January 04, 2019
Transparency and culture change in finance are crucial for data compliance
Recent high-profile reports about alleged data breaches involving FTSE 100 companies have added to the ongoing concerns about the safety of personal data from identity theft, cyber-attacks, hacking or unethical usage. These data breaches have been particularly pertinent as the principles of the European Union’s General Data Protection Regulation (GDPR) become better understood and companies in all industry sectors continue to try to get to grips with its implications.
The GDPR is the biggest change to data protection law in two decades, but many businesses – large and small – are still not fully compliant, as shown by the fact that just 44% of large organisations had assigned a data compliance officer in time for the GDPR’s implementation in May 2018 while, for small firms, this number dropped to 17%.
Evidence collected for Shred-it’s State of the Industry report, which was compiled using data that had been independently collected by IPSOS, suggested that while most of the public focus was around data capture for marketing emails and the opt-in process for website cookies, firms were struggling even more with the behind-the-scenes work around administering the GDPR.
The GDPR has posed specific challenges for the financial sector because of the vast quantity and types of data they are entrusted with – all of which represents high value for hackers. Financial services companies have had to increase their staff and invest in new technology but, in general, they have done well in ensuring compliance, thanks in no small part to the fact they have always had to be aware of the importance of data security. However, the financial implications remain, with compliance for UK banks believed to have run to an average of £66 million, the highest investment of any industry sector, according to Sia Partners.
However, they remain in a tough position: they not only have a huge obligation to protect their consumers but must also comply with several other provisions designed to protect people generally. In addition, the data they hold isn’t always easy to access, as it could be stored on a host of legacy systems which simply weren’t designed to talk to each other.
They are also required to gather extremely personal information; as well as knowing what customers spend and where, there are also stringent requirements designed to clamp down on fraud and money laundering. This wealth of data has driven the need for additional personalised services but the downside is that, under the GDPR, managing consent and how customers control their information has become even more of a hazard.
Financial services companies must also improve their records of how that data has been destroyed, because accountability is just as important under GDPR compliance as the control of data. However, this could be good news, as it should lead to more efficient and more secure storage, processing and destruction processes. The business benefits of this are clear: it necessitates total transparency within companies, as well as persuading the more traditional banks to replace their disparate IT systems with more joined-up digital technology. However, the question remains: can all financial institutions honestly say that they are ready for this level of scrutiny?