The leading knowledge platform for the financial technology industry
The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

GDPR One Year On

Share article

By Nick Murphy, Associate Director, GDPR Integrated Technology and Solution, 3 Lines of Defence Consulting.

A lot was written about GDPR in the press and a lot was discussed prior to go-live last year, including at the A-Team Group RegTech Insight conferences. Now just into its second year, we ask: how successful is the regulation in protecting the PII data it was designed for? And are you sure that you comply with the law?

Our findings, as a specialist GDPR consulting firm, mirror what the Information Commissioner Office (ICO) has previously highlighted, namely that many companies that say they have a GDPR framework in place, on further investigation, still have gaps and failings within their processes.

We have found whilst most have a privacy policy in place, they often lack adequate staff awareness, Cyber security, processes to support the rights of the individual and ineffectively manage their vendors -and therein lies the danger: risks of fines and data breaches.   Think of the privacy policy as the roof on the house. You don’t build a house with just a roof. You need the foundations, walls and infrastructure to create the house!

GDPR fines and breaches

We have all read in the press how Google was hit. This created headline news. Due to this, people are now more aware of GDPR and their data rights. In fact complaints to the regulators are now nearing 200,000 and data breach reports are just under 100,000. The ICO will be increasing its focus and issuing fines to smaller companies.

Focus will increase on the sharing of data through online marketing and distribution of data to third parties – even if for valid business reasons.

We have charted some of the data recently published (see Chart 1) – it makes interesting reading:

Reported incidents generating the by far the greatest level of complaint are incorrect disclosure of data and data security breaches.

Interestingly, inaccurate data and failed SARs are not that high. This is maybe due to the fact that these have not yet generated the expected level of interest with customers.

Breaking this down by industry type it is not a surprise that the major culprits in data breaches are the Education Sector and the Health Sector.

However, Financial Services is the next largest – which is worrying given the amount of spend that has gone into data and data regulations across this sector over the last few years. Quite clearly more still needs to be done here, and quickly!

Key points to consider going forward

Awareness and Understanding: Can you guarantee that your staff are fully compliant and fully informed of their responsibilities towards GDPR? If you work for a large organisation there maybe a sound GDPR process in place but at branch level can you know that this is being implemented. It is imperative that staff understand that if they are processing peoples data that they have specific responsibilities. Responsibilities that carry weight with the ICO. Again, during our training sessions this was an area where we found most lacking in organisations.

What Data is Held: Do you know what data you hold, where you got it and where it is?  It may sound simple, but this is often something firms have not really thought about.   You need to work this out, removing data you do not need. The ICO will expect you to know this and have supporting processes documented.

Beware of Breaches. Data breaches are manifold, ranging from mishandling of mailing lists through to mis- use of CCTV footage. By example, in a recent discussion we found a company whose cleaners disposed of documents, containing unshredded client data, into clear bin bags and placed them on the street. A vigilant police officer saw them and raised a serious complaint to the company. This could have lead to a data breach being reported.  Be very aware.

Ongoing compliance: Compliance is an ongoing process, not a one-off exercise. Think about when you take on new employees, or change your service offerings. All need to be incorporated within your GDPR framework; training, impact assessments, privacy policy changes etc. – and this all requires time and effort. It’s essential to “fire test” your processes and procedures so that if you have a data request or a suspected breach you know “when, how, who, and what” you need to do.

Data Security: GDPR is just one element of the wider IT security remit that you need to adopt. Remember if a laptop or mobile device is lost that contains personal data, as defined by GDPR, and is not protected and/or encrypted, then this is a data breach. You would need to inform all contacts that their data has been lost – could you do that? Using email encryption when sending personal data is also a good safeguard.

New regulations: GDPR is a living regulation and open to changes and modifications as it grows. Stay informed. Monitor blogs and the ICO for advance notice.

The new regulation e-Privacy 2019 and SMCR come in at the later part of this year.

E-Privacy will focus on electronic communications of personal data: emails, social media, etc. Your policies will need to be amended to support this.

SMCR also has a GDPR connection and impact, senior managers will be responsible for their companies actions – and that includes data breaches!

In summary

Ensure you at least meet the minimum standards, stay focused, stay up to date and stay vigilant. GDPR is here to stay, even after Brexit, and will only grow.

Remember that personal data is not going to be safe just because you have a policy and switch to black bin bags.  It is now time for you to look again at what you have in place, what you are doing with the data and consider if you need a “top up” to your processes.

Data breaches continue to increase – don’t let it happen to you.

Leave a comment

Your email address will not be published. Required fields are marked *

*

Related content

WEBINAR

Upcoming Webinar: Last minute preparations for SFTR: What still needs to be done and are we ready?

Date: 5 March 2020 Time: 10:00am ET / 3:00pm London / 4:00pm CET The regulation clock is ticking. Financial firms, especially those subject to Phase I of implementation, are well aware of the impending April 2020 deadline for the Securities Financing Transactions Regulation. The question is, are they ready? Tactical, i.e painful, approaches to compliance...

BLOG

Developing Smart Analytics – Firms Seek a New Approach to Business Partnership

Enhanced analytics – or better decision-making information – are one of the key goals of data transformation. However, it is a goal that financial services firms continue to struggle to achieve. Panellists at the recent A-Team Group Data Management Summit in New York City discussed challenges the industry faces and potential approaches to getting analytics...

EVENT

Data Management Summit New York City

Now in its 9th year, the Data Management Summit (DMS) in NYC explores the shift to the new world where data is redefining the operating model and firms are seeking to unlock value via data transformation projects for enterprise gain and competitive edge.

GUIDE

Regulatory Data Handbook 2019/2020 – Seventh Edition

Welcome to A-Team Group’s best read handbook, the Regulatory Data Handbook, which is now in its seventh edition and continues to grow in terms of the number of regulations covered, the detail of each regulation and the impact that all the rules and regulations will have on data and data management at your institution. This...