The General Data Protection Regulation (GDPR) will come into play on May 25th, 2018 and will affect the majority of organisations. We are going to cover the impacts of GDPR on the finance sector and why it’s important for organisations to start their GDPR journey now.
Data breaches are on the rise in financial services: according to MetricStream Research, 66% of global financial services institutions have experienced at least one cybersecurity attack in the last year. It is therefore vital that businesses prepare for GDPR so that the likelihood of data breaches is reduced, data is stored securely and encrypted, and processes are put in place to keep data protected. Lastly, the finance sector relies more heavily on technology than sectors such as retail, so it is especially important for organisations in this sector to manage data in the right way.
What personally identifiable information (PII) does the finance sector record?
• Social Security number
• Transaction involving financial products or services
• Account numbers
• Payment History
• Loan History
• Deposit Balances
• Credit or debit card purchases
How will GDPR affect the financial sector?
Often, financial institutions will process personal data in order to fulfil their duties under a contract with the data subject, such as an account agreement, loan contract or insurance policy as they have a legal obligation to do so. This is often unavoidable, so this PII will need to be protected.
For financial institutions, this means re-evaluating terms and conditions on existing contracts, notices and template agreements to ensure the data being collected complies with GDPR. For instance, if consent has previously been given, this consent may no longer suffice under the GDPR and may have to be obtained again.
Financial institutions are already subject to similar requirements under various national and European banking laws, but it needs to be verified whether these correspond with the GDPR obligations.
Profiling, or more precisely, automated decision-making based solely on profiling activities, is subject to strict rules under the GDPR e.g. gathering data for credit scores. Data transfers outside of the European Economic Area will generally remain prohibited.
Processing children’s data is a potential sticking point too. The regulation places a real focus on information held about children, leading firms, particularly in the banking and insurance spaces, to consider how they can verify the ages of the children whose data is held on their systems, and how they will obtain parental or guardian consent to process this information.
It’s important that the finance sector manages its IT systems, since client data continually passes through multiple IT applications. Because GDPR is concerned with client personal data, firms need to understand all data flows across their various systems.
Lastly, data subjects do not have a right to be forgotten when it comes to financial services.
MiFID II (as well as suitability, anti-money laundering and pension rules) requires the retention of data for years after an account is closed. GDPR doesn’t contradict this, but says that you should only store the data you need for as long as you need it.
7 steps you need to consider on your GDPR journey:
Below we have outlined 7 steps that businesses within the finance sector should consider when approaching GDPR compliance:
STEP 2: Be able to respond to data subjects’ rights and requests
STEP 3: Check how you obtain data and ensure it is up to date
STEP 4: Review your IT Security and Policies to protect against breaches
STEP 5: Review any data processing contracts, e.g. with MailChimp
STEP 6: Appoint a person in charge of data compliance
STEP 7: Update HR documentation and how it is held
How do I get started on my GDPR Journey?
At TechQuarters we have a three-stage approach: Data Discovery, Present and Protect. This solution is ideal for small to medium-sized organisations who want to get started on their GDPR journey.