important to remember that GDPR is designed to operate alongside existing national law rather than contradict it, which is particularly pertinent to the financial services industry. Where other UK legislation requires a firm to retain or process personal data, meeting that legal obligation is itself a recognised lawful basis for processing under GDPR, so organisations can still comply with their other legal duties. The Financial Conduct Authority, which regulates financial services firms in the UK, works closely with the Information Commissioner's Office, which is responsible for enforcing GDPR and the Data Protection Act 2018 in the UK.
Consent
The idea of obtaining consent to process data is one of the core principles of GDPR, and was often cited as a key consideration for businesses in the run-up to its introduction in May 2018. However, as a lawful basis for processing data, consent is one of the weakest, if not the weakest, positions to rely on. Not only is it difficult to secure informed, freely given consent from data subjects, but the new rules also require that withdrawing consent is as easy as giving it. Once consent is withdrawn, any processing that relied on it must stop.
Organisations should consider carefully which lawful basis best fits their processing needs. GDPR sets out six: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a public task, and legitimate interests. A comprehensive guide to each is available on the ICO's website, and several of them are far more robust than consent for the processing a financial firm typically carries out.
Right to be forgotten
The 'right to be forgotten', formally the right to erasure set out under Article 17 of GDPR, gives data subjects the right to have their personal data erased from a company's systems, which in practice also means removing them from marketing lists and halting further collection.
This is not an absolute right, however, as the article sets out both the grounds on which data must be erased and the exemptions a company can rely on to refuse a request. For example, data must be erased if consent is withdrawn, unless the business has another lawful basis for processing it. For financial firms the most relevant exemption is usually that the data must be retained to comply with a legal obligation, such as regulatory record-keeping rules.
Each request needs to be considered carefully and judged on its own merits, and answered without undue delay and within one month. If a company refuses an erasure request, it must be prepared to justify that decision to the individual and, if challenged, to the ICO.
The need for a data protection officer (DPO)
Some companies are unsure whether they need to appoint a DPO or not, but the ICO guidance on the subject is quite clear and offers a checklist to assist businesses in meeting their GDPR obligations in this respect.
"The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities," the ICO states.
"DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability."
A DPO can be an existing or newly appointed employee, can be contracted externally, and can serve several organisations at once, according to the ICO. However, they must have expert knowledge of data protection law and practice, must be given the resources they need to do the job of monitoring compliance, informing and advising the organisation of its obligations and providing advice on data protection impact assessments, must be free of conflicts of interest, and must report directly to the highest level of management in the organisation.
Data breaches
GDPR stipulates that organisations report a personal data breach to the relevant supervisory authority, the ICO in the UK, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification should describe the nature of the breach, the categories and approximate number of people and records affected, the likely consequences, the measures taken or proposed in response, and the contact details of the DPO. Where the breach is likely to result in a high risk to individuals, the organisation must also inform those individuals directly without undue delay.
ICO guidance states: "From 25 May 2018, if you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of any risk to people's rights and freedoms, following the breach. When you've made this assessment, if it's likely there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. You do not need to report every breach to the ICO."
It is also important to reassure customers, partners and employees that you follow recognised procedures and, where appropriate, hold certifications that demonstrate the kind of controls GDPR expects, so that a breach is less likely to occur in the first place and its impact is limited if one does. The information security standard ISO 27001 is one such certification, although holding it is evidence of good practice rather than proof of GDPR compliance in itself.
The ICO states: "You must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. You should remember that while information security is sometimes considered as cybersecurity (the protection of your networks and information systems from attack), it also covers other things like physical and organisational security measures.
"You need to consider the security principle alongside Article 32 of the GDPR, which provides more specifics on the security of your processing. Article 32(1) states:
'Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk'
"Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals; lives may even be endangered in some extreme cases."
Managing vendors
Financial firms will have client data passing through several applications, and GDPR means that firms need to understand how personal data flows through each of them. Personal client data is also frequently exposed to external vendors, such as outsourcing partners, who act as processors on the firm's behalf. Under Article 28 a controller may only use processors that provide sufficient guarantees of compliance, and must bind them by a written contract setting out the subject matter, duration, purpose and nature of the processing and the processor's obligations. GDPR thus enforces accountability right across the data flow, so that personal data stays protected even when it leaves the firm's own systems.
Dale Walker is a contributor specialising in cybersecurity, data protection and IT regulation. He is a former managing editor of ITPro and its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including those held by IBM, Red Hat and Google, and has been a regular reporter at Microsoft's annual showcases, including Ignite.