Originally posted on FinTECHTalents on 6 April 2021
The following is the first in a six-part series on GDPR & Financial Services from Keepabl.
Keepabl will review how Finance is doing against GDPR now, so you can benchmark your firm’s performance. And, over the following five blog posts, we’ll lead you through 10 Steps to GDPR Compliance to give your firm a competitive advantage!
TL;DR: Finance is taking GDPR seriously but isn’t as compliant as it thinks it is.
We’ve pulled together some great insights for you on GDPR and Finance, starting with risk and reporting.
Accenture’s 2020 Privacy Study found that 70% of Financial firms recognise Privacy as a key material risk. 50% also identified ‘privacy risk monitoring as a key residual risk, highlighting the need for capabilities commensurate with privacy’s status as a material risk’.
This recognition of the risk involved, and ongoing monitoring required, has resulted in a massively increased need for clear reporting on Privacy Governance to the highest levels. Cisco’s 2021 Data Privacy Benchmark Study confirmed that 93% of organisations across industry sectors report on Privacy metrics to the Board.
While you’re considering how good your firm’s Privacy reporting really is, it’s worth recapping just why Privacy (or more correctly, Data Protection) has become such a key risk area for Compliance and Boards in Finance.
The EU General Data Protection Regulation, or GDPR, came into force on 25 May 2018, and significantly changed the Privacy landscape for Financial Services, and indeed every industry.
The four key changes that raised Privacy to the Board-level risk register were:
We’re all aware, from sadly regular media reports, of high-impact data breaches resulting in risk for individuals and PR damage, business interruption and the new, significant, regulatory fines for firms. So let’s look at some good news in Security.
According to the DCMS study from August 2020, Impact of the GDPR on Cyber Security Outcomes, Financial Services was the only industry declaring 100% of improvements in their CyberSecurity in the last three years ‘were a result of the GDPR, at least to a small extent’.
GDPR has clearly had a huge impact on Security in Finance, which makes sense as:
GDPR is a principles-based law. Keeping personal data secure is perhaps the most fundamental of those Seven Principles: you can’t have data protection without good security.
These data protection principles have been in international legal structures for decades, importantly in the Council of Europe’s Convention for the protection of individuals with regard to automatic processing of personal data, usually referred to as Convention 108.
When it opened for signature in 1981, Convention 108 was the first legally-binding international instrument on data protection, requiring signatories to pass implementing laws.
Don’t be misled by the ‘Council of Europe’ part: the Convention is open to any country and, at the time of writing, 55 states have ratified Convention 108, from Austria to Uruguay.
The 2018 update of the Convention is known as Convention 108+ and renamed it the Convention for the protection of individuals with regard to the processing of personal data. At the time of writing, 43 states have signed Convention 108+.
Security is the focus of Article 7 of Convention 108 and Convention 108+, which is reflected in GDPR’s sixth principle, which states that personal data must be:
‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’
Despite all the positives from CyberSecurity improvements, ‘Finance, insurance & credit’ was the third biggest source of personal data breaches reported to the UK ICO in Q3, 2020.
To put this in context:
There’s obviously a myriad of interpretations, factors and reasons behind these figures. Perhaps it’s because Finance has a concentration of valuable information? Or that Finance has a more sophisticated compliance culture?
It’s worth remembering that GDPR is not all about Security, which is only one of its seven Principles. Indeed:
Again, the comparison with other industries is interesting. Across the board, CyberSecurity Incidents accounted for 28% of personal data breaches reported to the UK ICO, compared to 39% for Finance.
There’s clearly a need for broad Privacy Governance, not just on Security. Though whatever the reasons, Finance has clearly been right to see GDPR as a reason to improve CyberSecurity – and Privacy as a key material risk.
With that context, let’s turn to the big question – just how compliant is Finance with GDPR?
While we can draw certain conclusions from the figures we reviewed above, statistics on compliance overall are sparse. So PwC Luxembourg’s surveys on GDPR and Finance Industry in Luxembourg in December 2018 and January 2020 offer valuable insights.
According to PwC’s 2020 survey, while 70% of Financial Services respondents in Luxembourg said they’d implemented most of GDPR’s requirements (compared to 52% in 2018), only 12%, for example, had enforced retention periods in their IT systems, 50% had not mitigated risks for data subjects and 33% hadn’t completed their Data Protection Impact Assessments, or DPIAs, which are the basis for estimating and remediating areas of likely high risk under GDPR.
This suggests that the 70% figure is perhaps a little bullish.
A very different figure – although not focussed on Finance – was published by Capgemini in 2019, again as a re-run of an earlier survey:
Capgemini ran a cross-industry survey of over 1,000 organisations before GDPR took effect, asking if they’d be compliant with GDPR in June 2018, the month after it took effect. A pleasing 78% said they would be.
However, when Capgemini ran the same survey for June 2019, a full year after GDPR took effect, the results showed just how overconfident respondents had been. Only 28% claimed to be GDPR-compliant. The figures were surprisingly consistent across geographies. What happened to the other 72%?
The benefits of GDPR compliance are now clear for all to see. For example, Capgemini’s study revealed that a whopping 81% of respondents who declared themselves compliant reported positive impacts on reputation and image.
While much of the activity may at first feel defensive in nature, GDPR compliance has been shown to deliver many positive benefits. As well as an average 1.9X ROI on privacy spend, Cisco’s study confirmed that two-thirds of respondents reported significant benefit in each of these six areas, all areas Finance is discussing at present in fields such as digitisation, challenger banks, and digital identity:
In the next five blogs, we’ll be taking you through 10 Steps to GDPR Compliance, dealing with two Steps per post. By the end of the series, you’ll have a clear framework for judging how you’re doing against GDPR, and achieving compliant Privacy Governance at your firm.
Watch out for the second post in this series, where we’ll deal with:
You can also see an overview in our short Privacy Kitchen video, taking you through the 10 Steps in less than 9 minutes.
In a very welcome speech on 12 September 2018 to the CBI Cyber Security: Business Insight Conference, James Dipple-Johnstone (ICO Deputy Commissioner, Operations) summarised the UK ICO’s approach to security under GDPR and…