EU GDPR: The Why and How for Financial Services
EU GDPR: The Why and How for Financial Services

As data protection breaches have become daily headline news and everyone becomes increasingly sensitive about privacy, the regulatory regime is getting tougher. Data protection laws in Europe are more important than ever before – especially as the implementation deadline of the EU General Data Protection Regulation (GDPR) looms.

Regulators are subsequently increasingly concerned about the way in which financial services organizations hold and manage data – particularly where the actions of a financial services organization could expose customers to identity theft. But according to a new study by Veritas Technologies, just 2% of organizations are GDPR compliant today, with less than a year to go before full compliance will be required in May 2018.

EU GDPR: radical changes

The overall aim of GDPR is to make privacy laws fit the needs of the 21st century. There is major emphasis on enforcement as the new regime has increased penalties for breaches, with fines of up to 4 percent of a corporation’s annual global turnover. In addition, it introduces mandatory data breach reporting requirements similar to those that exist in most US States, but with a requirement to report a breach usually within 72 hours.

To describe the new rules as an update or a refinement in the current data protection regime is not accurate. This is not a fine-tuning of the law; a far more fundamental change is taking place. The new rules are much more detailed, demanding and onerous. GDPR is a recognition that there is a political impetus in having new and tougher laws. Many in Europe care much more about data – and especially data breaches – than they did 20 years ago.

Achieving the 72 hour reporting window

To have a realistic chance of reporting a breach in 72 hours (under the new rules) it would be necessary for a security vendor to advise of the breach within 24 hours. The primary responsibility to report a security breach will be on the data controller but most of the breaches we see are the responsibility of a vendor. Firms will need a contractual obligation to make sure the vendor tells them in time so that they can deal with their reporting obligations. Even when you know of a breach you still have work to do to get it into the right format to make a report.

As a vulnerable sector, financial services will have to take special care to put in place adequate policies, procedures and training to ensure breaches are reported within the 72-hour period. Bear in mind that as well as reporting a breach to data protection regulators they may also need to tell financial services regulators, other financial services companies (for example because of contractual requirements you have agreed to) as well as the individuals affected.

The need for a DPO

Another important result of the new rules is that organizations may need to have a data protection officer (DPO) to deal with data protection compliance issues.

In the past, some organizations have not applied enough rigor in their approach to data protection. A few people may have had some training within the company but it’s now likely that organizations will feel obliged to appoint a properly trained DPO. The appointment of a good DPO will be useful when dealing with data breach issues and ensuring that an organization takes a proportionate view of its risk to keep its customers and reputation safe. The DPO should be independent in the performance of their tasks and report directly to the highest level of management.

We know that the new data protection regime will bring considerable responsibility and sanctions for companies that handle data, and financial services businesses are more at risk than most. As such, there will be considerable challenges to comply with the new rules and it will take some time to implement the necessary policies and infrastructure. What is certain today is organizations must start now in order to be properly compliant when the new rules are in place.


Richard Henderson
Richard Henderson is global security strategist at Absolute Software where he is responsible for spotting trends, watching industries and creating ideas. He has nearly two decades of experience and involvement in the global hacker community. He is a researcher and regular presenter at conferences, and skilled electronics hacker. He was one of the first researchers in the world to defeat Apple's TouchID fingerprint sensor on the iPhone 5S. Richard was a technical editor of a book on IoT Security: RIoT Control: Understanding and Managing Risks and the Internet of Things. He is currently co-authoring the second edition of Cybersecurity for Industrial Control Systems.