5 Things the Financial Services Industry Needs to Know About the EU GDPR

The data regulation landscape is changing rapidly. Recent research found that in 2014 data breaches increased by 49% with more than a billion data records stolen or compromised - that’s 32 records lost or stolen every second. Incidents involving these institutions have shone the data regulation spotlight firmly on to financial institutions and this will only intensify with the upcoming EU General Data Protection Regulation (GDPR). The industry is already facing a steep challenge as it struggles to maintain public favour, and this new legislation could easily be its undoing unless the proper measures are taken.

What is the EU GDPR?

Back in 2012 the European Commission (EC) revealed its plan to completely revamp the 1995 EU Data Protection Directive, bringing it out of the Stone Age and making it fit for the Technology Age. Although this regulation is still only in its draft stage and is not expected to come into force before 2017, it is imperative that financial services organisations are aware of what’s on the horizon.  They need to start preparing for the colossal upheaval the regulatory changes will cause.

How will the EU GDPR affect the financial services industry?

1. 1.      Global reach - Not only will the new law apply throughout the EU, but also to organisations based outside of the EU that are active in the market and offer services to EU citizens. So, even though a bank may have all of its offices based in the US, if it handles the data of EU citizens, it can still be investigated, fined and even prosecuted under the upcoming regulation.
2. 2.      Customer notification - Where a data breach has occurred, the organisation has to notify all those affected by it unless it can prove that data is unreadable by anyone not authorised to access it. So, if 100,000 customers’ data is lost, via a stolen employee laptop for example, then a company must inform each customer that their data may have been compromised, unless it can show that device has been rendered inoperable. This can lead to significant brand damage, litigation and media reporting of the incident, as well as leading to significant cost in contacting the people affected.
3. 3.      Involvement of the authorities - Organisations will need to report a data breach within 24 hours. While it could be in the best interest of the organisation to report a breach within 24 hours, this is easier said than done. An employee may lose their device on a Friday evening and only report it on Monday morning or may be completely unaware that they’ve uploaded data onto the cloud for all to see.  Breaches also take time to deal with, so the first priority must lie with ensuring that the authorities are notified as soon as possible.
4. 4.      The need for a data protection officer – Organisations over a certain size will be obligated to appoint a properly trained data protection officer. And with the penalties set that much higher, it is advisable for large banks and other financial services organisations to seek out sound legal advice before choosing the correct candidate.
5. 5.      Heavy penalties - There are increased sanctions including fines of up to £100 million or up to two per cent of annual global turnover. Compared to the current maximum fine in the UK of £500,000 from the Information Commissioner’s Office, this new law dramatically increases the financial sanctions for data loss placed on organisations, and could be potentially devastating. A fine may be avoided if a company can prove it had data protection policies in place, provided suitable education to employees, and used the correct technology software.

With data comes responsibility

Technology and data carry great potential for change, and can revolutionise the way the financial sector operates and delivers its services. However, while the benefits are becoming clearer, there remains a great deal of scepticism regarding the safety of sensitive and critical information. There is a lot at stake should any organisation get this wrong: namely risks of heavy, potentially crippling fines as well as a massive blow to brand reputation. This could prove crucial in an age when banks are struggling to keep branches open and maintaining public favour will be the only way they can survive.  In an industry where public trust is already at an all-time low, the financial sector needs to work extra hard to stop its public image being damaged any further.

It’s clear that under the new laws with data comes great responsibility. As we get closer to the official launch of the legislation, there will be two types of financial services organisations; those that will only reactively make changes to their data protection policies once the law comes into force, and those who are proactively preparing for it. Given just how much is at stake it is imperative that the financial services sector takes active steps now to ensure they are ready for the new data regulation landscape.