Regulatory Rundown (Part Two)
GDPR: The Cost of Data Protection
This is the second post in a series of blogs where we explore the regulatory arena for U.S. and European financial markets. In our first post, MIFID II: Key Areas to Pay Attention to in 2018, we identified a few key areas worth tracking to understand the broader ramifications of that regulation in coming years. In this post, we discuss the EU General Data Protection Regulation, better known as GDPR, which comes into effect on May 25, 2018, and how it will affect the financial services industry, focusing specifically on IT security and data compliance.
GDPR’s effective date of May 25, 2018, is fast approaching, creating a frenzy as firms scramble to implement compliance measures. It is the first major overhaul of European data protection law in twenty years, and compliance is expected to place significant strain on companies. The goal is admirable: to give EU residents visibility into the breadth of personal data firms hold about them, and the rights to access, correct and erase it.
Firms based both inside and outside the EU will need to comply with GDPR, and time is of the essence. The financial services industry will feel the full force of GDPR compliance, as firms collect personal data and at times (with a lawful basis for doing so) share it with third-party vendors. Investment firms, wealth managers and vendors alike will need to put measures in place to comply with the regulation. Simply checking the box is out of the question for GDPR, as non-compliance penalties are significant.
In this blog post, we explore the impact GDPR will have on the financial services industry focusing on the importance of data compliance and IT security.
Why GDPR? Why now?
Given that GDPR is the first EU data protection regulatory change in nearly twenty years, many are asking: Why such stringent rules, and why now?
GDPR’s reach is expansive, affecting both EU and non-EU domiciled companies in many industries. Compliance isn’t straightforward: the personal data of every individual in the EU needs to be collected, stored and recorded securely, and the firm must be able to show where that data is, why it holds it and who can access it.
The increase in cybercrime, particularly in the financial services industry, has been one of the catalysts behind the comprehensive data protection regulation. 46% of businesses in the UK reported a cyber-attack or breach in 2016, up from 24% in 2015.
Non-compliance will have significant financial and reputational ramifications for firms. The maximum fine is €20 million or 4 percent of annual worldwide turnover for the preceding financial year, whichever is greater. Fines apply to infringements of the regulation generally, not only to breaches; when a breach does occur, the penalty takes into account its severity and duration, how many people were affected, whether the firm had appropriate technical and organisational controls in place, and how it responded. The amount of the fine, however, should be a lesser concern to firms than the reputational damage caused by the breach. Independent supervisory authorities can publish their enforcement decisions, effectively “naming and shaming” companies in violation of GDPR.
Why Pay Attention?
Although GDPR is an EU regulation, its reach spans the globe. Any firm that processes the personal data of individuals in the EU, whether by offering them services or by monitoring their behaviour, will need to comply with this regulation regardless of where the firm is located. Whether it is one European client or thousands, the obligations are the same. Non-compliance will result in steep fines and reputational damage.
Taking a Risk-based Approach Towards Compliance
A simple “check the box” approach towards GDPR compliance is out of the question. Financial services firms should resist taking a knee-jerk reaction to compliance and instead, take a risk-based approach when designing policies and procedures, identifying technology solutions and implementing training protocols. At the same time, firms will need to ensure their vendors have thorough policies and procedures in place to comply with the regulation.
To prepare for GDPR, financial services firms should have a firm grasp on the following areas:
- Audit where client data is stored and how it can be accessed
- Design risk-based procedures that include measures on how client data should be stored, how it should be shared, training for employees and what to do in the event of a data breach
- Establish the lawful basis for using clients’ personal data, and obtain clients’ consent where consent is that basis
Let’s explore each step further.
Know Your Data
Every firm manages client data differently, so there isn’t a quick, out-of-the-box solution for data management. Firms will need to know what personal data they hold, both in their systems and on paper. They should also have a firm grasp of the data flows for different functions such as client onboarding. Creating a process map will pinpoint where data is copied, transferred or exposed and where potential breaches can occur, making it straightforward to implement procedures and minimize data security threats.
Design Thorough Policies and Procedures
GDPR requires firms to have written policies and procedures in place. The procedures should be thorough but practical, again going back to taking a risk-based approach to client data management. The data audit firms initially perform will not only outline how data flows through the organization but where potential breaches can occur. Armed with this information, firms can draft effective processes and workflows to demonstrate GDPR data security compliance. The breach procedure should clearly cover detecting the breach, containing it, reporting it to the supervisory authority within 72 hours of becoming aware of it where the breach is likely to put individuals at risk, notifying affected clients where the risk to them is high, and putting more robust controls in place afterwards. The 72-hour clock starts when the firm becomes aware of the breach, so the procedure should define who decides that the firm is “aware” and record when that decision is made.
Obtain Clients’ Consent
To effectively protect clients’ personal data, firms must understand the data they currently hold. Under GDPR, personal data is anything that can identify a person, directly or indirectly, including their name, email address, social media profile or passport number. Firms are required to tell clients what data they hold and explain the purpose and lawful basis for holding it. Consent is only one of the lawful bases the regulation recognizes; where processing is necessary to perform the client contract or to meet a legal obligation such as anti-money-laundering checks, that basis applies and consent is not required. Where consent is the basis, it must be freely given, specific and clearly recorded: pre-ticked boxes and silence do not count, so firms need to reach out to clients to obtain valid consent before May.
Vendor management is an integral part of GDPR compliance as in many instances, vendors have access to personally identifiable information for financial services firms’ clients. With the growing use of third-party service providers in the financial services industry, firms will need to ascertain the data protection controls their servicing partners have in place.
While financial services firms are no strangers to regulation, GDPR is a whole different animal. It requires the secure collection of large amounts of customer data that is used for various purposes including client onboarding, relationship management, trade processing and accounting. The wide use of data exposes personally identifiable information to a large number of people across the organization.
With the general acceptance of outsourcing within the financial services industry, client data is often even more exposed than initially contemplated. GDPR is clear that vendors cannot disassociate themselves from data security obligations. The regulation holds all parties accountable for protecting client data thereby ensuring firms embrace compliance.
GDPR will force technology firms and other data and compliance vendors to adopt a more secure data management approach. Sophisticated third-party service providers hold an ISO 27001 certification or a SOC 2 attestation report. Both require ongoing testing and monitoring of internal controls and procedures, and both are audited periodically to confirm that procedures are being followed and that the established controls are effective. When selecting a third-party service provider, ask whether they have an industry-accepted certification or attestation and request a copy of the report. Check that its scope actually covers the services and locations you will use: an ISO 27001 certificate comes with a statement of applicability, and a SOC 2 Type II report describes the systems in scope and the period tested, and a report that excludes the relevant service tells you little about how your clients’ data is protected.
EU GDPR is the biggest shake-up in privacy legislation in twenty years and will have a significant impact on the financial services industry. Non-compliance is not an option, as the financial and reputational ramifications are steep. One thing is certain: financial services firms and their vendors will need to have robust data protections in place.