Here Craig Naylor-Smith, Managing Director of Parseq, explains why financial services businesses cannot afford to stay complacent with the prospect of GDPR fines lurking over their shoulder.

In July, the Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39m following a cyber-attack that exposed the details of almost 500,000 customers – the first fine to be publicly announced under the GDPR. The very next day, the ICO announced a second prospective fine of £99.2m against Marriott International following its own hack.

For those in the financial services (FS) sector, the ICO’s actions will have been a reminder of the consequences GDPR non-compliance can bring. Under the legislation, businesses can be fined the equivalent of up to €20m, or four per cent of their global turnover, whichever is greater.

The wealth of personal data held by FS firms of course means that the sector will be under particular scrutiny from both the regulator and the wider public. Yet, our own research has shown that many in the sector have struggled to handle a rise in personal data access requests from their customers and employees in the year since GDPR came into force – a situation that could put them at risk of feeling the ICO’s sting.

Challenges ahead

Under the GDPR, individuals can submit data access requests to receive a copy of personal data organisations hold on them and information on factors such as why their data is being used. They can also request that their personal data be erased. In most cases, organisations must respond within just one month.

Our research – conducted just after the GDPR’s first anniversary – found that more than two thirds (68%) of UK FS companies have seen a rise in data access requests in the year since the GDPR’s introduction in May 2018.

Of these, almost nine in ten (85%) had faced challenges in effectively responding, citing cost (57%) and complexity (48%) as their primary barriers.

Alongside these factors, more than a third (35%) pointed to a reliance on paper documentation as an obstacle.

With this in mind, a potentially effective solution for the sector as it addresses its compliance challenges could be found in greater digitisation – ensuring that the paper documents firms hold containing personal data are digitally accessible.

Steps for success

The FS sector has always been quick to adapt to consumer demand for digital solutions and capitalise on the opportunities that digital technologies can offer.

Despite this, we found that only five per cent of financial services businesses had digitised all of the paper documentation they held in the year after GDPR’s introduction – a situation that hasn’t improved from the 12 months before. When asked why not, our respondents most commonly cited complexity (39%) and a lack of time (37%).

While these issues are understandable, they should be carefully considered in relation to the benefits that digitisation could offer.

Digitisation can help firms access personal data more quickly as and when it’s needed, improving overall response time – an important factor given the GDPR’s one-month deadline. Meanwhile, investing in technologies such as automated scanning and data capture systems can help reduce time spent on administration, freeing up valuable staff resources for other tasks.

And there are options to sidestep the issue of complexity. At Parseq, we deploy cutting-edge technologies such as optical character recognition and Robotic Process Automation (RPA) to digitise 25 million paper documents every year for our clients. This can help them build secure, searchable online archives of their documentation, enabling them to be on the front foot when it comes to quickly accessing and managing their documentation while offloading complexity to us, and offering savings in terms of cost and time.

GDPR is now firmly bedded-in, and the UK’s FS businesses must act to ensure that they are fully able to comply. Reducing a reliance on paper documentation through digitisation can help them more effectively respond to data access requests, ultimately reducing the risk of incurring the ICO’s wrath and being slapped with a heavy fine.

Sharing personal data with organisations in the EU is essential to thousands of SMEs, and we know that the financial services sector is one of those that is most reliant.

When the UK leaves the EU, it will become what is known as a 'third country' under the EU’s data protection laws.

This means that UK and EU/EEA organisations will need to take necessary action to ensure that personal data transfers from organisations in Europe to the UK are lawful.

The benefit of taking action now is that UK organisations won’t be at risk of losing access to the personal data they need to operate, such as names, addresses or payroll details.

Financial services businesses should review their contracts relating to these personal data flows. Where the necessary clauses are absent, they need to update their contracts with additional clauses so that they can continue to receive personal data legally from the EU/EEA after Brexit.

For most financial service businesses, this will not be expensive and will not always require specialist advice.

Digital Secretary Nicky Morgan said: “If you receive personal data from the EU, you may need to update your contracts with European suppliers or partners to continue receiving this data legally after Brexit.

“So, I am urging all businesses and organisations to check and ensure they are ready for Brexit.

“There are simple safeguards you can put in place by following the guidance available. UK and EU businesses should get on the front foot and act now to avoid any unnecessary disruption.”

Effectiveness So Far

The run-up to the implementation date of the EU General Data Protection Regulation on 25 May 2018 saw a flurry of activity – most visibly in communications with customers, notifying them of changes in privacy policies and seeking their opt-in consent for marketing activities. While many of these communications were not strictly necessary, they reflected the focus of many businesses on external-facing compliance initiatives, such as their public-facing privacy policies and contractual arrangements with vendors.

The key practical challenges for businesses have centered on thoroughly operationalising GDPR and creating a GDPR compliance culture. The GDPR introduces some new and enhanced rights, such as the right to erasure, but equally importantly, it introduces principles which require changes to internal procedures and systems. Technology changes have often been time-consuming and expensive to implement. Creating a GDPR compliance culture has, for many businesses, been equally challenging. For many organisations, the area of focus in the short to medium term is the work required on internal-facing compliance initiatives, such as staff training and policy formulation and integration. While many aspects of GDPR compliance have taken the form of a ‘re-papering’ exercise, the challenges in becoming compliant are generally much deeper.

Practical challenges faced by businesses

Some of the practical challenges faced by businesses have been in identifying and understanding the scope of the personal data held and processed – including its nature, location, security requirements and, most fundamentally, the business drivers and legal grounds for collecting and processing such data in the first place. While the principles of data minimisation and purpose limitation are not new under the GDPR, they were frequently overlooked under previous legislation as businesses collected increasing amounts of personal data and used it in ways that were not necessarily consistent with the original purpose. Many businesses have not properly addressed these fundamental issues, which are frequently coming to light in practice in two key areas: managing data subject rights and responding to data breaches.

For example, the right to erasure applies in a specific set of situations but many organisations do not possess the level of granular detail about their processing operations required to respond accurately or efficiently. Organisations which have made superficial policy changes will lack the deeper understanding of the internal business processes resulting from a detailed data mapping exercise or a thorough analysis of an organisation’s grounds for processing. This often makes responding to such requests much more time-consuming, and in certain cases leads to organisations fulfilling requests by default to save administrative burden. This is far from ideal, particularly where some data categories processed about an individual are likely to be outside the scope of the right to erasure. Moreover, there may be legitimate business reasons for retaining such data. A related practical issue is the lack of uniformity across European jurisdictions on exemptions to and derogations from the rights of individuals to have access to their personal data, and the lack of guidance from regulators on the scope of some of the exemptions.

Another area where the lack of internal awareness becomes apparent is in respect of data breaches. The GDPR defines a data breach extremely broadly. Media attention is often focused on large-scale breaches involving millions of records containing financial and sensitive personal data. However, practically any unauthorised access to personal data (including access from within an organisation) can amount to a notifiable breach. This breadth is reflected in the volume of data breaches which regulators are handling – some European regulators are handling between six and twelve breach notifications each day. The GDPR imposes a well-publicised default period of 72 hours within which the appropriate regulatory authority must be notified. This frequently exposes, in real time, knowledge gaps within an organisation relating to the nature and location of the personal data held, its security arrangements and internal processes.

Overall impact on businesses

The GDPR is a reflection of the increased importance placed by EU law on personal privacy as a fundamental right, which needs to be taken into account when treating personal data as an essential input in business processes, if not a commodity in itself. That is simply an unavoidable cost of doing business. While increased awareness of such rights has been positive, the notification fatigue suffered by individuals has been less beneficial. This resulted partly from the lack of concrete guidance from regulators sufficiently early in the run-up to the implementation date. Similarly, for businesses outside the EU, the uncertainties regarding the GDPR’s extra-territorial scope have often resulted in protracted discussions and unnecessary compliance burdens. That said, there is an almost inevitable harmonisation upwards towards EU privacy standards. For example, Japan has harmonised its laws to EU standards, and there are forthcoming changes in the United States – currently in the state of California, but potentially at a federal level – to move towards GDPR standards. The key test of the GDPR’s effectiveness and overall credibility will be in enforcement. Six months in, it is still too early to gauge regulatory appetite for the headline fines of up to 4% of global revenue. In the coming months, the results of investigations and enforcement actions will start to become clear. The internal costs to businesses are more difficult to assess, although they are largely unavoidable.

Website: https://www.faegrebd.com/

Online fraud against UK citizens has become a topic for widespread discussion as more avenues for data theft are opened to criminals. Below, Finance Monthly discusses with experts at Money Guru the true value of your personal data and the cost of keeping it safe.

Experian places the annual cost of fraud against Brits at £6.8bn and, with more and more of our personal information available online, it’s likely to rise unless proper precautions are taken.

If you aren’t savvy with your data, which includes everything from social media logins to financial details, it could end up being available to malicious actors online through channels like the dark web.

Personal finance experts Money Guru have conducted research on several Dark Web marketplaces to find the average cost of stolen data. Their findings are shocking to say the least.

Someone’s entire online identity is available for less than £750.

26 of the most commonly used accounts available on the Dark Web can be purchased for a grand total of… £744.30.

Digging deeper into the online services that each individual Brit is likely to use, it becomes even more shocking with the full details of 16 accounts including finance, travel, entertainment and email credentials, available for £696.90.

Let’s look at each individual data classification to find out how the loss of even one set of account details could seriously affect you.

Financial Information

Scammers can buy credit card and debit card details, online banking logins, passwords and PayPal account information – all of these combined – for £619.40. This not only gives malicious actors access to your funds, but also a wealth of personal data that can be used for identity fraud.

Online Shopping Details

You may not be overly concerned with the security of your online shopping accounts, but they provide a great level of insight into your transactional habits, as well as giving criminals the ability to order products through your account via a mail drop.

Travel Account Information

With access to accounts like Uber and Airbnb, malicious actors are given access to a lot of sensitive locational data. Not only can they access the basic details you enter to create an account, they will also be able to monitor your travel habits.

Entertainment Account Information

It’s tough to find someone who doesn’t have a Spotify or Netflix account these days, making them a popular target for online criminals. At the less serious end of the spectrum, it enables access to free entertainment, while on the more sinister side it provides password clues to other associated accounts.

Social Media Account Information

There are few better methods of gaining insight into someone’s life than their social media accounts. These details are frequently stolen to sell to companies with few scruples about targeted advertising. It’s also a fast track to identity theft.

Email & Mobile Account Data

Being able to access emails and mobile account data provides fraudsters with a treasure trove of information about their target. It offers a jumping-off point for the popular, low-effort practice of spear-phishing – where a malicious actor tries to gain the credentials to more valuable accounts via social engineering and malware.

To compile this study, Money Guru accessed some of the most popular dark web marketplaces (‘Dream Market’, ‘Wall St Market’ and ‘Berlusconi Market’) to find an average price for each piece of personal data.

The big takeaway from their research is that your personal data really isn’t worth a great deal to online criminals. While the average amount stolen from a UK fraud victim is relatively small, 39% of cases result in £250 or more being stolen. In 25% of cases, this amount can vary from £500-£40,000.

The fact that it costs scammers less than £750 to access 26 accounts, when only a fraction of that number of accounts could be enough to steal tens of thousands of pounds, is a frightening one.

© 2024 Finance Monthly - All Rights Reserved.