GDPR: WHAT GLOBAL FINANCIAL SERVICES ORGANIZATIONS NEED TO KNOW
WHITE PAPER
INTRODUCTION
Data protection laws in Europe are more important than
ever—individuals are increasingly sensitive about privacy,
data protection breaches are daily headline news, and the
regulatory landscape is toughening up.
Along with changes in data protection laws, the world of
financial services regulation is also changing. Regulators
are more intensely scrutinizing the way financial services
organizations hold and manage data—particularly when
the actions of the organization could expose customers to
identity theft. As a result, financial services organizations
are facing a challenging environment for the foreseeable
future.
The past few years have brought significant developments
in data protection, including increased exercising of rights
and more aggressive enforcement by national regulators.
The biggest change to the data protection landscape is
now taking place with the introduction of newly revised
rules. The EU’s General Data Protection Regulation (GDPR)
brings many significant changes, and data protection
should be high on your compliance checklist.
A NEW DATA PROTECTION LANDSCAPE FOR THE EU
The new rules make European Union (EU) privacy laws
fit for the 21st century. There is a major emphasis on
enforcement, with increased fines of up to €20 million or
4% of an organization’s annual global revenue (whichever
is greater). In addition, it introduces data breach reporting
requirements similar to those that exist in most US states,
often with a deadline of 72 hours from detection of the
breach.
EU data protection rules prior to the GDPR were a reflection
of their time. They date from 1995, when the internet was
still in its infancy and only about 1% of people were online.
Much has changed: we now collectively create, send and
store huge amounts of data, and the resulting data security
breaches affect every sector through reputational loss and
regulatory action.
The financial services sector has been affected in its own
way. For example, the effects of the financial crisis of 2008
caused the EU to issue some 40 new pieces of financial
legislation over a six-year period. As a result, the European
Data Protection Supervisor (EDPS), an independent EU
supervisory authority whose responsibilities include
advising on legislation and policies that affect privacy,
issued new guidelines responding to concerns about the
onslaught of financial legislation.
OVERVIEW OF THE REGULATION
The new rules should be considered a reform rather than
a refinement of current data protection rules. The GDPR is
a recognition of a political impetus to have tougher laws,
as many people care more about data and breaches than
they did 20 years ago. The political fallout of the Snowden
and WikiLeaks revelations cannot be overstated. That
tide of opinion has influenced the courts (for example,
the Google “right to be forgotten” case in 2014 and the
Schrems “Safe Harbor” case in 2015) and it will influence
the law on a much wider scale in the future.
GDPR SECURITY BREACHES
The GDPR requires data processors (such as vendors) to
notify the data controller (such as a financial services
organization) of a personal data breach without undue
delay after becoming aware of it. The data controller is in
turn required to report the breach to a data protection
regulator within 72 hours of becoming aware of it, unless
the breach is unlikely to result in a risk to the rights and
freedoms of data subjects. Any notification made later than
72 hours must be accompanied by reasons for the delay.
In addition, data controllers must notify data subjects
without undue delay after becoming aware of a breach, if
that breach is likely to result in a high risk to their rights and
freedoms. The primary responsibility to report a security
breach to data protection regulators and data subjects
will be on the data controller, but many breaches occur
within vendors’ operations. As a result, vendors must
be contractually obligated to notify financial services
organizations in a timely manner, to allow them to deal
with their reporting obligations.
Data security breaches within the financial services
sector have been widely reported in the press in recent
years. In the UK, the Information Commissioner’s Office
(ICO) compiles statistics on security breaches, which
are likely to be underestimated as there is no general
data breach reporting requirement. The ICO’s figures put
financial services as fourth of 10 on the top-offenders list.
As a vulnerable sector, financial services will have to take
special care to put in place adequate policies, procedures
and training to ensure that breaches are reported within
the 72-hour period. In addition to reporting a breach to
data protection regulators and those individuals and/or
companies affected, organizations may need to notify
financial services regulators and other financial services
companies.
A SINGLE SET OF RULES
Two of the complaints about pre-GDPR data protection
rules were inconsistent enforcement and discretionary
implementation that changed between EU member
states. As a result, global organizations had to comply
with different rules and laws in each EU member state
where they did business. A key aim of the new rules is
to streamline and unify the enforcement process across
Europe. While the GDPR allows member states some
leeway in creating some additional rules and determining
how to deal with existing data protection laws, the main
set of laws and compliance structure is cohesive and
unified.
The single set of rules is expected to save organizations
money and time. The ICO estimated that the new rules will
result in business savings of around €2.3 billion per year,
although it has been reluctant to provide details of where
those savings would come from.
ONE-STOP SHOP
A very important aspect of the GDPR is that an organization
should have to deal with only one data protection
regulator, officially referred to under the new rules as a
(national) “supervisory authority.” However, the reality is
more complex.
• If an organization carries out data processing activities
that affect multiple EU member states, the supervisory
authority of the member state where the organization
has its main establishment takes the role of “lead
supervisory authority.” The lead authority coordinates
the case, but the supervisory authorities of the other
member states concerned may still be involved.
• A national supervisory authority is competent on its own
to handle a complaint made to it, or a possible
infringement of the regulation, where the issue relates
only to an establishment in that member state or
substantially affects data subjects in that member state
only.
Those in financial services operating in different EU
countries should pay attention to other member states’
regulations as their pronouncements can be quite specific.
• Banks should accept the data in identity papers as
authentic and not require photocopies for further
verification.
• Banks should not process data on the criminal
background of prospective customers in order to
conclude loan agreements.
• After a negative credit score, customers must
specifically consent to the processing of their data.
Finally, it is worth noting that under the new rules, there is no
longer a requirement for a data controller to register with a
data protection regulator for basic data handling. However,
where data processing activities would result in a high risk
in the absence of measures taken by the organization as
data controller to mitigate the risk, organizations will be
required to perform a “data protection impact assessment”
and, if the risk cannot be mitigated, to consult a data
protection regulator. Under the 1995 directive,
organizations can voluntarily carry out a privacy impact
assessment in order to identify, understand and address
any privacy issues that might arise when developing new
products and services, or doing any other new activities
that involve the processing of personal data. Under the
GDPR, this process has been redefined and will be
mandatory in certain circumstances. It will work as follows:
• First, organizations will have to conduct a data
protection impact assessment before proceeding with
“risky” personal data processing activities in order to
consider the likelihood and severity of the risks—more
specifically, these are activities which present “high
risks for the rights and freedoms of individuals.”
• Second, if the organization in question cannot find
ways to mitigate those risks, then the organization
must consult with a data protection regulator to try to
find remedies to deal with these risks.
UNDERSTANDING THE NEW PENALTIES
There are three material differences in the new data
world. First, there has been a significant increase in the
amount of personal data held by organizations, including
sensitive personal data about employment, home life
and health. Second, there have been many serious data
security breaches; hardly a week goes by without a report
of another major breach. Third, regulators are realizing the
dangers in the modern mobile world.
Many breaches occur outside the office environment with
lost or stolen laptops, papers or devices left on trains
or other public spaces and inadequate security training
for modern ways of working, including telecommuting.
Regulators are also becoming increasingly concerned
about lax cybersecurity, as cyberattacks are now a fact of
life, and regulators expect organizations to put up proper
defenses or face the consequences.
Under the new rules, data protection regulators have
the power to impose higher fines for infringement. Fines
are tiered according to the category of infringement: up
to €10 million or 2% of total worldwide annual revenue for
the lower tier, and up to €20 million or 4% of total worldwide
annual revenue for the upper tier (in each case, whichever
is greater).
For example, one organization received a fine of £250,000
from a UK regulator in 2013 for failing to prevent a
cyberattack. Based on its 2014 revenue, that company
could be fined up to £198 million under the new rules.
Because the GDPR abolishes the general registration
requirement (and the fee that went with it), fines may
become a more important source of income for data
protection regulators.
WHERE DOES IT APPLY?
The new law applies not only to organizations located
within the 28 member states of the EU, but also to
businesses geographically situated outside the EU in
cases where:
• A business processes the personal data of EU residents
and offers them goods and services, irrespective of
whether payment is required; or
• Where the processing by a business relates to the
monitoring of the behavior of EU residents insofar as
their behavior takes place within the EU.
For example, a US online payments processor—with all its
offices in the US—that handles the data of EU residents
can be investigated, fined and even prosecuted by an
EU regulator. This applies not only to EU residents, but
also to any natural person who is a data subject within a
European Union member state.
Determining whether an organization based outside the
EU is affected may prove challenging. Under the new rules,
the fact that a company’s website or its email address is
accessible in the EU will not be enough. However, other
factors—such as the use of a language or a currency
generally used in one or more EU member states—may be
enough to indicate that an organization is offering goods
or services to people in the EU and therefore bring it within
scope. Additionally, an organization located outside the
EU must have a representative in the EU if it falls within
the new rules, even if the business does not have an EU
presence already. The changes here are far-reaching,
and EU regulators may find it a challenge to enforce this
aspect of the rules in practice.
NEW RIGHTS
The GDPR introduces a number of new rights, including
the right to portability (transmitting personal data from
one data controller to another freely) and the right not
to be subject to a decision based solely on automated
processing, including profiling (i.e., using data to evaluate
personal aspects about an individual, such as analyzing or
predicting their economic situation, health or performance
at work).
There is also a statutory right to be forgotten, which is the
right to have personal data erased “without undue delay”
based on certain grounds—for example, where data is
no longer necessary for the purposes for which it was
collected or otherwise processed.
Any organization that fails to remove personal data “without
undue delay” following a request to do so faces penalties
of up to €20 million or 4% of its global revenue (whichever
is greater). Again, financial services businesses might
have particular issues, especially where their obligations
to hold onto data for regulatory purposes conflict with an
individual’s right to request its deletion.
Companies will need more stringent data deletion policies
and to be far more organized when handling data deletion
requests. We have seen an increase in people exercising
their data protection rights in the past year or so, and
ignoring a data deletion request could be a very costly
mistake. Part of the solution for large organizations will
include the ability to manage data across its device estate
to ensure rapid response and, if necessary, deletion.
Under the new rules, subject access requests will have
to be answered within one month of receipt of the
request, with the potential to extend two further months.
For example, under a pension scheme, the trustees are
considered to be data controllers. The trustees should
put in place a clear procedure and guidelines to deal with
subject access requests. Under a subject access request,
individuals have a right to access information about only
themselves, meaning that any information given to an
individual should be redacted to remove information about
third parties. Responding to a subject access request
can often be challenging, and the shorter deadline will
force trustees to adapt their procedures and guidelines
accordingly.
THE IMPLICATIONS OF BYOD AND WORKING REMOTELY
As well as the law changing, modern working practices
create their own issues. BYOD (bring your own device) and
working remotely increase the risks for an organization;
even if an employee works from home or from his or her
own device, the company will still be responsible for
securing personal data.
For the majority of organizations, working practices have
changed for good, and the idea of a mobile or remote
workforce is commonplace. It is essential that policies
and training be implemented that require employees
to work in a more secure way. This could include the
provision of better technology (such as secure internet
tunnels) and better steps to protect mobile devices. More
and more companies are moving to mobile devices and
working remotely. One organization revealed that all their
employees work from laptops and that if all of them were
present at the workplace at the same time, there would
be seating for only 40% of them. If an employee’s tablet
containing the details of 100,000 customers goes missing,
there could be heavy sanctions if the organization is unable
to remotely disable and/or wipe the device. Remote data
and device security software can also prevent an errant
employee from stealing or losing valuable company data.
CHANGING ORGANIZATIONAL RESPONSIBILITIES
The new rules say:
“With regard to the state of the art and the costs
of implementation and taking into account
the nature, scope, context and purposes of
the processing as well as the risk of varying
likelihood and severity for the rights and
freedoms of individuals, the controller and the
processor shall implement appropriate technical
and organizational measures, to ensure a level of
security appropriate to the risk.”
So, what does this actually mean? In simple terms, the new
rules oblige an organization to have security measures
proportional to the risks. After a data breach, it will be hard
to escape scrutiny—how will an organization be able to
credibly say that it took appropriate security measures
after a breach proves those measures to be insufficient?
A detailed analysis will need to be done on the risks faced,
with particular sets of data and the technology available to
reduce those risks. On a practical level, every organization
will have to do this on a regular basis; risks change, with
new forms of attack cropping up almost every day. At the
same time, new technological solutions may reduce some
of these risks.
REPORTING DATA BREACHES
A personal data breach means “a breach of security leading
to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed.” Under the
GDPR, data breaches take on greater importance, because
a breach puts the data subject’s rights and freedoms at risk,
including the right to decide who may hold and use their
personal data. Any data breach is, by its very nature, in
conflict with the purpose of the rights guaranteed to
individuals in the EU and contrary to the spirit and letter
of the GDPR.
The new rules also contain two specific data breach
regulatory requirements.
First, breaches will have to be reported against set criteria
to a data protection regulator without delay and “where
feasible” no later than 72 hours after a data controller
has become aware of the breach, unless “the personal
data breach is unlikely to result in a risk for the rights and
freedoms of individuals.”
This puts huge pressure on companies. If employees lose
their smartphones containing customer details during a
week’s vacation, then they are unlikely to tell the company
until they return to the office (if at all). This means that
there will be cases where a data breach occurred but
went unreported within the mandated 72-hour period,
making privacy class actions more likely. A failure to report
a breach in time will increase the likelihood of a successful
civil action by the victims.
Reporting a breach will invite scrutiny of whether the
organization met its security obligation to have “a level of
security appropriate to the risk.”
This obligation puts the onus squarely on the organization;
a company cannot simply pass the responsibility to its
employees or vendors for data loss. For example, if a
device is lost, stolen or hacked, the company, not the end
user, will be held accountable for any data that’s at risk.
Second, the breach must be communicated without
undue delay to the person whose data has been breached,
if the breach is likely to result in a high risk to their rights
and freedoms. Exceptions to this communication obligation
also apply, for example, where the affected data was
protected by measures such as encryption that render it
unintelligible to anyone not authorized to access it.
This means that if an employee loses a laptop that has
100,000 unprotected customer records stored on it, the
company is obliged to inform every customer that their
data has been compromised. The legal consequences
could be considerable, and the brand damage, litigation
and media reporting of an incident would all be significant.
However, if the company has technology in place that
prevents this data from being accessed by an unauthorized
user, it may avert the disaster.
In terms of data security, organizations now face
significant challenges:
• Tough reporting requirements;
• Greater responsibility to keep data secure; and
• Heavier fines.
Technology that prevents a data breach from occurring
could be all that stands between a company and the
wrong end of the law.
Best practices for the logistics involved in reporting a breach
should be started as soon as possible. Under the GDPR,
you may have to inform data protection regulators as well
as concerned individuals. Financial services businesses
are likely to have additional reporting obligations after a
breach—even if personal data was not compromised. You
might have to report in multiple languages on different
forms prescribed by each regulator. Legal advice will
be very important, especially in the first 24 hours after
the breach. You will also need good legal agreements in
place to ensure that vendors cooperate and that they
have enough financial incentive to help you. The logistics
around handling a data breach are complicated, and the
more you do now to make sure you have the information
you need to report a breach, the better.
DATA PROTECTION OFFICER APPOINTMENTS
Another important feature of the new rules is that
organizations may need to have a data protection officer
(DPO) to deal with data protection compliance issues. This
is required “where the core activities of the data controller
or the processor consist of processing operations which,
by virtue of their nature, scope and/or purposes, require
regular and systematic monitoring of people’s data
on a large scale.” It is also required when there is “core
activity processing on a large scale of special categories
of personal data,” namely those revealing racial or ethnic
origin; political opinions; religious or philosophical beliefs;
trade union membership; and the processing of genetic
and biometric data in order to uniquely identify a person or
data concerning health or sex life and sexual orientation.
These special categories of data can be processed only
under certain strict conditions, such as when consent has
been given.
The DPO must be independent in the performance of tasks
and report directly to the highest level of management.
NEW OPPORTUNITIES
The new EU rules may also bring opportunities for some
parts of the financial services sector, such as insurance.
The new rules are stricter, which should mean that the
cyber insurance market will find opportunities for growth
as financial institutions seek risk mitigation.
Additionally, some insurers have avoided cyber insurance
as they felt that sufficient metrics were not available
for them to price their premiums. The greater reporting
obligations of the GDPR should allow for more data to
help with this. While the US cyber insurance market has
grown significantly over the years, the EU market has not
grown so fast. These new laws may kick-start the London
insurance market, in particular, and the introduction of
new cyber insurance products.
NEXT STEPS
We know that the new data protection regime brings
considerable responsibility and sanctions for companies
that handle data. Financial services businesses have
more risk than most; the responsibilities are so great that
it is important to get the correct advice and to act now. So,
what should you do? Best practices that can be followed
in order to prepare your organization include:
1. Thoroughly review vendor contracts. Vendors’ help
will be needed, especially in reporting security breaches
very quickly. Organizations should make sure they have
the contractual rights to insist on this, and they should
make sure they can hold their vendors to account.
2. Prepare to update everything and ensure new detailed
documentation and records are ready for regulatory
inspection; factor this into overhead costs.
3. Review key practical aspects, from data retention,
destruction, etc. to all means of collecting data used by
the organization.
4. Ensure that new aspects such as explicit consent, the
right to be forgotten and the right not to be subject to
decisions based solely on automated processing,
including profiling, are included in policies and procedures.
5. Put in place a data breach notification procedure,
including detection and response capabilities; also
consider purchasing special insurance.
6. If applicable, appoint a DPO.
7. Put in place a data protection impact assessment
policy/procedure.
8. Create compliance statements for annual business
reports.
9. Train staff on all of the above.
10. Set up and undertake regular compliance audits in
order to identify and rectify issues.
There are considerable challenges in complying with
the new rules. It will take some time to implement the
necessary policies and infrastructure, and there will
inevitably be some uncertainties. What is certain is that
organizations must act now to ensure their compliance.
DISCLAIMER: The information in this white paper is provided for informational
purposes only. The materials are general in nature; they are not
offered as advice on a particular matter and should not be relied on
as such. Use of this white paper does not constitute a legal contract
or consulting relationship between Absolute and any person or
entity. Although every reasonable effort is made to present current
and accurate information, Absolute makes no guarantees of any kind.
Absolute reserves the right to change the content of this white paper
at any time without prior notice. Absolute is not responsible for any
third-party material that can be accessed through this white paper.
The materials contained in this white paper are the copyrighted
property of Absolute unless a separate copyright notice is placed
on the material.
ABSOLUTE FOR GDPR COMPLIANCE
GDPR compliance starts with visibility across
every endpoint to ensure data protection for any
personally identifiable information (PII). Learn how
to improve your GDPR compliance with endpoint
visibility and control.
© 2018 Absolute. All rights reserved. Absolute and Persistence are registered trademarks of Absolute. Self-healing Endpoint Security is a trademark of Absolute. All other trademarks are property of their respective owners. ABT-GDPR-What-Financial-Orgs-Everywhere-Need-to-Know-WP-E-053118
ABOUT ABSOLUTE
Absolute provides visibility and resilience for every endpoint with self-healing endpoint security and always-
connected IT asset management to protect devices, data, applications and users — on and off the network. Bridging
the gap between security and IT operations, only Absolute gives enterprises visibility they can act on to protect every
endpoint, remediate vulnerabilities, and ensure compliance in the face of insider and external threats. Absolute’s
patented Persistence technology is already embedded in the firmware of PC and mobile devices and trusted by
over 15,000 customers worldwide.
EMAIL: [email protected]
SALES: absolute.com/request-info
PHONE: North America: 1-877-660-2289; EMEA: +44-118-902-2000
WEBSITE: absolute.com