Why Is GDPR Not Compliance As Usual for the Financial Services Sector?
For the financial services sector, few things are new under the regulatory sun. While the acronym has barely left the lips of privacy and information security professionals outside of financial services for at least six months (and potentially longer), GDPR joins dozens if not hundreds of existing regulations that IT and information security teams at global financial organizations are required to meet.
GDPR, while the most comprehensive privacy protection regulation to date, is hardly the first mandate enacted for ensuring data protection. So, it is hardly surprising that many financial organizations initially framed GDPR as a regulation that sets an information security bar for other industries that the financial services sector has been held to for years.
However, the GDPR is not simply another regulation to add to the list. What characterizes the new regulation – among other things – is its focus not only on protecting information but specifically on protecting privacy.
Security Controls and Privacy Constraints
Protecting privacy is not the same as protecting data. The available technology tools were developed to address security problems, and the compliance mandates built around them focused on the implementation of controls. Privacy requirements center on understanding whose data it is, in order to ensure that any operations on, and access to, the data are consistent with considerations like consent and legitimate business interest.
Privacy protection is not regulatory compliance as usual for a number of substantive reasons:
1. Subject Access Rights – The data subject (for example, the customer) is now entitled to a record of all the information held about them, and at any given time they may request to review, amend or delete it.
2. Record of Processing Activities – Organizations are required to report at any time how they use private information in their business processes, how they were given consent to collect the information, and what the purpose of using the information is.
3. Breach Response Notification – In case of a data breach, a report must be made to the data protection authorities within 72 hours and shortly after that to the affected persons.
Information protection tools can indicate where private information is stored (at some level of accuracy) but cannot tell whom the information belongs to or what it is used for. In order to protect not only information but also privacy, you must know whose the information is and what it is used for:
• If a customer wants to be deleted – how do you know where their information is held in order to delete it?
• If your database is compromised – how do you know who has been impacted to notify them? Having no choice, you will have to inform all your customers, at a huge price with lingering consequences.
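The two questions above, worked through as an added example that is not BigID's code or part of the original post: a classification-only scan can list which stores contain personal data, but only an index that links each record back to a data subject can answer an erasure request or scope a breach notification. All stores, records, identifiers and the `email` join key below are constructed sample data, not a real inventory.

```python
"""Toy data-subject index (added example, not BigID's product code).

Contrasts a location-only PII scan with a subject-aware index that can
answer: "where is this person's data?" (erasure / access request) and
"whose data was in this store?" (breach notification).  Every store,
record and identifier here is constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: three data stores of the kind named in the article
# (a database table, a file share export, an old backup), each holding rows
# with a direct identifier (e-mail) and other personal-data fields.
STORES = {
    "crm_db.customers": [
        {"email": "ana@example.test", "name": "Ana", "iban": "XX00 1234"},
        {"email": "ben@example.test", "name": "Ben", "iban": "XX00 5678"},
    ],
    "fileshare/onboarding_2016.csv": [
        {"email": "ana@example.test", "passport": "P1"},
    ],
    "backup/2019-q4.tar": [
        {"email": "ben@example.test", "phone": "+1 555 0101"},
        {"email": "cat@example.test", "phone": "+1 555 0102"},
        {"phone": "+1 555 0103"},   # no identifier: cannot be linked to a subject
    ],
}

# Field names treated as personal data (constructed list).
PII_FIELDS = {"name", "iban", "passport", "phone", "email"}


def stores_with_pii(stores):
    """What a classification-only scan can tell you: which locations hold
    personal data at all.  It says nothing about whose data it is."""
    return sorted(name for name, rows in stores.items()
                  if any(PII_FIELDS & row.keys() for row in rows))


class SubjectIndex:
    """Maps each data subject (keyed by a direct identifier such as e-mail)
    to every store and field holding data about that subject, and each
    store to the set of subjects it contains."""

    def __init__(self, stores, key="email"):
        self.by_subject = defaultdict(list)   # subject -> [(store, field), ...]
        self.by_store = defaultdict(set)      # store   -> {subject, ...}
        self.unlinked = []                    # (store, row index) with no key
        for store, rows in stores.items():
            for i, row in enumerate(rows):
                subject = row.get(key)
                if subject is None:
                    # Personal data that cannot be attributed to anyone is
                    # exactly the gap the article describes; record it for review.
                    self.unlinked.append((store, i))
                    continue
                self.by_store[store].add(subject)
                for field in row:
                    if field in PII_FIELDS and field != key:
                        self.by_subject[subject].append((store, field))

    def locations_for(self, subject):
        """Erasure or access request: everywhere this person's data is held."""
        return sorted(self.by_subject.get(subject, []))

    def affected_by(self, store):
        """Breach notification: the people to notify if this store is compromised,
        instead of notifying every customer."""
        return sorted(self.by_store.get(store, set()))


if __name__ == "__main__":
    idx = SubjectIndex(STORES)
    print("stores holding PII:", stores_with_pii(STORES))
    print("ana's data lives in:", idx.locations_for("ana@example.test"))
    print("backup breach affects:", idx.affected_by("backup/2019-q4.tar"))
    print("records nobody can be notified about:", idx.unlinked)
```

The `unlinked` list is the practical point: a row that carries personal data but no identifier shows up in the scan's "stores with PII" answer, yet neither an erasure request nor a breach notification can be resolved for it, which is the case that forces the "notify everyone" fallback described above.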
Data as far as the eye can see
In the nearly 100 years of modern financial sector operations, vast amounts of information have been collected and retained by various clients, businesses, and business partners. Some of it might sit in a warehouse in the desert, or on a backup server, but the ability to collect and process data is outpacing the capability to delete it – or even to apply retention policies.
The data is stored in databases, file servers, and Big Data systems, with little centralized governance of why the information is being collected, whom it belongs to, and what it is used for. How can we now report on the legality of the use of the information if it is not monitored or controlled?
Of course, financial services firms have invested heavily in understanding their structured data. But the rate at which structured data is becoming unstructured because of any number of transformations is unprecedented.
The regulatory environment of financial organizations makes data deletion a complex process, as many regulations dictate different and sometimes contradictory restrictions on the preservation of information.
Privacy Tools For Privacy Needs
The complexity of the financial environment, the lack of appropriate tools, and the complacency of some organizations have left many financial organizations less than optimally prepared for the GDPR. Some of the largest financial organizations in the world have had to deal with the new demands of GDPR using manual processes, Excel spreadsheets, and PowerPoint.
Now that the deadline is behind them and data subject access requests are beginning to pile up, many organizations realize that GDPR requires an automated set of processes. The challenge for organizations is now to find ways to automate manual processes based on the information they maintain and more in-depth insights into the data.
At BigID, we identified the need for purpose-built tools to protect private information and privacy from the outset. At the heart of the technology lies the ability not only to find and map private information in all types of data sources, but also to know whom the information belongs to, to operationalize data subject rights, to accurately report on data breaches, and to document the record of processing activities. Among our clients are some of the largest organizations in the world, who understood very early on the real challenges in privacy protection and the need for technological tools to solve them.