Question

In: Finance

The impact of Personal Data Protection Act 2010 on banking industry & ways to manage the...

The impact of Personal Data Protection Act 2010 on banking industry & ways to manage the impact

Solutions

Expert Solution

Solution) The General Data Protection Regulation (GDPR) will undoubtedly have an
impact on how businesses manage compliance in the coming years. The banking and
finance sector is not immune. It does however already operate in a heavily regulated
environment, because the type of personal data banks receive, while not generally fitting
the definition of ‘sensitive personal data’ in the EU, is still highly vulnerable data that could
see the data subject becoming a victim of fraud or other financial crime. With the fast and ever changing information communication technology, the financial service transactions today can be conveniently conducted online from anywhere in the world. In recent years we have seen an increase in number of incidents of cyber
threat, security breach, data loss, identity theft and computer crimes making headlines in
the media. This has prompted lawmakers and regulators across the globe to engage in
implementing new legal frameworks and defining new obligations for data security. But
the ever increasing number of data security breach continues to be a top concern for the
government generally and the financial service sector in Malaysia specifically.

So, what does the introduction of GDPR actually mean for financial institutions, and which areas should they be focusing on? Brickendon’s data experts take a look at five key areas of the GDPR legislation that will have the biggest impact on the sector.

1) Client consent

Under the terms of GDPR, personal data refers to anything that could be used to identify an individual, such as a name, email address, IP address, social media profile or social security number. By explicitly mandating firms to gain consent from customers about the personal data that is gathered – with no automatic opt-in option – individuals know what information organisations are holding.

Also, in the consent system, firms must clearly outline the purpose for which the data was collected and seek additional consent if firms want to share the information with third parties. In short, the aim of GDPR is to ensure customers retain the rights over their own data.

2) Right to data erasure

GDPR empowers every EU citizen with the right to data privacy. Under the terms, individuals can request access to, or the removal of, their own personal data from banks without the need for any outside authorisation. This is known as data portability. Financial institutions may keep some data to ensure compliance with other regulations, but in all other circumstances where there is no valid justification, the individual’s right to be forgotten applies.

3) Consequences of a breach

Previously, firms were able to adopt their own protocols in the event of a data breach. Now, however, GDPR mandates that data protection officers report any data breach to the supervisory authority of personal data within 72 hours. The notification should contain details regarding the nature of the breach, the categories and approximate number of individuals impacted, and the contact information of the data protection officer. Notification of the breach, the likely outcomes and the remediation must also be sent to the impacted customer without undue delays.

Liability in the event of any breach is significant. For serious violations, such as failing to gain consent to process data or a breach of privacy by design, companies will be fined up to €20m ($23m) or four percent of their global turnover – whichever is greater. Lesser violations, such as records not being in order or failure to notify the supervisory authorities, will incur fines of two percent of global turnover. These financial penalties are in addition to potential reputational damage and loss of future business.

4) Vendor management

IT systems form the backbone of every financial firm, with client data continually passing through multiple IT applications. Since GDPR is associated with client personal data, firms need to understand all data flows across their various systems. The increased trend towards outsourcing development and support functions means that personal client data is often accessed by external vendors, which significantly increases the data’s net exposure. Under GDPR, vendors cannot disassociate themselves from obligations towards data access. Similarly, non-EU organisations working in collaboration with EU banks or serving EU citizens need to ensure vigilance while sharing data across borders. In effect, GDPR imposes end-to-end accountability to ensure client data stays well protected; it does this by compelling not only the bank but also its support functions to embrace compliance.

5) Pseudonymisation

GDPR applies to all potential client data wherever it is found – whether it is in a live production environment, during the development process, or in the middle of a testing programme. It is quite common to mask data across non-production environments to hide sensitive client data. Under GDPR, data must also be pseudonymised into artificial identifiers in the live production environment. These data masking or pseudonymisation rules aim to ensure the data access stays within the realms of the ‘need to know’ obligations.

Given the wide reach of the GDPR legislation, there is no doubt that financial organisations need to re-model their existing systems or create newer systems with the concept of Privacy by Design embedded into their operating ideologies. With the close proximity of the compliance deadline, firms must do this now.

There are three steps that companies must now embark on: identify client data access and capture points; collaborate with clients to gain consent for justified usage of personal data; and remediate data access breach issues. Failure to do at least one of these now not only cause financial pain in the long run, but will also erode client confidence.

A study published earlier this year by Close Brothers UK found that an alarming 82 percent of the UK’s small and medium businesses were unaware of GDPR. Recognising the importance of GDPR and acting on it is therefore the need of the hour.


Related Solutions

The impact of Personal Data Protection Act 2010 on banking industry & ways to manage the...
The impact of Personal Data Protection Act 2010 on banking industry & ways to manage the impact
what are ways to manage the impact of Personal Data Protection Act 2010 on banking industry?
what are ways to manage the impact of Personal Data Protection Act 2010 on banking industry?
what is the impact of Personal Data Protection Act 2010 on banking industry? and ways to...
what is the impact of Personal Data Protection Act 2010 on banking industry? and ways to manage the impact. answer in essay
what is the impact of Personal Data Protection Act 2010 on banking industry?
what is the impact of Personal Data Protection Act 2010 on banking industry?
This is the challenges/impact PDPA 2010 on banking industry. 1. Market Access The revised Payment Services...
This is the challenges/impact PDPA 2010 on banking industry. 1. Market Access The revised Payment Services Directive has resulted in the expansion in the list of activities that payment institutions can carry out. Payment institutions can provide account information for accounts held at other payment service providers. This is weaken the banks market power. 2. Consumer Preferences Retail consumers now demand to be able to integrate e-commerce, social media and retail payments. There is also an expectation to be able...
9. The Patient Protection and Affordable Care Act of 2010 (ACA 2010) resulted from which of...
9. The Patient Protection and Affordable Care Act of 2010 (ACA 2010) resulted from which of the following? a. A large number of lawsuits that occurred from lack of quality healthcare. b. Several protests among the healthcare system that occurred in the late 20th century. c. Bills that were introduced in Congress in 1980 and 1990. d. A disproportionate number of long-term care facilities available for the older adults in need. 10. Which of the following will be necessary to...
Which of the following are goals of the Patient Protection and Affordable Care Act of 2010?...
Which of the following are goals of the Patient Protection and Affordable Care Act of 2010? Select all that apply. A. Expand access to those without health coverage B. Eliminate insurance companies C. Improve affordability to those who are already covered D. Slow the annual rise in health care costs while not adding to the federal budget deficit
what could be the Impact of the blockchain on banking industry ?
what could be the Impact of the blockchain on banking industry ?
The Patient Protection and Affordable Care Act (PPACA) was passed into legislation in March of 2010....
The Patient Protection and Affordable Care Act (PPACA) was passed into legislation in March of 2010. Identify the impact of this legislation on your nursing practice by choosing two key nursing provisions outlined in the topic material "Nursing and Health Reform." Discuss how these two provisions have impacted, or will impact, your current practice of nursing.
One of the main goals of the ACA (Patient Protection and Affordable Care Act of 2010,...
One of the main goals of the ACA (Patient Protection and Affordable Care Act of 2010, aka Obamacare) was to provide affordable health care to the uninsured. 1. What were the THREE primary pieces of the law that were meant to provide coverage for everyone (other than undocumented immigrants, who were not going to be covered)? 2. Which of these three pieces was not able to be fully enacted because of a Supreme Court case in 2012 (ruled unconstitutional) and...
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT