GDPR & finance: Security, progress & 10 steps to compliance

Original posted on FinTECHTalents on 6 April 2021

The following is the first in a six part part series on GDPR & Financial Services from Keepabl.

Keepabl will review how Finance is doing against GDPR now, so you can benchmark your firm’s performance. And, over the following five blog posts, we’ll lead you through 10 Steps to GDPR Compliance to give your firm a competitive advantage!

Where is finance on GDPR?

TL;DR: Finance is taking GDPR seriously but isn’t as compliant as it thinks it is.

We’ve pulled together some great insights for you on GDPR and Finance, starting with risk and reporting.

Accenture’s 2020 Privacy Study found that 70% of Financial firms recognise Privacy as a key material risk.  50% also identified ‘privacy risk monitoring as a key residual risk, highlighting the need for capabilities commensurate with privacy’s status as a material risk’.

This recognition of the risk involved, and ongoing monitoring required, has resulted in a massively increased need for clear reporting on Privacy Governance to the highest levels. Cisco’s 2021 Data Privacy Benchmark Study confirmed that 93% of organisations across industry sectors report on Privacy metrics to the Board.

While you’re considering how good your firm’s Privacy reporting really is, it’s worth recapping just why Privacy (or more correctly, Data Protection) has become such a key risk area for Compliance and Boards in Finance.

GDPR confirmed data protection as a board-level risk

The EU General Data Protection Regulation, or GDPR, came into force on 25 May 2018, and significantly changed the Privacy landscape for Financial Services, and indeed every industry.

The four key changes that raised Privacy to the Board-level risk register were:

• Increased fines. Before GDPR, there was perhaps a view in Finance that fines for data protection breaches were so low that compliance was not a complete necessity and that fines were unlikely and, at worst, a cost of doing business. GDPR radically changed this calculation by introducing maximum fines for non-compliance of €20m or 4% of global turnover, whichever is higher.
• Liability extended to processors. Before GDPR, EU data protection laws only applied to controllers – and many in Finance see themselves as processors. GDPR imposes key obligations such as Security, and fines, on processors (as well as confirming that controllers cannot off-load their compliance and liability to processors).
• Territorial scope extended. The territorial scope of pre-GDPR data protection laws in the EU was confusing and, arguably, limited. GDPR’s reach is clear and greatly extended, clearly capturing Finance players in the US and other key markets.
• New breach reporting. GDPR introduced an obligation on every controller to notify any breach to regulators within just 72 hours, unless it was unlikely to result in a risk to the rights and freedoms of data subjects. As well as increased publicity, this has led to increased regulatory interest in broader Privacy Governance measures.

We’re all aware, from sadly regular media reports, of high-impact data breaches resulting in risk for individuals and PR damage, business interruption and the new, significant, regulatory fines for firms. So let’s look at some good news in Security.

Finance, GDPR & security

According to the DCMS study from August 2020, Impact of the GDPR on Cyber Security Outcomes, Financial Services was the only industry declaring 100% of improvements in their CyberSecurity in the last three years ‘were a result of the GDPR, at least to a small extent’.

GDPR has clearly had a huge impact on Security in Finance, which makes sense as:

• Security is one of GDPR’s Seven Principles,
• GDPR imposes a positive obligation to put in place appropriate technical and operational measures to secure personal data, and
• Finance is over-weight in terms of reporting personal data breaches to the UK ICO, which reflects business interruption, regulatory risk and possible damage to customer relationships.

Why security is 1 of GDPR’s seven principles – and crucial for compliance globally

GDPR is a principles-based law.  Keeping personal data secure is perhaps the most fundamental of those Seven Principles: you can’t have data protection without good security.

These data protection principles have been in international legal structures for decades, importantly in the Council of Europe’s Convention for the protection of individuals with regard to automatic processing of personal data, usually referred to as Convention 108.

When it opened for signature in 1981, Convention 108 was the first legally-binding international instrument on data protection, requiring signatories to pass implementing laws.

Don’t be misled by the ‘Council of Europe’ part, the Convention is open to any country and, at the time of writing, 55 states have ratified Convention 108, from Austria to Uruguay.

The 2018 update of the Convention is known as Convention 108+ and renamed the Convention the Convention for the protection of individuals with regard to the processing of personal data. At the time of writing, 43 states have signed Convention 108+.

Security is the focus of Article 7 of Convention 108 an Convention 108+, which are reflected in GDPR’s 6th principle, which states that personal data must be:

‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

Is it working?

Despite all the positives from CyberSecurity improvements, ‘Finance, insurance & credit’ was the third biggest source of personal data breaches reported to the UK ICO in Q3, 2020.

To put this in context:

• ‘Finance, insurance & credit’ accounts for 12% of all personal data breaches reported to the UK ICO, yet ‘Finance and Insurance’ comprises just 2.3% of VAT or PAYE registered enterprises in the UK according to ONS data.
• Only Health (17%) and ‘Education & childcare’ (13%) report more breaches.
• Compare the number of breaches reported by Finance with ‘General Business’ (4%), Central Government (3%), ‘Transport & Leisure’ (3%) and ‘Online Technology & Telecoms’ (2%).

There’s obviously a myriad of interpretations, factors and reasons behind these figures.  Perhaps it’s because Finance has a concentration of valuable information?  Or that Finance has a more sophisticated compliance culture?

Culture & security

It’s worth remembering that GDPR is not all about Security, which is only one of its seven Principles. Indeed:

• Only 39% of personal data breaches reported to the UK ICO in that period by ‘Finance, insurance & credit’ were CyberSecurity Incidents,
• 61% were down to non-cyber incidents such as showing personal data to the wrong person.

Again, the comparison with other industries is interesting.  Across the board, CyberSecurity Incidents accounted for 28% of personal data breaches reported to the UK ICO, compared to 39% for Finance.

There’s clearly a need for broad Privacy Governance, not just on Security. Though whatever the reasons, Finance has clearly been right to see GDPR as a reason to improve CyberSecurity – and Privacy as a key material risk.

Key takeaways on security

• Financial Services will be subject to GDPR-style Security obligations under data protection laws not just in the EEA, but around the globe.
• Security is fundamental to, but not solely determinative of, Privacy compliance.

How GDPR-compliant is Finance?

With that context, let’s turn to the big question – just how compliant is Finance with GDPR?

While we can draw certain conclusions from the figures we reviewed above, statistics on compliance overall are sparse. So PwC Luxembourg’s surveys on GDPR and Finance Industry in Luxembourg in December 2018 and January 2020 offer valuable insights.

According to PwC’s 2020 survey, while 70% of Financial Services respondents in Luxembourg said they’d implemented most of GDPR’s requirements (compared to 52% in 2018), for example only 12% had enforced retention periods in their IT systems, 50% had not mitigated risks for data subjects and 33% hadn’t completed their Data Protection Impact Assessments, or DPIAs, which are the basis for estimating and remediating areas of likely high risk under GDPR.

This suggests that the 70% figure is perhaps a little bullish.

A very different figure – although not focussed on Finance – was published by Capgemini in 2019, again as a re-run of an earlier survey:

Capgemini ran a cross-industry survey of over 1,000 organisations before GDPR took effect, asking if they’d be compliant with GDPR in June 2018, the month after it took effect. A pleasing 78% said they would be.

However, when Capgemini ran the same survey for June 2019, a full year after GDPR took effect, the results showed just how overconfident respondents had been. Only 28% claimed to be GDPR-compliant. The figures were surprisingly consistent across geographies. What happened to the other 72%?

How to reap the benefits of GDPR?

The benefits of GDPR compliance are now clear for all to see. For example, Capgemini’s study revealed that a whopping 81% of respondents who declared themselves compliant reported positive impacts on reputation and image.

While much of the activity may at first feel defensive in nature, GDPR compliance has been shown to deliver many positive benefits. As well as an average 1.9X ROI on privacy spend, Cisco’s study confirmed that two-thirds of respondents reported significant benefit in each of these six areas, all areas Finance are discussing at present in fields such as digitisation, challenger banks, and digital identity:

1. reducing sales delays,
2. mitigating losses from data breaches,
3. enabling innovation,
4. achieving operational efficiency,
5. building trust with customers, and
6. making their company more attractive.

10 Steps to GDPR compliance

In the next five blogs, we’ll be taking you through 10 Steps to GDPR Compliance, dealing with two Steps per post. By the end of the series, you’ll have a clear framework for judging how you’re doing against GDPR, and achieving compliant Privacy Governance at your firm.

Watch out for the second post in this series, where we’ll deal with:

• Step 1 – Key People
  Step 2 – BenchMarking your GDPR Readiness

You can also see an overview in our short Privacy Kitchen video, taking you through the 10 Steps in less than 9 minutes.