Europe’s new General Data Protection Regulation, effective May 2018, will require financial firms to do a lot more than invest in technology to protect sensitive data from a cybersecurity breach or other loss.
Compliance, operations, marketing, sales and even human resource managers at financial firms across the globe will need to establish the right processes and controls to guarantee the privacy rights of customers and employees, warn data privacy experts. Any information governance program must be documented and stand up to regulatory scrutiny.
Penalties for non-compliance with the GDPR will be steep. A firm can face a fine of up to €20 million or up to 4 percent of its global annual revenue for the preceding financial year, whichever is greater. A lower tier of up to €10 million or up to 2 percent of global revenue applies to other infringements, including inadequate security measures, late breach notification and the obligations placed on data processors, and processors can be fined directly rather than only through their clients. An industry working group tackling implementation of the GDPR has published guidance on how a firm can identify its data protection supervisory authority, the regulatory entity responsible for enforcing the GDPR. In the case of a global organization with an EU presence, the lead authority will be located in the country where the firm has its main establishment. A firm headquartered outside the EU with no establishment there does not get a single lead authority: the supervisory authority of each member state whose residents are affected is competent, and the firm must appoint a representative within the EU.
So what’s new about the GDPR? “Although EU member countries always had data privacy rules, they differed by nation and penalties were often limited in scope,” explains Robin de Wit, an attorney specializing in data privacy protection with the law firm of DLA Piper in Amsterdam. The GDPR also clarifies its reach: it applies data privacy rules to third-party data processors as well as to firms located outside the EU. The GDPR will affect any organization which targets its products or services at European residents or monitors the behavior of European residents, including through online tracking. It doesn’t matter whether the firm has a physical presence in Europe. Despite Brexit looming, the UK has committed to implementing the GDPR by the same deadline as its European peers.
Last but not least, the GDPR elaborates on the meaning of personal data. “Personal data [as clarified in the GDPR] refers to a wide range of identifying information on the customer or employee beyond their name, identification number and address,” explains de Wit. “It is all data that can be traced back to the customer or employee, including IP addresses, location data and data retrieved from cookies.”
What to Do
Given that financial firms have only a year to comply with the GDPR, they don’t have much time to waste. For starters, they must figure out where customer and employee data is located, how it is being used and whether it is being transferred between subsidiaries, within the EU or across continents. Because most large firms have dozens if not hundreds of applications holding customer and employee data, documenting its whereabouts and usage won’t be easy. “What might sound like a straightforward task could end up being one of the most time-consuming challenges involving IT, marketing, sales and HR departments,” explains Alex van der Wolk, a partner in Brussels specializing in data privacy compliance with the law firm of Morrison & Foerster.
Once firms have created a data inventory, in some instances they must also complete a data protection impact assessment for processing that is likely to put individuals at high risk. That means evaluating more than just the potential for financial loss if the data falls into the wrong hands. “The GDPR calls on firms to evaluate the impact their use of the data may have on individuals, essentially putting themselves in the shoes of customers and employees,” says van der Wolk. “It could end up including a subjective analysis which risks being called into question by a regulator.”
Financial firms can be expected to already have dedicated privacy departments in place to enforce current regulations on preventing data loss and ensuring data privacy. However, the GDPR now wants them to go one step further and appoint data protection officers (DPOs) if their core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data.
“The DPO won’t face personal liability in the case of non-compliance with the GDPR, but because the penalty to the firm is so huge, the firm must take extra precautions to ensure it appoints the right person to the job,” says de Wit. The International Association of Privacy Professionals (IAPP) has estimated that about 75,000 data protection officers will be needed to comply with the GDPR, with European and US firms having to hire 28,000 DPOs for the first time.
That’s easier said than done. The DPO must have experience in privacy regulations, technology and data management. Because conflicts of interest are prohibited, senior management, heads of IT and marketing directors can’t be on the short list of candidates for the job: their existing duties would conflict with their ability to objectively create and manage a data protection program. The IAPP has estimated that 40 percent of firms will rely on their current privacy leaders while 50 percent will appoint someone from within. Only 10 percent will outsource the task.
Bart Willemsen, a research director focused on data privacy compliance with Gartner Group, a technology research firm headquartered in Stamford, Connecticut, recommends that DPOs establish an information governance framework for accountability from the time the data is first processed to the time it may be deleted. That framework should include appointing business process owners to evaluate existing and new processing activities, including where the data is stored and how it is being used. Firms should also document any analysis and future changes. “Reviewing existing business processes where personal data is involved for the first time could take anywhere from a week to up to three months,” cautions Willemsen, who suggests that legal advisors and business operations managers be involved in the analysis.
Among the DPO’s most important responsibilities will be ensuring that the firm’s agreements with third-party data processors support the requirements of the GDPR. That means the service providers must set up the same processes and procedures as the data controller, their client. The financial firm’s compliance with the GDPR is only as good as its weakest link. If a data processor fails, both the client and the service provider can be fined separately. “For the next year, financial firms will need to update agreements and conduct vendor risk assessments and audits to ensure vendors won’t trigger liability under the GDPR,” recommends Constantine Karbaliotis, vice president of data privacy solutions for Nymity, a Toronto-headquartered firm providing research and compliance monitoring tools for data privacy officers.
One of the most difficult aspects of complying with the GDPR, warn data privacy experts, will be protecting the rights of customers and employees. The GDPR shifts the approach in the way firms determine what is fair and legal processing of data. Individuals will have a much greater say in the decision-making process. They can ask how their data is being processed, where it is located and how it is being used, including what profile has been established. They can even ask for a copy of the data in a portable format to take to another organization. “Many firms do not have the processes and technologies in place to respond to subject-access requests,” warns Karbaliotis, who urges them to start creating the correct framework.
Answering questions could open a Pandora’s box of more work and even liability. Where a firm relies on consent as its legal basis for using the data, the GDPR requires that consent to be an unambiguous, affirmative act, such as ticking an unticked box; pre-ticked boxes, silence or inactivity do not count. If the customer or employee disagrees with how the data is being used, they can object to the processing; if they dispute its accuracy, they can demand that it be corrected. The firm could also be asked to delete all reference to the customer. That means erasing data from its own records and applications and ensuring that any third-party vendors with which the data has been shared do the same.
Financial firms can reduce the potential of being fined by showing they have reduced the potential harm to customers or employees if their personal data falls into the wrong hands. One such process, known as pseudonymization, can also help firms protect personal information shared with third parties while retaining the ability to re-identify the individual. Direct identifiers are replaced with a code, and the key that links codes back to individuals is held separately from the pseudonymized data; the data has not been irreversibly anonymized, so it still counts as personal data under the GDPR. The result is data that can still be used by the firm but cannot be traced back to any specific individual by whoever obtains it in a breach, explains van der Wolk.
The GDPR also gives customers and employees the right to be notified if a data breach has occurred. The regulation requires a firm to inform its supervisory authority within 72 hours of becoming aware of the breach, describing the nature of the breach, what data has been stolen or lost, its likely consequences and what the firm is doing to mitigate potential harm to affected parties. Affected customers and employees must also be notified without undue delay if there is a high risk to their rights and freedoms.
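The key-coded pseudonymization van der Wolk describes, as an added example written for this page and not taken from any of the firms or advisors quoted: direct identifiers (account number and name) are replaced with a keyed token, the token-to-identity mapping lives in a separate store that is never shipped with the shared data, re-identification and erasure happen only through that store, and a plain unkeyed hash is shown beside it to illustrate why it is not an adequate substitute when the identifier space is small enough to guess. The account numbers and names are constructed sample data; the class and function names are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records; account numbers, names and balances are made up.
CUSTOMERS: List[dict] = [
    {"account": "NL91ABNA0417164300", "name": "A. Jansen", "balance": 1200},
    {"account": "NL20INGB0001234567", "name": "B. de Vries", "balance": 5400},
]
DIRECT_IDENTIFIERS = ("account", "name")


class Pseudonymizer:
    """Key-coded pseudonymization.

    Each direct identifier is replaced with an HMAC-SHA256 token under a secret
    key held by the controller.  The token -> identifier mapping is kept in a
    separate store (here a dict, in practice a separately access-controlled
    database) so that the pseudonymized dataset on its own cannot be linked
    back to a person, while the firm retains the ability to re-identify."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("pseudonymization key must be at least 32 bytes")
        self._key = key
        self._mapping: Dict[str, str] = {}  # token -> original identifier

    def token_for(self, identifier: str) -> str:
        # Deterministic, so the same customer gets the same token across
        # datasets and joins still work without exposing the identifier.
        tok = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        self._mapping[tok] = identifier
        return tok

    def pseudonymize(self, records: Iterable[dict]) -> List[dict]:
        """Return copies of the records with direct identifiers replaced by a token."""
        out = []
        for rec in records:
            copy = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            copy["subject"] = self.token_for(rec["account"])
            out.append(copy)
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Look the token up in the separately held mapping; None if unknown or erased."""
        return self._mapping.get(token)

    def erase(self, token: str) -> bool:
        """Honour an erasure request by dropping the link; the shared dataset
        keeps the token but it can no longer be resolved to a person."""
        return self._mapping.pop(token, None) is not None


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: what a firm might wrongly reach for."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:32]


def dictionary_attack(target: str, candidates: Iterable[str],
                      guess: Callable[[str], str]) -> Optional[str]:
    """Recover an identifier from its token by trying each candidate through
    the guessed tokenization function.  Succeeds against the unkeyed hash
    because account numbers are guessable; fails against the keyed token
    because the attacker does not hold the key."""
    for cand in candidates:
        if hmac.compare_digest(guess(cand), target):
            return cand
    return None


if __name__ == "__main__":
    controller = Pseudonymizer(secrets.token_bytes(32))
    shared = controller.pseudonymize(CUSTOMERS)          # what a vendor receives
    guesses = [c["account"] for c in CUSTOMERS]          # attacker's guess list
    print("shared dataset:", shared)
    print("keyed token recovered:",
          dictionary_attack(shared[0]["subject"], guesses, naive_pseudonym))
    print("naive hash recovered:",
          dictionary_attack(naive_pseudonym(guesses[0]), guesses, naive_pseudonym))
    print("re-identified by controller:", controller.reidentify(shared[0]["subject"]))
    controller.erase(shared[0]["subject"])
    print("after erasure:", controller.reidentify(shared[0]["subject"]))
```

The two-store split is what makes this pseudonymization rather than a rename: a vendor or an attacker holding only `shared` has tokens and balances, while the mapping and the key stay with the controller. Note that the remaining attributes can still act as quasi-identifiers (a balance plus a date may single someone out), so pseudonymization reduces risk but does not make the data anonymous.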
What does that mean? A lot more than simply whether the breach has cost a customer or employee any financial loss. “The GDPR reflects the European concept of privacy as a human right,” explains de Wit. “Data privacy is considered to be just as important as free speech, free thought and freedom from discrimination.”
Firms which fail to meet the GDPR’s requirements won’t face the highest penalties for a security breach alone. Rather, violating the rights of customers and employees over how their data is to be used and when it should be deleted will carry the steepest fines.