Ian Osborne, Vice President UK & Ireland for Shred-it, discusses the challenges the finance industry faces to ensure compliance with new legislation.
The European Union’s General Data Protection Regulation (GDPR) is the biggest change to data protection law in two decades, and although it’s now more than half a year since it came into force, it’s still too early to say what its overall impact will be. This is partly because heightened awareness of the GDPR around the world is already having an impact on overseas regulations, as other regimes respond to consumer demand for better data protection laws. It’s also because we’re still waiting for test cases to show how EU regulators will interpret GDPR when it comes to handing out fines.
Mostly, however, it’s because many businesses were poorly prepared for GDPR to come into effect, despite the fact that they were given two years to ready themselves. Shred-it’s latest State of the Industry report, which is compiled using data that has been independently collected by IPSOS, found that only a minority of firms could be said to be ready for the GDPR’s implementation in May. Evidence suggests that while much of the public focus has been around data capture for marketing emails and the opt-in process for website cookies, it’s in the kind of behind-the-scenes work around administering GDPR that firms have struggled with the most.
This is highlighted by the fact that just 44 per cent of large organisations had assigned a data compliance officer, in accordance with GDPR, and for small firms this number dropped to 17 per cent.
Likewise, only 39 per cent of large companies and 15 per cent of small businesses had updated their procedures for detecting, reporting and investigating data breaches.
GDPR Compliance in the financial sector
In general, the financial services world has done well in ensuring compliance with the GDPR. Certainly, as far as data security goes, banks and other service providers have long been aware of the importance of security. Some challenges still seem almost insurmountable – credit card numbers still go missing via third parties, for example, as with the recent breach at British Airways. But as a rule financial services are ahead of the game when it comes to protecting data “using appropriate technical or organisational measures”.
But beyond data security, GDPR does still pose significant challenges for the world of finance. Banks, inevitably, have access to the most sensitive of a customer’s data – what they spent and when. Furthermore, they are obliged to gather yet more extremely personal information, thanks to stringent Know Your Customer requirements designed to clamp down on fraud and money laundering. That wealth of data has driven innovation, giving critical insights for product development and ever more personalised services. Under GDPR, it’s vital that oversight is tightened up, and that proper processes are in place to manage consent and customer control over this information.
Handling sensitive financial data in an effective manner
The onus, then, is on financial services companies to improve not just the way they handle data, but the records they keep about the way data has been handled or destroyed. Being able to demonstrate accountability is a key part of compliance, according to national regulators who will be responsible for enforcing GDPR. This will require a combination of technical measures, as well as tough internal processes that provide total transparency into the data protection regime within a company. That means developing explicit control mechanisms, staff training and regular policy reviews, for a start.
The good news, as Accenture points out, is that compliance with GDPR could have business benefits as organisations become better aware of the data that they are responsible for, leading to more efficient – as well as more secure – storage, processing and destruction. Furthermore, there are firms out there with the expertise required to help the financial industry understand, protect and manage the confidential data it handles every day.
But this level of accountability is an ongoing process and will often require an institution-wide culture change. It can only be achieved by creating the right kinds of checks and processes and embedding them into the heart of operations. Can all financial institutions honestly say that they are ready for this level of scrutiny yet?
To learn more about the current state of play in the security and compliance industries, read our Information Security Report.
Ian Osborne, Vice President of the UK and Ireland for Shred-it, a Stericycle solution
An experienced leader of B2B services companies, Ian is responsible for managing all of Shred-it’s solutions and has worked in senior management roles across the healthcare and retail sectors, while also focussing more recently on compliance and resilience. Prior to joining Stericycle, Ian was managing director of a division of PHS, a workplace services business, and spent more than 15 years with the company.