The financial industry may be touched by a regulation coming out of the European Union. It's called the General Data Protection Regulation (GDPR), and the main focus is protecting the data of EU citizens. If your organization has EU citizens as customers, this legislation pertains to you. With fines in the millions of euros, the regulation goes into effect this year on May 28.
The looming deadline has many organizations asking which aspects of GDPR they should focus on to avoid compliance violations. The first step is recognising that GDPR applies to every business or organization handling the personal data of anyone in the EU, regardless of whether the data processing takes place inside the EU or not.
There are three important ways the regulation may affect your financial institution. The best practices for GDPR compliance at banks and credit unions that conclude this post are meant to help you build a plan of action.
Third-Party Vendor Management
It’s common for financial institutions to have products, services, and support function arrangements with third-party vendors. As a result, external vendors pass client data through multiple IT applications that could leave it exposed to theft in a number of ways.
One way that GDPR ensures client data protection is by imposing end-to-end accountability in the form of compliance enforcement on third-party support functions. This is in addition to those imposed on primary financial institutions. The result is that non-EU organizations that share data with EU banks or that serve EU citizens should comply with the regulation as well.
Under the terms of GDPR, personal data refers to anything that could identify an individual, such as name, email address, IP address, social media profiles, or social security numbers. The mandate calls for financial organizations to gain explicit consent from customers for all gathered personal data.
The regulations specifically prohibit automatic opt-in scenarios common with secondary services, such as credit card offers. Also, in the consent system, firms must clearly outline the purpose for data collection and seek additional consent to share the information with third parties. This can add another layer of data verification, security, and encryption for your financial institution.
Digital Identity Protection
While financial institutions routinely deal with encryption for sensitive data in transit and at rest, GDPR also calls for digital identity protection, also known as pseudonymization. This is a different kind of protection from conventional encryption: it replaces the identifying parts of personal data with unique artificial identifiers, or pseudonyms.
The purpose is to decouple the “personal” aspects of personal data so that, within a limited context, the records appear anonymous. By substituting artificial identifiers for personally identifiable information (PII), access to the real identities stays within the ‘need-to-know’ obligations, while the separately held mapping allows re-identification only where it is required.
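The pseudonymization described above, as an added illustration that is not code from the original post: a keyed HMAC (rather than a bare hash, which an attacker could match against a dictionary of candidate values such as all possible social security numbers) turns each identifying field into a stable token, and the token-to-value table is held apart from the pseudonymized records so only need-to-know staff can re-identify. The `Pseudonymizer` class, its key and the sample record are all constructed for this example.

```python
import hashlib
import hmac
import secrets


class Pseudonymizer:
    """Replace direct identifiers with keyed pseudonyms.

    The re-identification table (_lookup) must live under separate access
    control from the pseudonymized records; here it is an in-memory dict
    purely for illustration (constructed example, not a library API).
    """

    def __init__(self, key: bytes):
        self._key = key          # secret; without it tokens cannot be reproduced
        self._lookup = {}        # token -> original value, need-to-know only

    def pseudonymize(self, field: str, value: str) -> str:
        # Field name is mixed into the message so the same string used in two
        # different fields does not yield the same token.
        msg = f"{field}:{value}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = f"{field}-{tag[:16]}"   # stable: same key + value -> same token
        self._lookup[token] = value
        return token

    def reidentify(self, token: str) -> str:
        """Reverse a token; only callable by the holder of the lookup table."""
        return self._lookup[token]

    def pseudonymize_record(self, record: dict, identifying: set) -> dict:
        """Return a copy of record with every field in `identifying` replaced."""
        return {
            k: (self.pseudonymize(k, v) if k in identifying else v)
            for k, v in record.items()
        }


def demo():
    # Constructed sample customer record; balance is not an identifier.
    key = secrets.token_bytes(32)
    p = Pseudonymizer(key)
    record = {"name": "Jane Example", "email": "jane@example.com", "balance": 1250.0}
    out = p.pseudonymize_record(record, {"name", "email"})
    return p, record, out


if __name__ == "__main__":
    p, record, out = demo()
    print(out)
    print(p.reidentify(out["name"]))
```

Because tokens are deterministic under one key, pseudonymized records can still be joined across systems; rotating the key breaks that linkage, which is itself a useful control when a dataset leaves the need-to-know boundary.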
GDPR Compliance Best Practices for the Financial Services Industry
Given the wide reach of the GDPR legislation, the use of best practices in GDPR compliance for financial institutions is the ideal place to start. These best practices will be the guide for any needed IT system or network modifications/new additions, such as data loss prevention systems. They ultimately serve as the foundation for embedding a holistic privacy design into all aspects of your institution’s operation.
The first step on the GDPR journey is understanding the extent to which your financial institution and your customers will be affected by the compliance changes. This can quickly be determined by answering one question: Do you currently have EU citizens as clients of your financial organization? If the answer is no, then your exposure to GDPR regulation will be negligible. If your answer is yes, then you may want to consider a few things:
- Check your social media and see whether you have controls for addressing EU customers. There is some risk in posting information about EU customers.
- Make sure there is no content in your social posts or announcements that conflicts with the GDPR requirements on client consent and digital identity protection.
Auditing and consulting experts can provide your organization with specific insights about which applications process personal data and how you can evaluate potential risk. This accomplishes important goals that are foundational to GDPR compliance:
- Clarifying whether your organization has any EU citizens that use your services
- Identifying the data being stored and processed on EU citizens
- Understanding the associated risks of PII data access vulnerabilities within applications as well as on-premise and cloud IT infrastructure
- Outlining and implementing measures that can mitigate the risks of PII data exposure whether at rest or in transit
Even though the May 25 deadline is coming up fast, many organizations aren’t sure they are prepared to meet the requirements of GDPR compliance for financial institutions. It may help to know that the likelihood of an event triggering a GDPR fine is relatively low at this time. Yet there can be many controls to consider and a high degree of complexity in creating and implementing a plan of action to address GDPR regulation.
Many organizations will benefit from partnering with a managed service provider (MSP) that has an established track record of success serving the financial industry and is up-to-date on the latest regulations and the compliance news on the horizon. Your MSP team should include members who hold certifications such as CPA, Certified Information Systems Auditor (CISA), or other similar applicable certifications (CISSP, CISM, etc.).
By providing a team of IT professionals familiar with the Financial sector, DataComm serves as an extension of your organization. This takes the burden off of your organization by providing the means to evaluate options and implement a plan that ensures regulatory compliance and data security in an evolving regulatory world.
Financial institutions remain an attractive target for cybercriminals. Learn how to keep your customer data safe.