Author: Steve Durbin, Managing Director, Information Security Forum (ISF)
It is no secret that the impending EU General Data Protection Regulation (GDPR) will impact every entity that holds or uses European personal data, both inside and outside of Europe. It starts from a position that says ‘citizens’ rights are paramount.’ But what does this mean for financial organisations?
Everyone from business people to consumers will have a GDPR footprint. Knowing what these footprints look like is the first step to becoming aware of what the regulation means and the data that it affects.
Finding the Footprints in the Data
GDPR affords new rights to EU residents over their personal information, regardless of where it is processed. This includes the right to be forgotten, how data can be used and, importantly, that it should be protected against unauthorised disclosure. It mandates that personal data must not be transferred to jurisdictions that do not have equivalent data protection laws, unless suitable legal safeguards are in place. This includes treaties, such as the EU-US ‘Privacy Shield’ and contractual protections to bind the recipient to the laws of the source country; for example, ‘model clauses,’ ‘binding corporate rules,’ or obtaining unequivocal consent to transfer from the individual.
Article 4 of the regulation defines personal data as ‘any information relating to an identified or identifiable natural person … such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
It can include information obtained directly from someone, from other sources, and even inferred through processing or aggregation with other information.
Even if an individual’s name is removed, the data may still be personal in nature depending on additional information the organisation holds. For example, were the organisation to store a database anonymised with account numbers but also hold a separate record of customer contact details that includes the account number, then both would be deemed personal under this regulation.
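The account-number example above can be made concrete. The following is an added illustration, not code from the ISF guide or the article: it uses two small constructed datasets (invented account numbers, names and addresses) to show that a ledger with names stripped is re-linked to people the moment the same organisation also holds a contact record keyed on the account number, and how keyed pseudonymisation (an HMAC token, assumed here as the technique) removes that linkage for a recipient who is not given the key. The function names and the `secret` parameter are this example's own.

```python
import hmac
import hashlib

# Constructed sample data (no real customers): an "anonymised" ledger that
# carries only account numbers, and a separate contact record that also
# carries the account number.
LEDGER = [
    {"account": "40012345", "balance": 1250.00, "postcode_area": "EC2"},
    {"account": "40098765", "balance": -420.50, "postcode_area": "M1"},
]
CONTACTS = [
    {"account": "40012345", "name": "A. Example", "email": "a.example@invalid"},
    {"account": "40098765", "name": "B. Sample", "email": "b.sample@invalid"},
]


def link_records(ledger, contacts, key="account"):
    """Join two datasets on a shared identifier.

    If this join succeeds, the ledger is personal data under Article 4:
    the holder can relate every row to an identifiable person.
    """
    by_key = {c[key]: c for c in contacts}
    return [
        {**row, "name": by_key[row[key]]["name"], "email": by_key[row[key]]["email"]}
        for row in ledger
        if row[key] in by_key
    ]


def pseudonymise(ledger, secret, key="account"):
    """Replace the direct identifier with a keyed HMAC-SHA256 token.

    A recipient who does not hold `secret` cannot recompute tokens from
    account numbers they know, so a shared copy no longer links to CONTACTS.
    The organisation that keeps `secret` can still reverse the mapping, so
    for that organisation the data remains personal (pseudonymised, not
    anonymised) and stays in scope of the regulation.
    """
    out = []
    for row in ledger:
        token = hmac.new(secret, row[key].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({**{k: v for k, v in row.items() if k != key}, "token": token})
    return out


def linkable(pseudo_ledger, contacts, secret_guess, key="account"):
    """Return True if a holder of CONTACTS and `secret_guess` can re-link tokens."""
    tokens = {r["token"] for r in pseudo_ledger}
    for c in contacts:
        t = hmac.new(secret_guess, c[key].encode(), hashlib.sha256).hexdigest()[:16]
        if t in tokens:
            return True
    return False


if __name__ == "__main__":
    print("linked rows:", len(link_records(LEDGER, CONTACTS)))
    shared = pseudonymise(LEDGER, b"custody-held-key")
    print("recipient can relink:", linkable(shared, CONTACTS, b"not-the-key"))
```

The design point is the keyed token: an unkeyed hash of an account number is not pseudonymisation in any useful sense, because anyone who can enumerate plausible account numbers can recompute the hashes and rebuild the join. Whether the key is held by the sharing organisation is exactly the question the regulation asks when deciding whether a dataset is still personal for that organisation.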
What must be remembered is that it does not just cover customer information, but also employee details; and not just electronic records: paper records stored in a filing system or archive are subject to the new rules as well.
Following the Footprints
As explained above, GDPR is wide-reaching legislation that will touch on various data repositories within financial organisations that have potentially been gathered over many years. This will be further complicated by the evolving working practices. For instance, employees may have been utilising online data repositories to exchange data with colleagues, or even between their own devices.
Organisations will need to follow these data trails to identify where information is stored and ensure it is adequately protected.
Looking internally is just one element. Arguably, any and every business is sharing information in some way, shape or form. Organisations will need to ensure that these third parties are also applying the correct level of security so that they comply themselves.
One point that the European Commission has made is that this legislation is not just about fining organisations for suffering a data breach, but instead to encourage them to make the right moves towards compliance. This means organisations need to be able to demonstrate that they have taken reasonable steps to implement processes that allow them to identify personal information. Moreover, they must show they have placed reasonable protection around personal information, including any shared with third-parties, prove that they can remove data in a reasonable timeframe if requested and be able to report a breach within 72 hours.
Protecting the Footprints
Data protection is the combination of processes and technologies that ensure personal data is processed in accordance with an individual’s wishes and the requirements of the law. Here are five steps to help financial organisations assess and manage these requirements:
Determine applicability: examine personal data processing activities to determine if GDPR applies and, if so, identify the data, functions or business units who may process it. Should the organisation share personal data with a third-party, it is still responsible for ensuring adequate protection is in place. Third party (processor) assurances should be requested ahead of next May’s regulation introduction.
Evaluate controls: implement specific, defined controls over personal data if the number of records exceeds a certain size, a certain level of sensitivity, or when processing of personal data is the main activity of the organisation.
Assess capabilities: GDPR stipulates a number of ‘outcomes’ and organisations need to make sure that they have the capabilities to achieve these requirements or, if needed, seek additional external support. For example, source legal guidance, employ an independent audit to check controls, seek advice and/or assistance from management consultants, etc. There is also a wealth of information, such as ISF’s ‘Preparing for the GDPR: Implementation Guide’, where organisations can find practical advice and guidance.
Understand consequences: Failure to uphold information rights can carry a fine of up to 4% of the organisation’s group turnover or €20m, whichever is the greater. In addition, failure to implement the specified controls can carry a fine of up to 2% of the organisation’s group turnover or €10m, even if information rights have been upheld. Companies cannot underestimate the potential impact of an enforcement action, which is just as significant – particularly if it requires an organisation to suspend business activities whilst it remedies data protection problems – not to mention the associated adverse publicity arising from a data protection incident. An organisation should ensure that these new consequences are reflected in risk assessments and mitigated by training, procedural, technical and legal controls.
Prepare for compliance: The GDPR will be enforced from 25 May 2018 and an organisation should understand which aspects of its preparations will – or will not – be in place by that time so that they can plan their implementations and mitigate residual risks if they are not ready.
To become compliant with GDPR could require an immense amount of effort, but the bolstered security could prevent a brand-destroying data breach. If the worst were to happen, the organisation would be able to demonstrate that it had acted responsibly and implemented reasonable protection, supported by evidence such as audit trails, vulnerability assessments and risk assessments, which show that the organisation and its senior management take their responsibility to protect sensitive information seriously. While it may not prevent a fine being levied, it should limit the amount imposed.
Rather than being seen as an inhibitor, good data protection practices actively protect both brand and reputation and can ultimately improve data quality. It is an opportunity to enable strategic change that can help the business grow – just don’t leave it until May 2018 to identify the data footprints in your organisation.
ISF has published ‘Preparing for the GDPR: Implementation Guide’ to provide organisations with the structured method needed to achieve sufficient levels of compliance.