A lot has been said regarding the forthcoming European data protection regulation (aka GDPR) since its enactment in 2016. With the deadline for implementation fast approaching (the regulation will be enforced starting May 25, 2018), the coming weeks are about to attract lots of attention as many organizations are already expected to show they have taken steps towards compliance.
One would expect that financial institutions will be ready by the deadline due to the nature of the services they provide and their ‘exposure’ to more stringent regulatory authorities. In fact, however, given the many challenges the GDPR poses for such institutions, their current readiness leaves much to be desired.
Compliance with the GDPR is mandatory and vital for every organization that collects and handles EU personal data, but for financial service providers, it is absolutely crucial. This is because they are exposed to a significant volume of data, a considerable portion of which is being shared or transferred to third parties.
Take for example alternative payment solution providers that, to execute their clients’ transactions, must interact with their client’s bank, clearance company, the recipient’s bank, and so forth. These providers must share and transfer their client’s data – surname, forename, address, e-mail, and other information such as credit card number or bank account. By doing so, they may lose control over the data and are potentially in breach of the GDPR unless they put strict organizational, technical, and legal safeguards in place.
Vulnerability to litigation
Another point to mention with regard to financial services providers relates to their ‘vulnerability’ to litigation, because they interact with their customers on a regular basis. This is different from, say, an occasional e-commerce transaction, where it is harder to sue and receive compensation, or where litigation is not economical for the customer because the breach is (usually) trivial.
In the case of health institutions such as hospitals, for example, the right of data subjects concerning their data is restricted or balanced against other rights and therefore the risk of a breach is insignificant. Such institutions may also have a legal justification to collect and retain data without the need for consent. This, however, is not the case with regards to financial services.
Service providers such as banks also have more significant turnovers compared to other non-financial service providers and therefore enforcement of regulations can not only be easier but even more effective in the eyes of the customer. This is because, under the GDPR, compensation is calculated as a percentage of the total (and global) turnover.
Therefore it is essential for financial services institutions to have a clear strategy before they embark on, or deal with, the implementation of the GDPR. Such a strategy must take into consideration the factors above, namely, the unique challenges that financial services are facing in light of the GDPR. Also, as opposed to other regulations (e.g., AML), legal counseling is only one aspect. The GDPR requires a multi-disciplinary approach that involves risk assessment methodologies, privacy, security, IT, and audit.
How to move forward
The question is therefore what should this strategy include to achieve compliance or, at least, to show regulators and customers alike, that the organization is taking the GDPR seriously and is preparing for it.
The first crucial stage is the mapping of personal data held by financial institutions. Although this may sound quite straightforward, it is a very complicated matter. As indicated, financial services are exposed to extensive information which is not easy to categorize and assess without sophisticated mechanisms. Also, the data that they hold may be sensitive and not only ‘personal’, so that different rules will apply at the implementation stage. Therefore, this stage must be undertaken by privacy, security, and IT professionals rather than by legal advisors alone.
Once a full understanding of the data collected has been reached, a gap analysis will usually take place, i.e., establishing what the current situation is and how it should be changed in accordance with the GDPR, followed by a tailored compliance work plan. This stage will undoubtedly involve both legal advisers and the professionals mentioned above.
The IT and information security operations will have to work together to seek viable solutions to many challenges they may not have encountered before or had deliberately chosen to postpone. For example, many financial organizations are struggling with sophisticated Data Leakage Prevention (DLP) systems. These might be configured to monitor databases but often were not set to track the many log files that were identified during the data discovery stage as containing personal data. These must now be dealt with (e.g., specific data fields may be encrypted or anonymized, access to them further tightened, and DLP configured to cover them).
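As an added illustration (not code from the article or its author), a small Python scrubber in the spirit of the remediation step just described: it masks Luhn-valid card numbers and replaces e-mail addresses with keyed pseudonyms in log lines. The sample log lines and the HMAC key are constructed assumptions; in practice the key would come from a key-management service.

```python
import hashlib
import hmac
import re

# Constructed sample log lines standing in for application logs that a
# data-discovery exercise flags as holding personal data (not from the article).
SAMPLE_LOGS = [
    "2018-05-02 10:14:03 INFO payment ok user=jane.doe@example.com card=4111 1111 1111 1111 txn=1234567890123",
    "2018-05-02 10:14:09 WARN retry user=jane.doe@example.com card=4111-1111-1111-1111 amount=42.00",
    "2018-05-02 10:15:30 INFO login user=bob@example.org ip=10.0.0.7",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# 13 to 19 digits, optionally separated by spaces or dashes: candidate card numbers
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so ordinary numeric IDs (transaction numbers) are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # not a card number: leave untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymize_email(email: str, key: bytes) -> str:
    """Keyed HMAC so one customer stays correlatable across lines without storing the address."""
    tag = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]
    return f"user-{tag}"


def scrub_line(line: str, key: bytes) -> str:
    line = PAN_RE.sub(mask_pan, line)
    return EMAIL_RE.sub(lambda m: pseudonymize_email(m.group(0), key), line)


def scrub_logs(lines, key: bytes):
    return [scrub_line(line, key) for line in lines]


if __name__ == "__main__":
    for out in scrub_logs(SAMPLE_LOGS, b"placeholder-key-from-kms"):
        print(out)
```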
The organization’s privacy operations will also have their hands full with new challenges. The designation of a Data Protection Officer (DPO), which is mandated by the GDPR, comes with many duties. First arises the necessity to identify whether internal resources can staff this position. This is not a trivial matter, since it requires both privacy law expertise and in-depth data protection knowledge, which is not a very common combination (yet). Of course, this can be managed by a team of experts or outsourced, but it will introduce an organizational function whose sole purpose is to handle the “rights and freedoms” of EU data subjects, with a dedicated budget and operational autonomy.
A change of mentality
The second major challenge of the privacy operations would be to implement policies, procedures, and technical solutions to handle the new types of Data Subject Requests (DSRs) that the GDPR allows (e.g., the rights of data access, rectification, erasure, restriction of processing, data portability, and the right to object). For instance, the DPO is now tasked with oversight of employee awareness and privacy training so that when a DSR is received, it would be handled in a compliant way. This will take its course and is expected to eventually ingrain privacy in almost every business unit, something that is currently not a common practice, even within financial organizations that are already privacy oriented.
The next phase is where the law takes its course, namely, the implementation of the GDPR. Legal advisers will then need to review the existing policies and update the current privacy notices. Contracts with third parties will also be considered at this point to ensure that they comply with the new regime. Also, the organization will need to prepare and train its staff so that once full compliance has been reached, it shall be maintained.
There is no doubt that there is much work ahead of financial institutions until they achieve compliance. There is also a new level of risk liability on their management which is specifically dealt with in the scope of the GDPR. On the other hand, as individuals, we must embrace the GDPR and be more optimistic as to how our data will, from now on, be treated and safeguarded especially when it concerns information regarding our financial matters.
The new changes under the GDPR will allow financial institutions to build better relationships with their customers and, as a result, will lead to greater transparency, built on trust and more respect for customers’ privacy.
Izhar Levy is an associate at Nir Porat & Co., Law Firm, whose expertise lies in data protection and the General Data Protection Regulation (GDPR).