The General Data Protection Regulation (GDPR) sets out the basic premise that individuals should have control over their own data and places restrictions on financial institutions and other organisations seeking to store, process or transmit that data.
Financial organisations are no strangers to privacy regulations, operating in one of the most heavily regulated industries in the world. While many organisations already have robust privacy practices, GDPR compliance still requires the attention of security and privacy professionals to ensure that their firms remain on the right side of the law.
There are serious implications for financial organisations if data is misused. Businesses must understand how they interact with personal information and obtain consent from individuals before taking action with the data they hold.
Here are four important factors any financial institution should think about when meeting GDPR requirements:
Appointing a Data Protection Officer (DPO)
The concept of a Data Protection Officer (DPO) for organisations processing personal data has been around for years. However, the appointment of a DPO is a mandatory requirement under GDPR for certain types of companies, regardless of their size or whether they are processing personal data in their capacity as a controller or processor.
Financial services have for a long time followed the tried-and-tested three lines of defence approach to compliance risk management: the first line being management control of frontline operations; the second being risk management and compliance oversight functions and the third being internal audit. A DPO in a bank or other financial institution sits clearly in the second line of defence.
A DPO is appointed to:
- Inform and advise the organisation of its obligations.
- Monitor compliance, including awareness-raising, staff training and audits.
- Cooperate with data protection authorities and act as a contact point.
There are currently no mandatory qualifications for who can be DPO, although the following people cannot be a DPO because of the likely conflict of interest: chief executive, chief financial officer, head of IT, head of marketing, chief operating officer or the head of HR. This makes it more likely that someone from in-house legal or compliance will be the popular choice. The person chosen must have ‘expert knowledge of data protection law and practices’.
Implementing a GDPR privacy compliance framework
Having an appropriate compliance framework in place ensures businesses not only avoid significant fines and reputational damage but can also demonstrate to customers that they’re trustworthy and responsible.
This can be achieved by a privacy compliance framework: a formal structure for managing the security of personal data.
If your organisation has not developed its own privacy compliance framework, there are currently two standards that you can use to ease your path to GDPR compliance: BS 10012:2017 and ISO/IEC 27701:2019.
Implementing these standards and achieving accredited certification will demonstrate to regulators such as the UK’s ICO (Information Commissioner’s Office) that you have carried out due diligence and are doing all you can to comply with the GDPR.
Investing in GDPR compliant tech for finance
As financial organisations undertake their GDPR compliance efforts, they may take advantage of a wide range of technology controls, third-party services and policy revisions designed to help them achieve compliance.
While financial businesses should approach GDPR as a business problem, some technologies can play a crucial role in achieving and maintaining GDPR compliance:
- Electronic discovery tools help organisations identify stores of personally identifiable information (PII) and build a data inventory by going through desktops, email accounts and servers. After locating information with a data discovery tool, the business can organise the information and decide whether to purge it or obtain appropriate consent.
- Advanced threat monitoring and protection tools help to enhance an organisation’s security posture by building profiles of normal activity and then detecting deviations from those behaviours.
- GDPR compliance frameworks monitor the user consent process and track compliance activities throughout the customer lifecycle. Compliance frameworks replace the manual tracking that many organisations perform in spreadsheets with an actionable solution that provides auditors with the confidence that GDPR compliance is being managed.
- Subject access request portals track a full lifecycle of consumer requests and assist the organisation with responding within legally mandated time frames.
These solutions are not always used as well as they should be by financial institutions. Users need to be clear about the value they hope to get from these tools before fully committing.
Navigating regulatory requirements and the ‘right to be forgotten’
The General Data Protection Regulation (GDPR) provides individuals with the right to request the erasure of personal data concerning them, also known as “the right to be forgotten”. Personal data must be erased if:
- The personal data is no longer necessary in relation to the purpose it was collected or processed for
- The individual withdraws their consent
- The individual objects to the processing of their data where the processing is on the basis of the employer’s legitimate interests
- The personal data has been unlawfully processed
- Erasure is required for compliance with a law to which the employer is subject
If one of the above grounds applies, the organisation must erase the personal data without undue delay.