Written by Steve Inglessis, Commercial Director at DataRaze
The financial services industry is under increasing pressure regarding compliance and is facing a three-pronged assault from the General Data Protection Regulation (GDPR), the Markets in Financial Instruments Directive (MiFID II) and the EU’s incoming Payment Services Directive (PSD2).
It is not surprising therefore that many businesses are falling behind on data security.
While the trio of regulations all present challenges, GDPR is, at the moment, the biggest concern. Statistics from Gartner suggest that as many as 50% of companies affected by the regulation are still not in full compliance.
However, according to data from Network Group Events’ 2017 Financial Services Information Security Network, 52% of chief information security officers working in the finance sector have made GDPR compliance an investment priority.
Evidently, the finance sector is fully aware of GDPR, but it will undoubtedly face tough challenges on the road to compliance. Recent cyber attacks such as WannaCry and Petya will also have placed a renewed emphasis on data security.
Adhering to GDPR might seem like a compliance burden, but it could yet be turned into an opportunity for businesses.
DataRaze’s Commercial Director Steve Inglessis discusses how financial services firms can prepare ahead of GDPR – sharing some top tips and highlighting why GDPR is not a compliance burden but, actually, an opportunity.
Know where your data is
Not only is the volume of data we create increasing – every day we create 2.5 quintillion bytes of data – but so too is its complexity. Businesses are increasingly data-driven, using big data to understand performance and identify opportunities to improve. This process typically involves a number of individual solutions, each collecting, managing and analysing data. While businesses benefit tremendously from this, it means that data is often scattered across a number of systems, from legacy hardware to cloud-based platforms. As a result, it becomes difficult for the business to have a unified and holistic view of its data.
Knowing where your customers’ data is kept at all times is a major step towards GDPR compliance. Traditionally, the view has been that more data equals more value, but this is not the case – it’s about data quality. Also, employees within the business might be using a variety of Shadow IT solutions (i.e. solutions outside of the business’ standard IT infrastructure) to manage data, making it harder for you to understand your current data procedures and exposing your business to potential data security risks.
Taking the time to understand how your business captures, stores and processes data will help to streamline the process and standardise the systems you use. Taking these steps will enable you to assess current risk levels and develop an approach to GDPR-compliant data management.
Establish a data governance framework
With data volume growing so fast – and GDPR fast approaching – information management needs to change. GDPR states that businesses can only capture data for the purpose for which it is required, meaning firms will not be able to record information other than that which is stated. Therefore, financial firms need to first establish a data governance framework, one that ensures that only the right, high-quality data is collected and only for the intended purpose, and then proceed to carefully dispose of data which they do not need.
This will involve updating existing IT infrastructure and improving data security measures, moving to scalable cloud-based solutions to support more streamlined data management in line with new policies. It is vital, however, that legacy IT assets and data are completely destroyed, and financial firms need to be sure that any data disposal is compliant with new regulations.
Enlisting the services of a professional, external data disposal firm could help with this and ensure any destruction is carried out professionally.
It is important to remember, though, that even if you outsource the data destruction, your company is still responsible if this isn’t carried out properly. Businesses should therefore make sure they obtain a robust chain of custody, so that data is destroyed safely and correctly and potential problems down the line are avoided.
Remember, good data governance is not just about the collection of high-quality data, but also having a robust, industry-compliant and risk-free data disposal method.
Protect your data and achieve transparency
Many financial services firms share information with third parties, such as clients, suppliers, regulators or partners. As GDPR puts increased accountability on data processors, the controller/processor relationship becomes even more important.
Should one fail to protect that data in line with GDPR standards, the other will be held accountable too. To ensure ongoing compliance, financial services firms must have a handle on all of their existing data.
This includes data ownership, as well as access and data usage, and that information should be recorded in a central location. When data is transferred to a third party, the interaction needs to be recorded, and the third party must have a system in place that compiles clear and detailed reports on how the data is being used and interacted with.
Ultimately, while GDPR and other incoming, stricter data security regulations present a lot of work for financial firms, taking the steps above will pave the way to ongoing compliance, enabling them to increase efficiency and productivity. Companies which are ultimately able to demonstrate better compliance and data security will inevitably gain the trust of customers, as well as avoiding the fines and punishments they face from May 25, 2018.