GDPR Impact on Financial Services Institutions
In the last blog in this series, we examined financial institutions’ readiness for the upcoming General Data Protection Regulation (GDPR). In today’s blog, we’ll discuss more of the details and why financial institutions around the globe need a cross-organisational focus on GDPR compliance. Let’s examine some of the key elements of the regulation that are of interest to financial services institutions — from data breach notification and right-to-be-forgotten requests to managing external vendor requirements.
GDPR — a Significant Shift
The GDPR “was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy.” GDPR represents a significant shift in privacy requirements governing how financial services institutions and other organisations manage and protect personal data, largely due to the extended jurisdiction stated in the definition — ALL EU CITIZENS.
GDPR applies to all companies processing the personal data of data subjects residing in the European Union, regardless of where the company is located, how it gathers, stores, or secures that personal data, or how it processes and uses it. While this regulation was approved by the EU Parliament on 14 April 2016, the end of the transition period is fast approaching — 25 May 2018.
Data Breach Notification Requirement
One fundamental change that GDPR compliance will bring to financial institutions is the requirement that data breaches be reported within a 72-hour period. Discovering a breach, determining who it has affected, how wide it is, and how it happened, all within 72 hours, takes a coordinated effort across the organisation. Historically, during the critical time immediately following a breach, financial institutions have been largely focused on remediating the damage caused by the breach. Adherence to GDPR’s reporting mandate will therefore require transparency and coordination across the entire organisation: infrastructure architects, information security officers, legal, marketing — essentially all employees, senior management, and investors. To put this piece of the regulation in perspective, last year, according to Ponemon Research, the mean time to identify a breach (MTTI) was 191 days and the mean time to contain one (MTTC) was 66 days.
Right to Be Forgotten
Because GDPR is ultimately about empowering EU citizens with the right to data privacy, GDPR gives consumers the right to request access to, or the removal of, their own personal data from financial institutions without the need for any outside authorisation. These requests are known as “data portability” and allow financial institutions to keep some data if it is necessary to ensure compliance with other regulations; but if there is no valid justification, the individual’s right to be forgotten applies. The reality is that financial institutions are often burdened with disconnected silos of data, making the data management practices needed to honour the “right to be forgotten” difficult to achieve without transparency and coordination across the organisation.
Data Processors and Controllers — Cloud Service Providers (CSPs)
Financial institutions choosing a CSP must ensure that these providers have safeguards and security measures in place that meet the GDPR standards in order to remain compliant. Data is the lifeblood of every financial institution, and that data may be shared across applications; while some may be housed internally, some may be outsourced to vendors. It is the responsibility of the financial institution to have clear processes and procedures in place across its own organisation and for all external vendors handling its customer data.
GDPR — Consequences
Financial institutions must comply or face significant fines of up to 4% of annual global turnover or €20 million, whichever is greater. Failure to comply could mean significant regulatory enforcement actions, reputational damage, and a loss of customer trust.
The key for financial institutions is to approach GDPR holistically, with a future-proof capability that is flexible enough to deliver on any new regulatory data requirement, whether ad hoc or scheduled. A holistic approach provides the visibility necessary to establish a clear understanding of the personal data they hold and the ability to react quickly to requests to destroy data across the organisation when it no longer has a purpose.
Learn More at Appian World
To hear more about compliance and the GDPR challenge, make sure you register for Appian World 2018. There, you’ll meet many of our customers in financial services and they can tell you how the Appian low-code development platform provides powerful case management and intelligent automation — including Robotic Process Automation (RPA) and Artificial Intelligence (AI) — required for digital transformation success.