The General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and the anticipation of its arrival has left many financial services companies questioning how they collect, store, and protect their customers’ Personally Identifiable Information (PII). For global financial services companies that regularly process sensitive customer data, particularly that of EU citizens, staying on top of GDPR compliance requirements presents both significant opportunities and challenges.
Despite the arrival of GDPR, many financial services companies still can’t confidently identify where PII resides within their organizations, let alone monitor and protect that data. Additionally, many organizations are not well versed in how unstructured data (and other overlooked sources of PII) factor into the compliance equation.
Here’s what global financial services companies need to know to stay two steps ahead of GDPR.
What is General Data Protection Regulation (GDPR)?
Since the first data protection principles were created in the EU in 1980, the pace of technological change, increasing data volumes, and high-profile data breaches have put pressure on governments to close the gap between data protection reality and regulation. GDPR was created to bridge that divide and shore up the processes and policies that protect the PII of EU residents. The new legislation includes sweeping changes that will impact financial services organizations around the globe. Highlights include:
A. Increased Territorial Scope
GDPR applies to any organization, anywhere in the world, that offers goods or services to individuals in the EU and/or monitors the data of subjects within the EU. All financial services organizations, even those based in North America and other markets, must comply with the new regulations if they store any customer data on EU residents.
Companies can no longer use convoluted terms and conditions filled with legalese to ask for consent to use data. Consent requests must be clear and easily understandable.
C. Breach Notification
Customers must be informed when their data has been compromised.
D. Right to Access
Customers have the right to know how their data is being used, and to receive a copy of their data upon request.
E. Right to be Forgotten
Customers have the right to have their data removed, and for the organization to stop using it.
F. Data Portability
Customers have the right to receive their own data (in a machine-readable format) and transmit it to another organization.
G. Privacy by Design
Customer privacy should be designed into all new systems within an organization, not added on at a later date.
H. Data Protection Officers
Companies should install a point person to handle data protection, who becomes the contact for local data protection agencies.
Why should your organization become GDPR compliant?
There are significant benefits to becoming GDPR compliant. GDPR compliance enables greater protection of PII and gives customers increased control over their own data. It also allows financial services organizations to wave their “privacy flag” and build a more trustworthy brand. Today’s discerning customers are increasingly concerned about the protection of their personal information, and becoming GDPR compliant may become a point of differentiation.
On the other hand, non-compliance can result in severe penalties for all organizations who work with EU residents’ private data. In the most serious cases—such as not having sufficient customer consent to process data or violating the Privacy by Design concepts—failing companies can be fined up to four percent of their annual global turnover or €20 million, whichever is greater.
What challenges does GDPR present to financial services organizations?
Most financial services companies have already implemented processes and policies to comply with existing regulations, but now they face even greater operational challenges in adapting those practices to the higher GDPR standards. The changes are so sweeping that they affect all parts of the organization. GDPR is more than just an IT headache—it requires that the highest levels of management plan for data privacy, that the appropriate architectures are put in place to ensure customer data is handled properly, and that all staff understand how to manage PII.
At a more granular level, one of the biggest challenges facing financial services organizations transitioning to GDPR compliance is identifying all of the PII stored within the company. Before anything can be done to manage personal customer data, it must first be found within the millions of files stored in different repositories across an organization. Some of that data will be born-digital and searchable, but much of it will be unstructured.
To identify and protect each piece of PII, a company must convert all of its unstructured data into a format that can be easily searched for, found, and leveraged.
Manually processing millions of files is an expensive, time-consuming, and error-prone undertaking. Instead, an automated process is needed. All data should be automatically put through a nearly 100 percent accurate Optical Character Recognition (OCR) process, followed by the creation of metadata and the appropriate attributes. This ensures that document fidelity stays intact, and that a document with PII is flagged for processing according to the company’s GDPR procedures.
Once the legacy unstructured data has been transitioned to a searchable format, the organization still has to deal with the tens or hundreds of thousands of new documents ingested each day. Any comprehensive GDPR solution needs to be designed with an architecture that takes into account how those incoming files will be processed, so that they can be searched and manipulated to achieve GDPR compliance.
How can financial services organizations prepare for GDPR?
To efficiently and effectively transition to GDPR compliance—and embed data privacy and protection processes into every facet of business—financial services organizations need to follow several key steps:
1. Develop a GDPR strategy: Check existing data privacy policies and processes against GDPR requirements. Identify what changes are needed. Develop a transition plan for implementing the necessary process and policy changes.
2. Appoint key personnel: Companies whose core activities consist of regular and systematic monitoring of data subjects, or those who process sensitive information on a large scale, must appoint a Data Protection Officer. For any planned processing of personal data that is likely to result in a high risk to customers’ rights and freedoms, the controller will have to carry out a Privacy Impact Assessment (PIA) before being allowed to continue.
3. Convert unstructured data: Define and implement accurate and automated OCR processes for both legacy and incoming data. Identify all areas where PII is stored, and all PII data to be processed.
4. Define the ongoing compliance process: Set up a holistic concept for GDPR along the entire customer lifecycle. Create the architecture for how PII will be managed. Define what data will be redacted, deleted, stored and how it will be accessed.
Whether an organization does business in the EU or not, adhering to GDPR requirements is a necessity. GDPR is expected to set a new global data privacy standard and will likely set the pace for similar regulatory changes across North America and other key markets. Becoming GDPR compliant not only helps your organization to better serve its customers, but it also allows you to future-proof your business and stay on the cutting edge of global data privacy protection.