Four practical tips for financial firms preparing for the EU GDPR
Financial services organisations hold significant amounts of their clients’ sensitive information: not just details of financial transactions and financial standing, but also personally identifiable information such as names, residential addresses and dates of birth. Should this information be accessed by an unauthorised third party, whether because it is lost or stolen, there is serious scope for identity theft and fraud.
For financial services firms themselves, data breach incidents have far-reaching ramifications: reputational damage (see ‘Tesco cyber-raid raises serious questions over UK banks’ security’) that often leads to client losses and subsequent revenue losses, and direct financial costs including providing credit monitoring and fraud protection services, regulatory fines and remedial security work (see ‘What was the cost of the JP Morgan Chase data breach?’).
As the new standard for data protection legislation in Europe, the EU General Data Protection Regulation (GDPR) is set only to make these consequences more severe.
Currently, an organisation in the UK found to have suffered a data breach, whether it announces the incident itself or a third party reports it, can face a fine of up to £500,000 from the Information Commissioner’s Office (ICO). However, few sectors are currently required to report breaches. All organisations are encouraged to do so, and being forthcoming can count in their favour when a penalty is set, but there is always a chance that a breach goes unreported for a significant length of time.
The EU GDPR is going to change this considerably.
Amongst many alterations to data protection law, the EU GDPR brings with it two serious implications for organisations who suffer a breach:
- Mandatory reporting of data breaches. An organisation that suffers a personal data breach must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected, and this applies regardless of sector.
- Financial penalties of up to 4% of annual global turnover or €20m, whichever is higher. Fines are only one part of the cost of a breach, so the total cost of an incident is set to rise sharply.
How, then, can financial firms comply with the regulation and protect themselves from these ramifications?
1. Improve understanding
If you don’t understand the types of data your organisation is handling or how it is being handled, how can you expect to put adequate protection measures in place?
This must start with a review of who has access to personally and commercially sensitive data, why they access it, what they do with it and the technology in place to secure it. Next, the results must be analysed in light of the upcoming changes to establish whether current systems and processes are suitable, so you can retain those that are and improve or replace any that fall short. This keeps the amount of change to a minimum, but it also provides an opportunity to redefine the security technology required to operate under the EU GDPR. Legacy technology and processes can be updated to take advantage of advances, for example in ease of use, which helps user adoption (a crucial factor in ensuring employees are not themselves causing data breaches through mistakes).
2. Prepare your people
For the most part, people accept the importance of data security and the technology required to enforce it.
What they don’t want are processes and systems that seem arbitrary or are difficult to use.
Educating and training staff must therefore be primary considerations for any new data protection strategy. This must encompass guidance on the types of information that need protecting and easy access to technology that staff know how to use. By taking this approach, financial firms can ensure their people are their first line of defence rather than their greatest vulnerability.
Alongside enabling users to make the correct choices, organisations need to decide when to take decision-making away – for example enforcing encryption of emails containing sensitive information or classified documents at the gateway or blocking access to insecure file sharing sites. As a result, organisations can enforce their data protection policies without necessarily relying on employees to make the right choices all of the time.
3. Embrace technology
The EU GDPR explicitly names encryption as an appropriate technical measure and offers a concrete benefit for using it:
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data (Article 32 – Security of processing)
- Notifying data subjects about a breach of their personal information is not required provided the data was protected by appropriate technical and organisational measures, ‘in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption’ (Article 34 – Communication of a personal data breach to the data subject)
The intelligence gathered in Step One should, therefore, be used to invest in data security technology that:
- Offers the correct level of protection. Certifications and accreditations can provide an initial indication of the security and assurance offered. Functionality should also be examined – for example, controlling what third party recipients do with data, such as the ability to download documents or copy and paste information elsewhere; applying multi-factor authentication; or revoking access to one or more recipients in real time.
- Is easy to use. Ease of use is directly linked to end-user adoption, so organisations need to make it as easy as possible for staff to access encryption technology: single sign-on via ADFS or SAML 2.0, integration with existing tools (e.g. deploying email encryption directly from Outlook so users don’t have to log on to a separate system), and scanning content for keywords to prompt users to classify documents and / or encrypt content.
- Supports pre-established ways of working. If, for example, staff share information via file sharing / collaboration sites, you shouldn’t automatically assume they can change to email to support the business case for email encryption. There is likely a range of factors as to why this method was used in the first place, including file size, download issues and simplified version control. A secure collaborative environment is much more suitable in this circumstance.
4. Scrutinise the changes you make
As with any strategy, you need to measure the changes you make and their effects so that the programme can keep improving. You cannot be sure you are protecting data to the necessary level unless you can prove it, and any change in the types of information being handled, or in who handles it, may require new policies, approaches or technology.
Auditing and reporting also form a strong foundation for your response should a client submit a Subject Access Request (SAR) or, if the worst happens, your organisation suffers a breach.
When examining existing technology or implementing new technology, financial services organisations should therefore ensure it produces audit logs and can generate the reports they need, including reporting on which content staff have encrypted and which they have sent in the clear.
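To make the gateway control described in Step Two concrete (encrypt at the gateway, or block, when an outbound message carries personal data or a classification label), together with the audit trail Step Four calls for, here is an added example in Python. It is not code from the original article or from any product; the detection patterns, the internal domain list, the bulk threshold and the sample messages are all constructed assumptions. It rejects digit runs that fail the Luhn check so that plain reference numbers do not trip the card-number rule, and the audit record keeps the decision and the names of the detectors that fired, never the personal data itself.

```python
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example-bank.test"}   # assumed: the firm's own mail domains
BULK_CARD_THRESHOLD = 5                     # assumed: this many card numbers in one mail is a bulk export

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number, simplified (the real prefix rules are stricter).
NINO_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
# A date of birth introduced by a keyword, so bare dates do not trigger.
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", re.I)
# Classification labels staff may already have placed in the subject or body.
LABEL_RE = re.compile(r"\[(?:CONFIDENTIAL|RESTRICTED)\]", re.I)
DETECTORS = {"nino": NINO_RE, "date_of_birth": DOB_RE, "classification_label": LABEL_RE}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops account or reference numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Decision:
    action: str      # "allow", "encrypt" or "block"
    reasons: list    # detector names that fired, e.g. ["card_number"]
    card_count: int

    def audit_record(self, msg: Message) -> dict:
        """The audit log keeps the decision and why it was taken, never the data itself."""
        return {"msg_id": msg.msg_id, "sender": msg.sender,
                "recipient_domain": msg.recipient.rsplit("@", 1)[-1],
                "action": self.action, "reasons": sorted(set(self.reasons))}


def scan(text: str) -> tuple:
    """Return (reasons, card_count); evidence is counted, never copied out."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    reasons = ["card_number"] if cards else []
    reasons += [name for name, rx in DETECTORS.items() if rx.search(text)]
    return reasons, len(cards)


def decide(msg: Message) -> Decision:
    """Apply the gateway policy to one outbound message."""
    reasons, card_count = scan(f"{msg.subject}\n{msg.body}")
    external = msg.recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    if external and card_count >= BULK_CARD_THRESHOLD:
        action = "block"      # bulk card data leaving the firm: stop it and raise it
    elif external and reasons:
        action = "encrypt"    # personal data or a labelled document: encrypt at the gateway
    else:
        action = "allow"      # internal traffic, or nothing sensitive found (still logged)
    return Decision(action, reasons, card_count)


def process(messages: list) -> list:
    """Run the policy over a batch and return the audit records for reporting."""
    return [decide(m).audit_record(m) for m in messages]


# Constructed sample traffic for the example; none of it is real data.
SAMPLES = [
    Message("m1", "advisor@example-bank.test", "client@mail.test", "Your application",
            "Hi Ann, I have noted your DOB: 12/03/1985 from the form."),
    Message("m2", "ops@example-bank.test", "colleague@example-bank.test", "KYC check",
            "NINO QQ 12 34 56 C verified against the register."),
    Message("m3", "advisor@example-bank.test", "client@mail.test", "Reference number",
            "Your reference is 1234 5678 9012 3456, please quote it when calling."),
    Message("m4", "advisor@example-bank.test", "client@mail.test", "Card details",
            "The card on file ends 4111 1111 1111 1111, please confirm."),
    Message("m5", "analyst@example-bank.test", "partner@mail.test",
            "[RESTRICTED] Q3 exposure report", "Attached: counterparty exposure summary."),
    Message("m6", "ops@example-bank.test", "vendor@mail.test", "Card export",
            "For reconciliation:\n4111 1111 1111 1111\n5500 0000 0000 0004\n"
            "3400 0000 0000 009\n6011 0000 0000 0004\n4012 8888 8888 1881"),
]

if __name__ == "__main__":
    for record in process(SAMPLES):
        print(record)
```

Running the module prints one audit record per sample message: the date of birth, the Luhn-valid card number and the labelled report going to external recipients are encrypted, the internal NI number is allowed but still logged, the reference number that fails the Luhn check is left alone, and the five-card export is blocked. In a real deployment the decision would be returned to the mail transfer agent and the records fed to the reporting system used for SAR and breach responses.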
Financial services firms need to use the time between now and 25th May 2018 wisely. Data protection must be put at the top of the decision-making agenda, with a full information security strategy designed to protect clients’ sensitive data and implemented effectively by the time the legislation comes into force. Otherwise, we can expect to see an increase in the number of data breaches reported to the ICO and harsher penalties levied for non-compliance.