In: Finance
The impact of Personal Data Protection Act 2010 on banking industry & ways to manage the impact
Solution) The General Data Protection
Regulation (GDPR) will undoubtedly have an
impact on how businesses manage compliance in the coming years. The
banking and
finance sector is not immune. It does however already operate in a
heavily regulated
environment, because the type of personal data banks receive, while
not generally fitting
the definition of ‘sensitive personal data’ in the EU, is still
highly vulnerable data that could
see the data subject becoming a victim of fraud or other financial
crime. With the fast and ever changing information communication
technology, the financial service transactions today can be
conveniently conducted online from anywhere in the world. In recent
years we have seen an increase in number of incidents of
cyber
threat, security breach, data loss, identity theft and computer
crimes making headlines in
the media. This has prompted lawmakers and regulators across the
globe to engage in
implementing new legal frameworks and defining new obligations for
data security. But
the ever increasing number of data security breach continues to be
a top concern for the
government generally and the financial service sector in
Malaysia specifically.
So, what does the introduction of GDPR actually mean for financial institutions, and which areas should they be focusing on? Brickendon’s data experts take a look at five key areas of the GDPR legislation that will have the biggest impact on the sector.
1) Client consent
Under the terms of GDPR, personal data refers to anything that could be used to identify an individual, such as a name, email address, IP address, social media profile or social security number. By explicitly mandating firms to gain consent from customers about the personal data that is gathered – with no automatic opt-in option – individuals know what information organisations are holding.
Also, in the consent system, firms must clearly outline the purpose for which the data was collected and seek additional consent if firms want to share the information with third parties. In short, the aim of GDPR is to ensure customers retain the rights over their own data.
2) Right to data erasure
GDPR empowers every EU citizen with the right to data privacy. Under the terms, individuals can request access to, or the removal of, their own personal data from banks without the need for any outside authorisation. This is known as data portability. Financial institutions may keep some data to ensure compliance with other regulations, but in all other circumstances where there is no valid justification, the individual’s right to be forgotten applies.
3) Consequences of a breach
Previously, firms were able to adopt their own protocols in the event of a data breach. Now, however, GDPR mandates that data protection officers report any data breach to the supervisory authority of personal data within 72 hours. The notification should contain details regarding the nature of the breach, the categories and approximate number of individuals impacted, and the contact information of the data protection officer. Notification of the breach, the likely outcomes and the remediation must also be sent to the impacted customer without undue delays.
Liability in the event of any breach is significant. For serious violations, such as failing to gain consent to process data or a breach of privacy by design, companies will be fined up to €20m ($23m) or four percent of their global turnover – whichever is greater. Lesser violations, such as records not being in order or failure to notify the supervisory authorities, will incur fines of two percent of global turnover. These financial penalties are in addition to potential reputational damage and loss of future business.
4) Vendor management
IT systems form the backbone of every financial firm, with client data continually passing through multiple IT applications. Since GDPR is associated with client personal data, firms need to understand all data flows across their various systems. The increased trend towards outsourcing development and support functions means that personal client data is often accessed by external vendors, which significantly increases the data’s net exposure. Under GDPR, vendors cannot disassociate themselves from obligations towards data access. Similarly, non-EU organisations working in collaboration with EU banks or serving EU citizens need to ensure vigilance while sharing data across borders. In effect, GDPR imposes end-to-end accountability to ensure client data stays well protected; it does this by compelling not only the bank but also its support functions to embrace compliance.
5) Pseudonymisation
GDPR applies to all potential client data wherever it is found – whether it is in a live production environment, during the development process, or in the middle of a testing programme. It is quite common to mask data across non-production environments to hide sensitive client data. Under GDPR, data must also be pseudonymised into artificial identifiers in the live production environment. These data masking or pseudonymisation rules aim to ensure the data access stays within the realms of the ‘need to know’ obligations.
Given the wide reach of the GDPR legislation, there is no doubt that financial organisations need to re-model their existing systems or create newer systems with the concept of Privacy by Design embedded into their operating ideologies. With the close proximity of the compliance deadline, firms must do this now.
There are three steps that companies must now embark on: identify client data access and capture points; collaborate with clients to gain consent for justified usage of personal data; and remediate data access breach issues. Failure to do at least one of these now not only cause financial pain in the long run, but will also erode client confidence.
A study published earlier this year by Close Brothers UK found that an alarming 82 percent of the UK’s small and medium businesses were unaware of GDPR. Recognising the importance of GDPR and acting on it is therefore the need of the hour.