The importance of organisations in financial services investing in the GDPR
November 2017 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
November 2017 Issue
The Data Protection Act (DPA) is 20 years old in 2018, the year that the EU General Data Protection Regulation (GDPR) becomes law. Technology is evolving at a rapid pace, and in this digital revolution data powers how we do business. Data adds billions of pounds to the economy, improves science and research and assists with the prevention of crime. We need the GDPR as the DPA has not kept pace with the internet age and technological developments.
The GDPR aims to make those organisations that collect and use personal data accountable for the security of that data. When GDPR comes into force on 25 May 2018, organisations will find the fines they face increasing dramatically. Maximum fines range from €10m (approximately £8.8m) or 2 percent of global turnover, whichever is higher, for one set of compliance obligations, to €20m (approximately £17.6m) or 4 percent of global turnover, whichever is higher, for breaches of critical compliance obligations. Arguably even more damaging will be the reputational impact of a breach with customers and contacts, which can take years to recover from.
The financial services sector has significant data protection issues to address, particularly given the expectation of customisation across the user experience. There is significant value in the data that organisations collect, and data harvesting has increased steadily because of technological advances and the demand for customer convenience. The GDPR has a global reach, applying to organisations that offer goods or services to, or monitor the behaviour of, data subjects in the EU. It is essential to prepare for the arrival of the GDPR and to address any gaps in compliance well in advance.
Challenges under the GDPR
Organisations that collect and use personal data and determine how it is used (controllers) must provide fair processing information to individuals about the use of their personal data. Individuals have the right to be informed about the purpose of processing their data, the legitimate interests of the controller (where required), recipients of the personal data and the lawful basis for processing.
One of the legal bases relied on will be the data subject’s consent. The concept of consent in the GDPR is stricter than in the DPA, setting out more onerous requirements in relation to both the content of consent and the way in which it should be obtained. Consent should be granular and obtained for each specific type of processing that relies on consent as the legal basis. Consent must also be separate from other terms and conditions, and organisations will need to provide simple ways for people to withdraw consent. Controllers should update their systems if consent is withdrawn.
The GDPR creates new rights for individuals and strengthens existing ones. It provides an individual with the right to be informed, the right of access, the right to erasure, the right to object, the right to restrict processing, the right to rectification, the right to data portability and rights in relation to automated decision making. Financial organisations need to ensure that their systems allow them to comply with a request by a data subject to exercise any of these rights. This may therefore be an opportunity to modernise your data infrastructure and governance. Being able to quickly identify a particular individual's data elements will enable organisations to meet GDPR requirements and create value in the data.
Data breaches in financial services are on the rise and there have been a number of high profile breaches which have affected millions of customers. There is a newly imposed 72-hour notification period for serious breaches to ensure a quick turnaround and encourage transparency. There are additional requirements for processors to report breaches to controllers, and for controllers to inform individuals where their privacy or rights are at risk.
Steps to prepare for the GDPR
One of the first steps is to carry out an impact assessment (IA) to find out where the information is stored, what data is personally identifiable and how accessible it is. Organisations should understand what data is necessary for commercial purposes and reduce risk across the organisation by carefully disposing of data which is no longer needed or for which the purpose has expired.
Once the IA is complete, organisations can create a gap analysis to assist with resolving the highlighted issues. To comply with the individual rights provisions under the GDPR, financial services providers must ensure they have visibility into every instance of user data, how it is used, for what purpose, and by whom. Most financial services organisations share data with third parties. Organisations must ensure that their data is protected adequately when shared and risks are effectively managed when transferred.
It is important to adopt an organisation-wide approach, factoring data protection and privacy management into your overall business strategy. One of the biggest challenges will be to change embedded behaviours, reliance and information provisions within the organisation. It may be necessary to train your staff on the changes introduced by the GDPR to ensure they understand internal requirements (such as internal record keeping) and external-facing procedures. Additionally, there are a number of areas left for Member States to determine their own approach (as seen in the UK with the launch of the Data Protection Bill in mid-September). Multinational organisations must be aware of legal developments across the globe and adopt these into business plans and strategies.
Organisations should move away from relying on consent to justify processing data, particularly in the context of employment contracts. In order for consent to be a valid basis for data processing under the GDPR, it must be actively and freely given – silence or inactivity does not count. Signing an employment contract containing a consent clause will not amount to consent which is freely given. Organisations should rely more on alternative legal bases going forward.
Organisations may be required to appoint a data protection officer (DPO) to monitor compliance with the GDPR and influence decision making at a senior level to drive improvements in privacy and data protection management. The DPO will have a key role in the business and will be responsible for record keeping, training and advice on impact assessments.
Financial organisations should follow a series of clear steps and phases to ensure they remain on track. They should have clear project management tools to initiate, plan and achieve specific goals, and they should learn lessons from previous change programmes, for example what worked and what did not.
The financial services market is under increasing pressure regarding compliance, not just with the GDPR but with other regulations such as MiFID II and PSD2. Compliance with the GDPR is essential and must be achieved alongside other regulatory requirements and built into business as usual, rather than treated as a separate ‘tick box’ exercise. Organisations should remember that it is highly unlikely that they will be 100 percent compliant before 25 May 2018. The process is effectively an agile risk exercise, with organisations completing as many of the requirements as they can (focusing on high risk areas first) and documenting all steps which have been taken.
This compliance exercise can also save the organisation money when considered on an overall basis. An updated inventory can dramatically reduce storage costs by identifying and eliminating data that has no real value or must no longer be retained. Effective management and optimisation of data will allow organisations to understand and make better use of the data and could lead to a competitive advantage. Finally, taking sufficient steps to ensure GDPR compliance will avoid the much publicised increase in fines and the reputational impact of a breach.
JP Buckley is a partner and Andrew Mills is a solicitor at Shoosmiths. Mr Buckley can be contacted on +44 (0)3700 867 358 or by email: firstname.lastname@example.org. Mr Mills can be contacted on +44 (0)3700 865 734 or by email: email@example.com.
© Financier Worldwide