As data protection breaches have become daily headline news and everyone becomes increasingly sensitive about privacy, the regulatory regime is getting tougher. Data protection laws in Europe are more important than ever before – especially as the implementation deadline of the General Data Protection Regulation (GDPR) looms.
Regulators are subsequently increasingly concerned about the way in which financial services organizations hold and manage data – particularly where the actions of a financial services organization could expose customers to identity theft. But according to a new study by Veritas Technologies, just 2% of organizations are GDPR compliant today, with less than a year to go before full compliance will be required in May 2018.
GDPR: radical changes
The overall aim of GDPR is to make privacy laws fit the needs of the 21st century. There is major emphasis on enforcement as the new regime has increased penalties for breaches, with fines of up to 4 percent of a corporation’s annual global turnover. In addition, it introduces mandatory data breach reporting requirements similar to those that exist in most US States, but with a requirement to report a breach usually within 72 hours.
To describe the new rules as an update or a refinement in the current data protection regime is not accurate. This is not a fine-tuning of the law; a far more fundamental change is taking place. The new rules are much more detailed, demanding and onerous. GDPR is a recognition that there is a political impetus in having new and tougher laws. Many in Europe care much more about data – and especially data breaches – than they did 20 years ago.
Achieving the 72 hour reporting window
To have a realistic chance of reporting a breach in 72 hours (under the new rules) it would be necessary for a security vendor to advise of the breach within 24 hours. The primary responsibility to report a security breach will be on the data controller but most of the breaches we see are the responsibility of a vendor. Firms will need a contractual obligation to make sure the vendor tells them in time so that they can deal with their reporting obligations. Even when you know of a breach you still have work to do to get it into the right format to make a report.
As a vulnerable sector, financial services will have to take special care to put in place adequate policies, procedures and training to ensure breaches are reported within the 72-hour period. Bear in mind that as well as reporting a breach to data protection regulators they may also need to tell financial services regulators, other financial services companies (for example because of contractual requirements you have agreed to) as well as the individuals affected.
The need for a DPO
Another important result of the new rules is that organizations may need to have a data protection officer (DPO) to deal with data protection compliance issues.
In the past, some organizations have not applied enough rigor in their approach to data protection. A few people may have had some training within the company but it’s now likely that organizations will feel obliged to appoint a properly trained DPO. The appointment of a good DPO will be useful when dealing with data breach issues and ensuring that an organization takes a proportionate view of its risk to keep its customers and reputation safe. The DPO should be independent in the performance of their tasks and report directly to the highest level of management.
We know that the new data protection regime will bring considerable responsibility and sanctions for companies that handle data, and financial services businesses are more at risk than most. As such, there will be considerable challenges to comply with the new rules and it will take some time to implement the necessary policies and infrastructure. What is certain today is organizations must start now in order to be properly compliant when the new rules are in place.
The information in this blog post is provided for informational purposes only. The materials are general in nature; they are not offered as advice on a particular matter and should not be relied on as such. Use of this post does not constitute a legal contract or consulting relationship between Absolute and any person or entity. Although every reasonable effort is made to present current and accurate information, Absolute makes no guarantees of any kind. Absolute reserves the right to change the content of this post at any time without prior notice. Absolute is not responsible for any third party material that can be accessed through this post. The materials contained in this blog post are the copyrighted property of Absolute unless a separate copyright notice is placed on the material.