Last week I chaired a seminar jointly organised by the Worshipful Company of Marketors and the Financial Services Forum at Cass Business School on the impact of the EU General Data Protection Regulation (GDPR) on the financial services sector.
On the panel (L-R) were Martin Hickley, a data governance, protection and privacy specialist; Hazel Grant, partner and head of privacy and information law at Fieldfisher LLP; myself; Jenny Moseley, director and co-founder of Opt-4; and Chris Wood, head of business compliance in the UK for HSBC.
The journey of the GDPR to the present day has been a long and at times controversial one. In January 2012, the European Commission (EC) issued a proposal for a European-wide data protection reform.
In March 2014, a first reading of a draft bill went through the European Parliament and a second version was voted on by the Council of Ministers, in effect creating two drafts of the same Regulation with significant differences between them. The Council of Ministers declared that nothing is agreed until everything is agreed.
To date, these drafts have had more amendments than any previous body of EU regulation and, given the priority that EC President Jean-Claude Juncker has placed on gaining consent on this landmark regulation, many believe that the GDPR will be agreed by all parties by the middle of 2015.
Although differences remain, the feeling among the panel was that the financial services sector can’t adopt a ‘wait and see’ approach in the vain hope it will go away. It won’t.
Data protection and the security of data is perhaps the biggest issue facing the sector from a business continuity perspective, because getting this badly wrong opens the door to punitive fines of up to five percent of global turnover or €100m.
To underline how vulnerable large organisations are to becoming the victim of a data breach on a grand scale, just 30 minutes before the seminar began, both Facebook and Instagram were hacked by Lizard Squad, resulting in a ‘denial of service attack’ – denied by Facebook.
Either way, 1.6bn users of the social network couldn’t access their accounts for over half an hour. Lizard Squad and other hackers like them represent a continuing threat to the data that financial services firms hold on servers that can be infiltrated by those who are determined to carry out such attacks.
Under the new GDPR, data protection authorities (DPAs) will ‘hold hands’ and in doing so provide a so-called one-stop shop for complainants of financial services firms, irrespective of where the issue took place within the EU.
The GDPR will effectively replace the former Data Protection Directive 95/46/EC as well as make the existing Data Protection Act 1998 redundant by bringing in a European-wide approach to data protection and security that moves away from the patchwork approach that exists at present. It also places equal legal responsibilities on data processors and data controllers with respect to the transfer and use of data.
A proposed ‘data protection seal’ will notify consumers that the financial services firm complies with the supervisory authority and can transfer data to third parties on a lawful basis in the hope that consumers will be reassured about the higher standards of data protection that such a firm complies with.
The obligation to report breaches – however small – will be the responsibility of the Data Protection Officer (DPO) who will work independently within a large financial services organisation and the reporting of such breaches is likely to be done within 24 hours.
Some of the concerns among the panel of data protection experts were around slippage in the timetable to introduce the GDPR, and that delays had created a false sense of comfort for senior executives who may not appreciate the threat to business continuity that the GDPR actually represents.
The issue of customer consent was also widely discussed and it’s clear that many banks are re-wiring their approach from the position of protecting the customer as the paramount principle in how they manage their business.
Under the new EU Regulation, financial services firms must obtain consent and this must be freely given for a specific purpose rather than for some blanket purpose. However, there’s still some argument between lawyers as to whether implied consent is a dead duck – and some lawyers feel that implied consent in certain circumstances will still be lawful under the GDPR.
A major cause for a data breach can be identified as human error and clearly the issue of education and training will be core to the way in which this risk within financial services can be reduced.
However, there was a recognition, particularly with junior staff, that such a risk could never be 100% eradicated, leaving fines and sanctions as a real possibility under the GDPR. Typical human error includes the failure to encrypt data, a lack of privacy policies and even misdirected communications, whether post, fax or email.
As well as fines, DPAs like to ‘name and shame’ those firms that have fallen below the standards expected of them and the reputation damage to the brand in such cases could easily outstrip the financial penalties imposed. For example, the French authorities recently forced Google to publish details on non-compliance on its home page for 48 hours. Google complained but lost its case in the courts.
Article originally published here.