FinTech Trends Newsletter Week 12th Feb – 16th Feb 2018
Top 5 impacts of GDPR on the European Financial Services industry

With less than 100 days until the compliance deadline, this week's newsletter looks at how the legislation will affect the Financial Services industry. Amid growing concern about personal data being exposed through identity theft, cyberattacks and unethical use, the EU has introduced the General Data Protection Regulation (GDPR), which replaces the 1995 Data Protection Directive with a single set of rules applying to any organisation that processes the personal data of people in the EU, whatever the nature of its operations. Just as importantly, GDPR aims to make individuals aware of what data institutions hold about them and to strengthen their rights over that information. All organisations must comply by 25 May 2018. Below are the five areas of GDPR that will have the biggest impact on banks, hedge funds and the wider financial sector.
1) Client consent – Under GDPR, personal data is any information relating to an identifiable individual, such as a name, email address, IP address, social media profile or national identification number. Where a firm relies on consent to process that data, the consent must be freely given, specific, informed and unambiguous: silence, pre-ticked boxes or inactivity do not count, so there is no automatic opt-in. Firms must also state clearly the purpose for which data is collected and obtain fresh consent before using it for a new purpose or sharing it with third parties. Consent is not the only lawful basis (performance of a contract and legal obligations such as anti-money-laundering checks are others), but whichever basis applies, the aim of GDPR is that customers retain control over their own data.
2) Right to data erasure – GDPR gives individuals the right to request access to the personal data an institution holds about them (the right of access) and, in defined circumstances, to have it deleted (the right to erasure, or ‘right to be forgotten’), without needing any outside authorisation. A separate right, data portability, lets them receive that data in a machine-readable format and move it to another provider. Financial institutions may retain data where another legal obligation requires it, such as MiFID II record-keeping, but where no such justification exists the individual’s right to be forgotten applies.
3) Consequences of a breach – GDPR requires the data controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The notification must describe the nature of the breach, the approximate number of individuals and records affected, the likely consequences, the measures taken to address it, and the contact details of the data protection officer. Where the breach is likely to result in a high risk to individuals, the affected customers must also be informed without undue delay. Liability is significant. For the most serious violations, such as processing without a lawful basis or valid consent, infringing data subjects’ rights, or unlawful international transfers, fines can reach €20m ($23m) or four percent of global annual turnover, whichever is higher. Other violations, such as inadequate records of processing, failure to notify the supervisory authority, or failure to meet the data protection by design and security requirements, carry fines of up to €10m or two percent of global annual turnover, whichever is higher.
4) Vendor management – IT systems form the backbone of every financial firm, with client data continually passing through multiple applications. Because GDPR follows the personal data, firms need to map all data flows across their systems. The trend towards outsourcing development and support means that personal client data is often accessed by external vendors, which significantly increases its exposure. Under GDPR, vendors acting as data processors have direct obligations of their own and must be bound by a written contract setting out how they handle the data; they cannot disassociate themselves from responsibility for the data they access. Equally, non-EU organisations working with EU financial institutions or serving EU residents need to be vigilant when transferring data across borders. GDPR effectively imposes end-to-end accountability: it compels not only the financial institution but also its support functions to comply.
5) Pseudonymisation – GDPR applies to personal data wherever it is found, whether in a live production environment or in testing and development. It is already common to mask data in non-production environments to hide sensitive client details. GDPR does not mandate pseudonymisation in production, but it names it as an appropriate safeguard for data protection by design and for the security of processing, and firms will be expected to apply it where it is proportionate to the risk. Pseudonymised data replaces direct identifiers with artificial ones while keeping the information needed to re-identify individuals separate and protected; it remains personal data under the regulation, so it still needs protecting, but it limits what any one system or team can see and helps keep data access within ‘need to know’ boundaries.
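The difference between masking and genuine pseudonymisation is easiest to see in code. The following is an added example, not code from the original newsletter or from Storm IT Financial: it pseudonymises an assumed client-record format with a keyed HMAC, shows why an unkeyed hash of a small identifier space is not pseudonymisation at all (a dictionary attack reverses it), and shows how the key holder, and only the key holder, can re-identify a record for a subject access request. The client records, the C-1000..C-9999 identifier format and the key handling are assumptions made for illustration.

```python
"""Pseudonymising client identifiers with a keyed function.

Added example, not code from the original newsletter or from Storm IT Financial.
The client records, ID format and key handling are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records (not real clients). The ID format C-1000..C-9999
# is assumed; its small size is what makes unkeyed hashing unsafe.
CLIENTS = [
    {"client_id": "C-1001", "email": "alice@example.com", "balance": 12500},
    {"client_id": "C-1002", "email": "bob@example.com", "balance": 830},
    {"client_id": "C-1001", "email": "alice@example.com", "balance": 12500},
]


def client_id_space() -> Iterable[str]:
    """Every identifier the assumed format can produce: only 9,000 values."""
    return (f"C-{n}" for n in range(1000, 10000))


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone can recompute it for every
    candidate identifier and recover the original."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret kept outside the data store (an HSM, KMS or a
    vault held by the data custodian). Deterministic, so records for one client
    still join across systems, but reversible only by someone holding the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a pseudonym and drop fields (here the
    email address) that downstream users do not need to know."""
    return [
        {"client_ref": keyed_pseudonym(r["client_id"], key), "balance": r["balance"]}
        for r in records
    ]


def dictionary_attack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Model an attacker who holds a pseudonymised extract but no key: hash each
    possible identifier with the unkeyed function and look for a match."""
    for cand in candidates:
        if naive_pseudonym(cand) == target:
            return cand
    return None


def reidentify(pseudonym: str, key: bytes, known_ids: Iterable[str]) -> Optional[str]:
    """What the custodian does for a subject access request: with the key, the
    same enumeration succeeds; with the wrong key it recovers nothing."""
    for cid in known_ids:
        if hmac.compare_digest(keyed_pseudonym(cid, key), pseudonym):
            return cid
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice fetched from a KMS, never stored with the data
    extract = pseudonymise(CLIENTS, key)
    print(extract)
    # The unkeyed scheme falls to a 9,000-guess dictionary attack.
    print(dictionary_attack(naive_pseudonym("C-1001"), client_id_space()))
    # The same attack against the keyed scheme recovers nothing.
    print(dictionary_attack(extract[0]["client_ref"], client_id_space()))
    # The custodian, holding the key, can still answer an access request.
    print(reidentify(extract[0]["client_ref"], key, client_id_space()))
```

Two points the code makes that the paragraph cannot: a hash of a low-entropy identifier (account numbers, national IDs, dates of birth) is reversible by brute force in seconds, so it is not pseudonymisation; and the pseudonym must stay deterministic under one key so that analytics and reconciliation across systems still work, which is exactly why the key, not the hashing algorithm, is what must be kept separate from the data.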
There are three steps companies must embark on now: identify where client data is captured and who can access it; work with clients to obtain consent where consent is the lawful basis for use; and remediate data access and breach issues. Failing to act now will not only cause financial pain in the long run but will also erode client confidence.
GDPR applies from 25 May 2018 and will have consequences for the way your firm manages its IT systems and data. Understanding GDPR is the first step towards putting in place the systems and processes needed to meet the new requirements. Contact Storm IT Financial for help and guidance about GDPR and its effects on your firm.
Storm IT Financial FinTech News & Trends picks: Week 12th Feb – 16th Feb 2018
Man Group boss says adopt big data or get ‘eaten alive’
Explosion of big data is changing the way professional investors are seeking to beat the markets:
https://www.fnlondon.com/articles/man-group-boss-says-adopt-big-data-or-get-eaten-alive-20180123
FCA in talks to iron out data protection rules
FCA in talks with the ICO to smooth out any inconsistencies between incoming data protection rules and the “wider regulatory landscape”:
https://www.ftadviser.com/regulation/2018/02/08/fca-in-talks-to-iron-out-data-protection-rules/
BBH: 5 Questions on The Year Ahead: An Asset Manager’s Perspective
Vanguard Asset Management Head discusses the key issues and trends shaping the global regulatory landscape:
https://ontheregs.com/2018/02/12/5-questions-on-the-year-ahead-an-asset-managers-perspective/
Finance and Accounting Robotic Process Automation a Priority As Over Half Plan to Improve Digital Controllership in 2018
Deloitte: 52.8 percent say their firm plan digital controllership improvements for financial and accounting processes, in the year ahead:
The RegTech Paradox
Over the last ten years it has become increasingly possible to turn bright technology ideas into smooth, working, scalable solutions:
https://www.technative.io/the-regtech-paradox/
Thomson Reuters: An agile approach to managing operational risk
The ability to respond to multiple sources of operational risk data will set successful firms apart. How does platform technology enable this?:
Why everyone should learn Fintech
Fintech is everywhere and everyone can now see how technology is changing finance…:
