How Financial Institutions Can Deal with GDPR
A variety of technologies and services can help financial firms achieve compliance with the new data regulation.
By Mike Chapple, assistant professor of computer applications at the University of Notre Dame | October 30, 2018
The European Union’s General Data Protection Regulation, which went into effect earlier this year, may pose a major compliance challenge for financial institutions. Some banks, credit unions and other financial services firms may have a leg up on other businesses, as they have to deal with similar compliance demands from other regulations, but the additional weight of GDPR still poses a significant burden for these organizations.
As financial institutions undertake their GDPR compliance efforts, they may take advantage of a wide range of technology controls, third-party services and policy revisions designed to help them achieve compliance. One primary consideration that firms must keep in mind is that GDPR is not primarily a technology issue. Rather, GDPR requires that organizations think carefully about the policies and business processes that surround the handling of personal information.
What Key Technologies Can Help Financial Organizations Handle the Requirements of GDPR?
While financial institutions should approach GDPR as a business problem, several technologies can play a crucial role in achieving and maintaining GDPR compliance. These tools automate the routine work of compliance and serve as tracking tools to help the firm monitor its ongoing compliance efforts.
Electronic discovery tools have traditionally assisted organizations in identifying and preserving information that is subject to legal disclosure requirements. They comb through diverse information sources and perform keyword matches to discover hidden troves of information locked away on a desktop or server, in an email account or uploaded to a cloud service. These tools can also be used for GDPR tasks, helping an organization identify stores of personally identifiable information (PII) as it builds a data inventory. After locating information with a data discovery tool, business leaders may then map the flow of information throughout the organization and decide to either purge it or obtain appropriate consent. These tools may also play an important role in finding references to an individual who has requested access to information or is exercising his or her right to be forgotten under GDPR.
Advanced threat monitoring and protection tools also help to enhance an organization’s security posture by building profiles of normal activity and then detecting deviations from those behaviors. The use of these tools boosts the level of insight into security activities and assists with the breach detection and response provisions of GDPR.
GDPR compliance frameworks are designed for the specific purpose of storing and tracking compliance-related information. They monitor the user consent process and track compliance activities throughout the customer lifecycle. Compliance frameworks replace the manual tracking that many organizations currently perform in spreadsheets with an auditable solution that provides external auditors with the confidence that the organization is carefully managing GDPR compliance.
Subject access request portals also provide a boost to GDPR compliance efforts by offering a single interface to receive, track and respond both to requests for information and to a consumer’s exercise of his or her rights over personal information. These portals track the full lifecycle of consumer requests and help the organization respond within legally mandated timeframes.
These are just a few of the technologies that can assist organizations in complying with GDPR. Organizations may also draw upon a wide range of existing tools to improve the security of their data processing environments. These include encryption for data at rest and in transit, as well as enhancing the security of workspaces, data centers and networks.
What Services Can Third Parties Offer to Help?
As financial institutions move to implement GDPR-compliant practices, providers have stepped up to offer services that assist with compliance efforts. In addition to compliance frameworks and subject access request portals, many firms offer GDPR compliance services to help organizations review their obligations and implement compliant business processes.
Law firms play a pivotal role in compliance efforts, helping financial institutions review their practices in the context of GDPR. Attorneys may also review compliance policies and ensure that an organization takes a standardized approach to compliance. They can also help sort out the precedence of overlapping privacy regulations from different jurisdictions.
In addition to turning to service providers for legal help, organizations may fill the data protection officer (DPO) role with a contractor, an arrangement that GDPR expressly permits. In cases where an organization fills the DPO role with a contractor, it must disclose the details of the arrangement to its supervisory authority.
In all cases, organizations must remember that they are themselves the data controllers and processors subject to GDPR. They may delegate the authority to act on their behalf in privacy matters, but they cannot delegate the accountability and responsibility for GDPR compliance. When firms engage third-party service providers, they remain liable for any failure to comply with the law’s provisions.
What Policies Should Financial Organizations Consider Implementing or Changing?
As a regulation that focuses on business processes, GDPR often requires that organizations adjust their existing policies or adopt new policies related to personal privacy. These include provisions around the design and implementation of systems and processes as well as employee training and awareness efforts.
One of the guiding principles of GDPR is that data processors should adopt approaches that incorporate privacy practices “by design and default.” Privacy by design simply means that privacy should be a foundation of any system or business process. Designers should use the technical and administrative controls at their disposal to build privacy requirements into their designs from an early stage. For example, designs should embrace the principle of minimization to reduce the amount of personal information collected and retained by an organization.
Privacy by default means that organizations should adopt practices that assume individuals will want to preserve the privacy of their information. This principle applies to the amount of information that a firm collects, the types of processing it performs, the length of time it retains data and the access it allows to personal information. Institutions must design systems that, by default, do not make private information accessible to the public without the subject’s specific approval.
The requirements of GDPR have an impact on the daily routines of employees throughout an organization. Financial firms should adopt training and awareness policies requiring that anyone who comes in contact with PII receive recurring reminders of their responsibilities and the organization’s privacy practices.
Before creating new privacy policies specifically for GDPR, financial institutions should examine the policies put in place for compliance with the Sarbanes-Oxley Act of 2002 (SOX) and the Payment Card Industry Data Security Standard (PCI DSS). Those policies may already cover many of the organization’s GDPR obligations, and it may be sufficient to tweak those policies to fill any remaining gaps.
To learn more about the impact GDPR will have on financial institutions, read the CDW white paper “Financial Institutions and GDPR: What You Need to Know.”