GDPR: three things most businesses haven’t thought about – but should
GDPR: the four-letter acronym the world of banking and finance has become all too familiar with. A number of regulations have already come into force this year, but none as wide-reaching as GDPR, which affects every business processing the personal data of EU citizens.
This regulation, which came into force on 25 May 2018, is the most fundamental change to data privacy law in twenty years, yet in the “rush” to become compliant most people seemed to be thinking and talking about the same implementation issues, such as how to process client data or how to respond to data subject access requests (DSARs).
We’ve identified three crucial areas that don’t seem to be getting the attention they require: how firms will manage the “right to be forgotten” (truly forgotten) in an industry where backups are essential; the need to balance cybersecurity mandates with user experience; and the corporate governance challenges associated with appointing a data protection officer (DPO) in the quest for GDPR-compliance.
- The back-up challenge
Under GDPR, individuals have the “right to be forgotten”, meaning that all of the data the organisation in question holds on them must be deleted upon request. This personal data must also be deleted from any backups. However, in the rush to catalogue “live” data by 25 May, many financial organisations were not considering how they would delete specific personal data from their backups.
This presents a significant challenge: when backups are retrieved they are usually used in their entirety, and it can be almost impossible to trawl through that data and delete individual records without destroying the integrity of the data. In theory all records must be deleted, but in practice it is often extremely difficult to do this without corrupting the backup.
If a data breach occurs on a backup containing personal data that should have been physically deleted under a previous DSAR, and that data is leaked, the organisation could be liable for a substantial fine.
To overcome this, you may need to restore each backup containing the personal information to be deleted, remove that data, and back it up again. However, this can be highly costly and inefficient, particularly when there is a large amount of data to process.
To add to the cost and complexity, most financial organisations have a large number of backups, meaning the same process would have to be repeated across every version containing the personal data that needs to be removed.
The other approach some firms might consider is a soft delete: “flagging” particular data as a record that should no longer be used, e.g. so that marketing materials can no longer be sent to that individual. For all intents and purposes the organisation treats that data as if it doesn’t exist, although it still physically exists. As such, this is an approach that could prove questionable from a legal standpoint. Furthermore, many systems don’t have the functionality to earmark particular data as defunct and may therefore require additional configuration, which can be costly and time-consuming.
Perhaps the biggest challenge is that there isn’t a clear solution out there. At best, most providers of GDPR solutions can flag this as a risk, help to identify the relevant data on backups, and examine the potential approaches. Ultimately, whether you can do a “soft” delete or a “hard” (physical) delete, by rehydrating the data and restarting the backup from scratch, will depend on the data management systems and processes in place at your organisation.
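The two approaches described above, as an added worked example (not code from the article or from Pontus Vision): a “hard” delete that restores each backup generation, removes one individual’s records and re-creates the snapshot, beside a “soft” delete that only flags the records. The backup snapshots are constructed inline as small JSON-style lists, and all function names are hypothetical. The example also shows the check a practitioner would want after each pass: a digest over everybody else’s records proves the erasure did not corrupt the rest of the backup, and two counters make the legal distinction visible, because after a soft delete the data is unusable but still physically present.

```python
import copy
import hashlib
import json

# Constructed sample data: three backup generations of a small customer table.
SNAPSHOTS = {
    "backup-2018-05-01.json": [
        {"subject_id": "S-1001", "email": "alice@example.com", "consent_marketing": True},
        {"subject_id": "S-1002", "email": "bob@example.com", "consent_marketing": True},
    ],
    "backup-2018-05-15.json": [
        {"subject_id": "S-1001", "email": "alice@example.com", "consent_marketing": True},
        {"subject_id": "S-1002", "email": "bob@example.com", "consent_marketing": True},
        {"subject_id": "S-1003", "email": "carol@example.com", "consent_marketing": False},
    ],
    "backup-2018-05-25.json": [
        {"subject_id": "S-1001", "email": "alice@example.com", "consent_marketing": True},
        {"subject_id": "S-1003", "email": "carol@example.com", "consent_marketing": False},
    ],
}


def others_digest(records, subject_id):
    """SHA-256 over the canonical JSON of every record NOT belonging to subject_id.
    Comparing it before and after an erasure proves the other individuals' data
    in that backup was left intact."""
    others = [r for r in records if r["subject_id"] != subject_id]
    canonical = json.dumps(others, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def hard_delete(records, subject_id):
    """Physically remove the subject's records. Returns (new_records, removed_count)."""
    kept = [copy.deepcopy(r) for r in records if r["subject_id"] != subject_id]
    return kept, len(records) - len(kept)


def soft_delete(records, subject_id):
    """Keep the subject's records but flag them so they must not be used again.
    Returns (new_records, flagged_count). The data still physically exists."""
    out = copy.deepcopy(records)
    flagged = 0
    for r in out:
        if r["subject_id"] == subject_id:
            r["erased"] = True
            flagged += 1
    return out, flagged


def erase_subject(snapshots, subject_id, mode="hard"):
    """Apply the erasure to every backup generation (the restore, remove,
    back-up-again loop). Returns (new_snapshots, audit_log) and raises if any
    other individual's data changed in the process."""
    erase = hard_delete if mode == "hard" else soft_delete
    new_snapshots, audit = {}, []
    for name, records in snapshots.items():
        before = others_digest(records, subject_id)
        new_records, affected = erase(records, subject_id)
        after = others_digest(new_records, subject_id)
        if before != after:
            raise RuntimeError(f"{name}: erasure altered other subjects' data")
        new_snapshots[name] = new_records
        audit.append({"backup": name, "subject_id": subject_id, "mode": mode,
                      "records_affected": affected, "others_digest": after})
    return new_snapshots, audit


def physical_records(snapshots, subject_id):
    """How many copies of the subject still physically exist across all backups."""
    return sum(1 for recs in snapshots.values() for r in recs
               if r["subject_id"] == subject_id)


def usable_records(snapshots, subject_id):
    """How many copies are still usable, i.e. present and not flagged 'erased'."""
    return sum(1 for recs in snapshots.values() for r in recs
               if r["subject_id"] == subject_id and not r.get("erased"))


def marketing_recipients(records):
    """A downstream consumer that must honour both consent and the soft-delete flag."""
    return sorted(r["email"] for r in records
                  if r["consent_marketing"] and not r.get("erased"))


if __name__ == "__main__":
    hard, audit = erase_subject(SNAPSHOTS, "S-1002", mode="hard")
    print("hard delete: physical copies left =", physical_records(hard, "S-1002"))
    soft, _ = erase_subject(SNAPSHOTS, "S-1002", mode="soft")
    print("soft delete: physical copies left =", physical_records(soft, "S-1002"),
          "| usable copies left =", usable_records(soft, "S-1002"))
    print("marketing list from soft-deleted backup:",
          marketing_recipients(soft["backup-2018-05-01.json"]))
```

The audit log records, per backup generation, how many records were affected and the post-erasure digest, which is the evidence an organisation would want to retain to show that every version was processed. Note that the soft-delete path only works if every consumer of the data checks the flag, as `marketing_recipients` does here; a consumer that ignores it will keep using records the individual asked to have forgotten.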
- Cybersecurity – stuck between a rock and a hard place?
Cybersecurity is a large, and growing, cost for financial businesses, and under GDPR the stakes have never been higher: if personal data is leaked, the breach must be detected, reported and investigated. Breaches of this nature can no longer be hidden from public view, as some organisations have tried to do in the past.
There is a fine balance to be struck between having robust and secure cybersecurity systems and not reducing the usability of your systems and website(s). To use the analogy of a home security system, you can keep adding locks and alarms to your home to make it more and more difficult for a criminal to enter, but as you add more locks and alarms, the system becomes harder for you to use too.
Customers of financial organisations want secure data and a good user experience. So when it comes to cybersecurity, the real challenge is finding a balance between how secure the system is, how usable it is, and your level of protection against a fine.
When securing your systems, keep a good user experience at the heart of your plans because it’s easy to lose customers if your system becomes difficult to use. For this reason, when it comes to cybersecurity, many organisations are finding themselves stuck between a rock and a hard place.
If you store data in the cloud, the National Cyber Security Centre (NCSC) has published 14 Cloud Security Principles, a rigorous best-practice guide for cloud security. The list is not exhaustive, and how your organisation applies these principles will depend on your current data management systems and processes, as well as a number of other factors. But for many firms, these principles provide a great starting point. Again, a balance must be struck between having the most rigorous data security standards and keeping good user experience at the centre of everything that you do.
- Corporate governance – buffering the C-suite
Many financial organisations appointed a DPO in preparation for GDPR, though for most organisations in the UK a DPO isn’t mandatory. Rules in other European countries may differ; in Germany, for example, you must appoint a DPO if ten or more of your employees are processing personal data. Most of the DPOs we speak to have either a legal or an IT background, but don’t necessarily report directly to the CEO.
Under GDPR, fines for non-compliance are payable by the organisation rather than by a particular individual. However, those holding directorships can also be personally liable if it can be proved that they have been negligent.
Additionally, many DPOs we speak to are concerned about the challenges and risks associated with the role. Firstly, how do you de-risk the DPO position, one that often carries a large amount of risk? Secondly, where should the C-suite place a DPO in the organisational structure so that they can carry out their role effectively and efficiently?
One of the best ways to de-risk the DPO and CEO positions is by having the appropriate data management systems and processes in place. Ultimately, businesses need to be able to gain the level of visibility necessary to accurately comprehend the scope of data they hold. They also need to have an effective means of assessing the business’s level of compliance in key areas such as communicating privacy information, managing DSARs and monitoring reasons for consent. DPOs can use this insight to effectively manage the firm’s compliance and all of the customer data pertaining to the regulation.
When it comes to corporate governance, there is no “one size fits all” answer or approach. Where the DPO position sits in your organisation will very much depend on your existing corporate governance structure. From speaking to DPOs we find they are usually reporting to either general counsel or the CIO. Regardless of who they report to, one thing is for certain: as data becomes ever more important, DPOs need to be in a position where they can closely collaborate with the C-suite and have direct access to key decision makers.
Therefore, as we all adjust to GDPR compliance, it’s crucial for organisations to look at this fundamental regulation holistically to ensure continual compliance across the board. For those who choose to look only at the most obvious elements of this regulation, the consequences could be severe.
By Leo Martins, founder of Pontus Vision