Preparing for GDPR: What the Financial Services Industry Should Know

Businesses around the globe are becoming increasingly data driven. This, in large part, has to do with the expectation of customization across the user experience. Financial institutions, for example, have been able to use customer data and customization to offer tailored services to their customers, such as loans or insurance, based on recent purchases or financial history.

However, consumers are now being encouraged to re-take control of their own personal data. The new emphasis being placed on individual rights to data is clearly demonstrated by the General Data Protection Regulations (GDPR) that will be implemented across the European Union on May 25^th, 2018.

GDPR promises to affect all businesses that operate within the E.U., regardless of where they are based. However, given the amount of personal data collected and processed by the financial services industry, including credit card numbers, financial records, and other personally identifiable information, it’s safe to say that regulators will be especially strict when enforcing financial services GDPR compliance.

Gartner predicts that 50 percent of businesses affected by the GDPR will not be in full compliance by the time the regulations take effect. With less than a year until GDPR is put into motion, the financial services industry must focus its attention on transitioning data collection, processing, and security protocols to meet compliance. This means understanding individual data rights as well as data collection and processing accountability, and implementing required protective measures.

What is GDPR?

In addition to standardizing the data processing regulations for international businesses throughout the E.U., GDPR seeks to put individuals back in charge of their data. Residents of the E.U. have the ability to dictate how their data is handled under several new stipulations.

First and foremost, under GDPR, individuals must actively give consent for companies to process their data. Pre-ticked boxes, silence, or inactivity is not considered sufficient for compliance. Rather, users must explicitly give permission for each data processing operation, and have the ability to withdraw consent at any time.

Users also now have the right to request access to their data and confirm how it’s being used. Moreover, under the data portability stipulation, consumers can transfer this data to reuse across organizations and services. In this case, organizations must have the technical ability to send this information to a specific user in a machine-readable format.

In addition to consumers now having greater freedom to access data and broad rights to use it for their own purposes, they can now also request its deletion under the Right to Be Forgotten. In this case, users can request to have data erased, or prevent its processing, when they withdraw consent, or if the data is no longer necessary for the purpose for which it was originally collected.

Awareness of Data Locations and Usages

To comply with the individual rights provisions under GDPR, financial services providers must ensure they have high visibility into every instance of user data, how it is used, for what purpose, and by whom, and to meet user requests regarding the use or deletion of their data in a reasonable amount of time. Additionally, organizations must ensure they are only collecting the minimum amount of data required for the consented purposes, and will have to implement a system by which to manage where and whenever consent has been given and withdrawn. To avoid penalties and liabilities, financial institutions will need to keep strict track of their data inventory, and prove that they have removed data no longer necessary to core functions in order to minimize risks. 

Technical and Operational Requirements

Aside from the ability to quickly find, transfer or remove data, organizations are expected to implement data protection by “design and default.” This means that security and accountability must be a core focus from the outset of all data monitoring and collection programs. Compliance accountability rests on data controllers, authorities that determine the purposes and means for data collection, and data processors, who process data on behalf of the controller. Regulators make it clear that controllers and processors are expected to perform regular risk assessments and updates to compliance-necessary infrastructure as new threats emerge, thus sustaining “state-of-the-art defenses.”

While network security and visibility are necessary for keeping track of data movement, it will also be increasingly important for intrusion detection and mitigation. GDPR requires that organizations report qualifying data breaches to authorities and individuals within 72 hours of detection. This only provides minimal time to perform necessary tasks such as incident response, forensics, and containment. As it becomes more difficult to prevent all threats at all times, early detection and mitigation will be key in minimizing lost data and breach expenses, as well as avoiding compliance failure.

Failure to demonstrate that an organization has made a sincere effort to comply with GDPR on all technical and operational fronts can result in enormous fines. GDPR mandates fines of €10 million, or 2 percent of worldwide annual turnover, whichever is higher, for lesser infringements such as not notifying authorities of a breach, or not conducting an impact assessment. Severe infringements, such as lack of consent to process data or other violations of privacy rights can result in fines of €20 million, or 4 percent of global turnover, whichever is higher.

Updating Technical Abilities for Compliance

Financial services firms need to be able to comply with these rights through the implementation of technical and operational infrastructure that meets compliance at both controller and processor levels.

While compliance with GDPR will require many changes in business operations, it also means developing the technical skills and resources needed to deal with data privacy. Fortinet offers comprehensive network security that provides deep visibility into data movement across your network, without compromising speed or the accuracy of data requests.

The Fortinet Security Fabric couples this visibility into data movement across the cloud, the edge and core of the network, IoT and user-based endpoints, and applications with powerful security automation that prevents known and unknown threats and decreases breach detection and response times. In addition to faster breach detection, internal segmentation prevents one successful intrusion from compromising the data of your entire network.

Additionally, the fabric provides broad automated protections against known malicious code, and leverages the extensive threat intelligence provided by FortiGuard Labs to detect and block previously unknown iterations of malicious code. This includes the use of sandboxing to execute suspected malicious code in a virtual environment before it can access your network. Real-time updates to signatures and threat intelligence assist in these efforts by ensuring data protection by design and default.

Final Thoughts

As we get closer to the implementation of GDPR, financial institutions must understand how their data inventory affects the rights of individual users, and implement consent and data visibility operations to ensure compliance. While the adoption of new technology will not be enough to fully comply with GDPR, network security solutions that can evolve with the growing threat landscape, and facilitate data visibility, will provide ease of data management, broad visibility across your complex ecosystems of networks, and the protection capabilities expected by regulators to minimize risk of non-compliance.

Let’s get a conversation going on Twitter! What steps are you taking to prepare for GDPR