The European Commission’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and will regulate how businesses collect and process the personal data of all European Union (EU) residents. The impact on the UK’s financial sector—which handles billions of users’ records and data transactions every year—will be significant. Essentially, any bank, regardless of its actual location, that markets goods or services to any EU member states, or uses EU residents’ personal data for marketing and selling purposes, will be subject to the GDPR in less than two years. To give you an idea of what will be expected, here are some of the requirements:
- Each individual must give explicit consent for their personal data to be collected and used.
- These individuals must understand how their information is going to be used.
- Companies must clearly state the legal remedies available to individuals should their data be processed in a way that does not comply with its agreed-upon use.
- All personal data must be wiped after a prescribed period of time.
- In the event of a serious cyberattack, companies must inform all those affected by the security breach, as well as the Information Commissioner’s Office, within 72 hours.
Should a financial institution not comply with the GDPR, it could be fined up to €20 million or 4 percent of its annual international turnover—whichever is higher. That’s a substantial amount for a business of any size, and yet, according to research by Trend Micro, 20 percent of IT (information technology) decision-makers in the UK are still unaware of the GDPR. This lack of knowledge could become very expensive for those banks that leave their GDPR strategies to the last minute. Fortunately, there is still time to prepare.
Check your database. How much of your bank’s stored data is up-to-date and relevant? Possibly not as much as you think. Arguably, the GDPR’s biggest impact for banks will be around how they obtain customer consent that is freely given and 100 percent affirmative. With such a definite focus on data collection, it pays to make sure that only the data you genuinely need is kept and reviewed for GDPR compliance. All other information that has no real business purpose can, and should, be deleted.
Update your IT security strategy. Once your database is clean and its information-collection processes are streamlined, you need to make sure it’s protected. Review your security measures and ask yourself: who has access to the information, and why? Is the bank’s data being accumulated, stored and used correctly? What is the response plan should a security breach occur?
Use the answers to these questions to update your information-security strategy so that it meets the GDPR—and provides your business with better protection. Compliance is important but so, too, is having the right security measures in place to respond to a cyberattack. Run a systems-impact test to assess how at risk your data processes are, and put in place the necessary measures to strengthen any vulnerable areas. Should your system’s security be compromised, make sure that a clearly defined process for notifying authorities and affected users is in place.
Pay close attention to your communication processes, as reputational damage can often result from badly managed security breaches. The TalkTalk scandal is a good example of a company being completely unprepared for the worst, and suffering for it. Not only did the CEO refuse to apologise, but the company also charged customers £250 to leave its service—a bizarre response that indicated little, if any, planning.
Unfortunately, one of the biggest issues facing the financial sector today is the protection of personal data from a security breach: a cyberattack these days is not a matter of if but more a question of when. With that in mind, always be on the alert for any threats, and have a statement drafted and ready to release should the worst happen. The GDPR demands transparency; aligning your existing processes with it sooner rather than later will upgrade your current IT security measures and ensure that your business operations are compliant come May 2018.
Build a solid team. Don’t underestimate the enormity of the GDPR; once it comes into force, pleading ignorance will not get you off the hook. A proactive move would be to hire the right people now to ensure compliance in the near future—one such role is a data protection officer (DPO). Don’t let the title confuse you, though; a DPO is more focused on GDPR compliance than actual data protection. The DPO’s role is to navigate all the paperwork and bureaucracy—not help you with encryption codes, storage security or network segregation. That’s a job for your chief information security officer (CISO), among other responsibilities.
Rather than viewing the pending GDPR with dread, see it as a helping hand, pushing you to better your cybersecurity systems and data processes before it’s too late. In today’s world, protecting your customers and your business from potential hack-attacks should be your number one priority, regardless of the EU’s rules and regulations.