We talk to hundreds of enterprises in the finance and banking sector, and we’ve seen compliance putting more strain on IT and information security teams than ever before. If you’re in IT, you will know GDPR is imminently due and is the most talked about event in the IT world at the moment.
It’s likely you’re already sick of hearing about it, and it’s not even enforceable yet. Your mission, should you choose to accept it, is to cut through the nonsense, the hype and the myths and figure out what you need to do to ensure you’re prepared for the May deadline.
We know that banks and finance organisations are under constant cyber-attack – for obvious reasons. The impact of a breach within this sector is significant. On the positive side, it’s likely you already have some of the more fundamental and basic measures needed for GDPR in place. Typically, the finance sector spends 3 times as much as any other sector on security and compliance. However, you obviously still need to identify any potential gaps and get them filled before the May deadline.
GDPR matters for the finance sector perhaps more than other sectors. Putting aside the direct potential consequences of a breach, the finance sector is heavily scrutinised by the media, and reported breaches can cause significant damage to brand and reputation. Over recent years, such news has also made mainstream press, not just the niche IT news. So, the relevance of having to report and comply in such a public manner without question creates risk.
We’ve been looking through the mandate, and below is a selection of some of the key challenges finance and banking companies could face once this mandate is enforced.
I Want to Be Forgotten – It’s My Right
GDPR mandates that all EU citizens have the right to be forgotten, meaning they can request that their data is erased. Essentially, the subject can request all data that is held about them and, unless a valid and justified reason is given for why this data is retained, they can request that it is erased. In many instances in the banking sector, there are compliance drivers that dictate certain details must be retained, which may qualify as ‘justified’ in the eyes of the ICO.
Consent Needs to Be Explicit
This basically means that you can only hold ‘uniquely identifiable information’ obtained through explicit consent, and you need a justifiable reason and/or purpose for holding this data. This also applies to your partners: you have a responsibility to ensure your supply chain and partners are compliant.
If you’re a bank or finance company operating with integration partners, alliances or third parties (which is likely) you need to ensure they operate within the same compliance parameters as you. You need to be accountable for all parts of the chain and explicit as to how you expect them to interact with ‘your’ data.
One of the key things you will need to establish is how your data moves inside and ‘outside’ your organisation so you can establish how much exposure it has and whether any third parties are handling access appropriately.
72 Hours to Disclose – Now Mandatory
In the past, breach reporting was more discretionary and governed mainly through internal protocol. Under GDPR, the Data Protection Officer is obligated to ensure any recognisable breach (along with its nature, scale, potential impact and volume) is reported within 72 hours. There is also now an obligation to report the breach to those affected, with essential information as to what was breached, the potential impact and the steps being taken to prevent a recurrence. While no defined time limit is set for this, the wording states ‘without undue delays.’ Essentially, the sooner you report it the better – and the more credit, and potentially sympathy or leniency, you may get from the ICO.
What Happens If You Don’t Comply?
There’s a lot of conflicting information surrounding this topic, and it’s becoming somewhat emotive. The official line for GDPR fines, according to Elizabeth Denham of the ICO, is a maximum fine of £17 million or 4% of turnover (whichever is higher).
If the past is anything to go by, you’re going to need to get it horribly wrong to fall foul of the maximum fine. While there are still mountains of political, technical and process considerations that need to be addressed, the security maturity of banking and finance companies is already of a standard where it’s highly unlikely we’ll see a wave of high profile, major GDPR incidents in the banking sector.
I may be in the minority here, but I think GDPR is a good thing. I know we’re a beneficiary of people working towards GDPR, and that makes me biased, but ultimately anything that encourages thought and holds organizations responsible for data security can’t be bad.
Without a doubt, there is a huge amount of confusion, misinformation and misinterpretation around GDPR. I think many vendors have also taken the wrong approach, using fear-based selling techniques which have probably created an environment where people are immune and resistant to many of the genuine GDPR offerings.
Either way, if you’re in the banking sector, the reality is that there are risks that need addressing (how much and to what extent is up for debate). The risk vs reward balance for the banking sector means that it makes good business sense to be proactive in ensuring you’re ready. Talk to us today or visit our website to find out how LepideAuditor could help you be GDPR compliant.