5 Key Considerations for GDPR in Finance

0

The arrival of the GDPR (General Data Protection Regulation) is less than a week away. However, many businesses are still not prepared for the legislation shake-up that could see huge sanctions imposed for non-compliance. Experts at UK based IT support solutions company, TSG, explain for Finance Monthly what the key considerations are when it comes to the finance sector.

If your business is unprepared for GDPR, you are not alone. A Populus survey conducted only this year revealed that 60% of UK businesses do not consider themselves “GDPR ready”. It’s definitely not too late to put measures in place to ensure compliance with the regulation. Following the introduction of GDPR on 25th May, complying with GDPR will be a continuous journey.

What are the key areas you should be considering in light of the looming GDPR deadline?

Cyber-security tops the list

In this digital world, we produce, store and disseminate huge amounts of data. And a significant portion of that will be Personally Identifiable Information (PII); this is the data that matters under GDPR.

Even if, as a business, you don’t store customers’ sensitive data, you’ll still store the data of your employees. Therefore, all businesses must put measures in place to safeguard that digitally-stored data.

Encrypt everything

Arguably the most valuable cyber-security tool at your disposal is encryption. Not only is it a robust way to keep your data inaccessible to cyber criminals, it’s the only method that’s explicitly mentioned multiple times in the GDPR. Should any PII data you hold fall into the wrong hands – whether deliberately or accidentally – encryption will render it unintelligible. Encryption can operate at a file, folder, device or even server level, offering the level of protection most suited to your business needs.

Review your policies and processes

The GDPR requires you to implement policies that detail how you intend to process personal data and how you will safeguard that data. It also states that data controllers – that’s your business – must “adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” All new policies, whether specifically related to GDPR or not, must be compiled with a ‘privacy by design’ model. Existing policies, including your data protection policy, privacy policy and training policy should also be reviewed in light of GDPR.

Don’t forget subject access requests

Much of the coverage of GDPR has focused on two areas: data breaches and the potentially eye-watering fines. An area that’s arguably been overlooked is complying with subject access requests. Individuals can request access to the data you hold on them, verify that you’re processing it legally and, in some cases,, request erasure of their data – also known as the ‘right to be forgotten’. Under GDPR you’ll have only a month to respond to these requests, otherwise you’ll be at risk of non-compliance. More guidance on this can be found on the Information Commissioner’s Office (ICO) GDPR guide.

Don’t forget your reporting obligations either

Another element that’s received significantly less coverage is your reporting requirements. In the event of a data breach, businesses must report it to the Information Commissioner’s Office (ICO) within 72 hours of discovery. It’s especially important to note this, as failing to meet this obligation could be considered a bigger breach of the GDPR than the data leak itself. Both Uber and Equifax have come under fire in the past year for covering up breaches, reporting them late and keeping the extent of the breaches under wraps.

A good example to follow is Twitter. Following the discovery of a bug that stored users’ passwords in plain text – which is a bigger deal than it sounds – Twitter not only reported on the breach, but immediately informed its users of the bug, what caused it and the potential repercussions, and advised customers on how to keep their data safe. The second element of this is critical to GDPR too – if the breach poses a risk to individuals’ “rights and freedoms”, the victims of the breach must be informed too.

The key takeaway

The GDPR wasn’t created to punish businesses or to catch them out, but rather to empower individuals and consumers. Whilst there has been a lot of confusion around exactly what has been required for businesses, it’s clear that cyber-security is imperative, as is clueing up on your reporting and response obligations. It’s important to note that simply experiencing a cyber-attack or data breach won’t automatically result in financial punishment; the GDPR clearly states that, should you prove you put in place measures to protect your PII data, you won’t be hit with the most severe fines.

Comments
Loading...