GDPR: the impact on financial services businesses

Throughout the history of financial services, data has always been the lifeblood of the sector. Now in the digitally interconnected world in which the sector exists the need for proper use, management and optimisation of such data has never been greater.
Against this backdrop, the EU has approved the highly anticipated General Data Protection Regulation (GDPR) to take account of the rapid increase in the use of data and how our behaviour towards personal data usage has changed over the last 22 years, since the launch of the last EU Directive in 1995.
The sheer scale of the wide-ranging new requirements is compounded by a hard deadline of 25 May 2018 to ensure full compliance with the new regulations. Add to that the cost of non-compliance, which could result in penalties of up to €20 million or four percent of worldwide turnover (whichever is higher), and it is clear that organisations need not only to fully understand the requirements of the GDPR but also to prepare well in advance of 2018.
So what are the changes expected under the new regulation?
There are around a dozen headline changes which financial firms should be aware of, but some of the key areas include:
  • increased territorial scope – the jurisdiction of the GDPR will be extended to apply to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location;
  • consent – explicit permission to hold any personal data in electronic systems will become mandatory. It will no longer be possible to rely on implied consent, with individuals merely having the option to opt out;
  • breach notifications – the notification of a breach, where there is a risk that the rights and freedoms of individuals could become compromised, must be reported within 72 hours of the breach being identified;
  • right to access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how it is being processed, where, and for what purpose;
  • data portability – data subjects will now have the right to receive the personal data concerning them, which they have previously provided, in a commonly used and machine readable format;
  • right to be forgotten – data subjects will now have the right to be forgotten, which entitles the data subject to require you to ensure that their information is deleted from every piece of IT equipment, every portable device, and from server back-ups and cloud facilities;
  • privacy by design – privacy by design calls for the inclusion of data protection from the outset of system design. Firms must also hold and process only the data that is absolutely necessary.
How we can help
There are a number of aspects to the GDPR that will take considerable time to achieve, and all organisations should be looking at these now. This draws on a range of governance, risk and assurance capabilities as well as in-depth technical and data protection skills. Our team of Technology Regulation experts can support you to:
  1. Educate your senior management and employees on the changes that the GDPR will bring and ensure that they are fully aware of these and how these changes will affect the organisation.
  2. Architect your risk, policy and procedure environments to help you ensure your business operates effectively in line with the GDPR regulation requirements.
  3. Assure the processes you have in place around GDPR, giving you independent and timely information on the state of your management in relation to GDPR regulation requirements.
  4. Manage your GDPR requirements and objectives, making sure you blend education, architecture and assurance in a way that is appropriate to your operation.
Contact us here to speak to one of the team.
