GDPR: six months to go, yet financial sector remains behind the curve

On 25 May, all organisations will have to achieve compliance with the General Data Protection Regulation (GDPR) or face fines of up to €20 million, or four percent of annual global turnover (whichever is greater). Not only are financial sector firms subject to these measures, they are likely to be one of the most impacted sectors.

With only six months to go, financial sector firms should now be in the midst of impact assessments and remediation programmes to ensure compliance before the enforcement date. However, many firms within the industry have yet to begin to implement the measures, processes and controls required.

Throughout the history of the financial services, customer data has been the lifeblood of the sector. The adoption of ‘big data’ and artificial intelligence by many businesses has ushered in new ways to gather customer data and provide more accurate profiling.

However, with the increasing use and volume with such data comes concerns on how firms collect, store and use consumer information. GDPR seeks to allay these fears and give citizens back control of their personal data.

So what are the changes expected under the new regulation?

There are around a dozen headline changes which financial sector firms should be aware of but some of the key areas include:
  • increased territorial scope – the jurisdiction of the GDPR will be extended to apply to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location;
  • consent – explicit permission to process any personal data deemed to be outside of the specific purpose it was collected will become mandatory;
  • breach notifications – the notification of a breach, where there is a risk that the rights and freedoms of individuals could become compromised, must be reported within 72 hours of the breach being identified;
  • right to access – data subjects will now have the right to obtain confirmation from you of what personal data is held concerning them, how is it being processed, where and for what purpose;
  • data portability – data subjects will now have the right to receive the personal data concerning them, which they have previously provided, in a commonly used and machine readable format;
  • right to be forgotten – data subjects will now have the right to be forgotten which entitles the data subject to have you ensure that information is deleted from every piece of IT equipment, portable device and from server back-ups and cloud facilities;
  • privacy by design – privacy by design calls for the inclusion of data protection from the onset of the designing of systems. Firms must also only hold and process the data absolutely necessary.
Key questions to consider
  1. Are you fully aware of what personal information you hold and where within your organisation this information is maintained and managed?
  2. Have you addressed how you are going to communicate privacy to your external stakeholders? Has your privacy policy been reviewed to ensure this is going to be compliant under GDPR?
  3. Are your consents up to date and GDPR compliant, for example, the details include explicit opt-in where required? Are you recording the consents obtained so you have a record of these?
  4. What is your organisation's policy for reacting to a data breach? Will this policy be able to meet the new data breach reporting deadlines set under GDPR? Is everyone aware of the data breach policy throughout the organisation?
  5. Is your organisation required to have a data protection officer? If not have you designated the responsibility of data protection to an individual within the organisation?
If you are unsure about the answers to the above questions, please contact Christopher Beveridge. We would welcome the opportunity to meet and tell you how we can help you successfully prepare for GDPR.
 

Leave a comment

 Security code