GDPR and effective implementation for finance businesses


When it comes to industries embracing new technologies and digitisation, the finance industry leads the way. Over the last three years, total global investment in fintech has risen to $31 billion, a significant increase from $9 billion in 2008.

With this digital boom, the amount of personal data collected within the industry has followed the same trajectory. Recent changes in financial-crime regulation have seen a tenfold increase in the collection of personal data, and with the adoption of the revised EU Payment Services Directive (PSD2) predicted to increase the sharing of customer personally identifiable information (PII) by up to five times, structuring and securing this data has never been so important.

An individual's data is collected for a variety of purposes, including credit risk, financial crime, profitability, sales effectiveness and background verification checks. When GDPR takes effect on 25 May 2018 it will set a single standard for how firms that control or process the personal data of individuals in the EU must handle it, whether the firm is based within or outside the EU.

Finance companies will therefore need to employ more sophisticated techniques to secure and manage individual data. With only two months until the legislation takes effect, Wipro has compiled common considerations to help financial businesses plan and implement GDPR effectively.

Building Personal Data Inventory   

Under GDPR, what counts is having a lawful basis and a defined purpose for collecting and processing personal data. With that in place, a company may store and use an individual's data; however, it will also be expected to trace and audit quickly and precisely where PII is held. To do this, it is important to build a personal data inventory covering:

  • Personal data – Personal data categories and a trail of personal data copies shared with other data controllers, processors and countries
  • Surveillance records – Textual, audio, video and other information collected
  • Employee practice records – Health and safety, social media, personal devices
  • Business operations – Retained records, cookies and tracking, marketing data

The PII inventory and data-mapping exercise can also be used to minimise the number of collection points and to reduce the burden of data management.

Data Portability  

Article 20 of GDPR gives data subjects a right to portability, and there is no doubt that it empowers the consumer. A data subject can request the personal data they themselves provided to a controller (telephone numbers, email addresses, etc.) in a structured, commonly used and machine-readable format, and have it transmitted to another provider. Portability is a separate right from withdrawing consent, but in practice a customer who moves provider often does both at once: the controller should log the request, hand over the export and, where consent has been withdrawn, notify third parties with whom the data was shared to stop processing it.

Right to be forgotten  

Going one step further than data portability, the right to be forgotten gives an individual the authority to ask for their personal data to be erased from a firm's systems and from any third-party systems that have copied, replicated or linked to the original information. In practice, businesses can meet this requirement through anonymisation: de-identification protects individual privacy while still allowing the information to be used for legitimate secondary purposes. The caveat is that the de-identification must be irreversible; data that is merely pseudonymised (a token or key that can still be mapped back to a person) remains personal data under GDPR and does not satisfy an erasure request. Data can, however, continue to be held by the controller or processor to meet a contractual, legal or regulatory obligation, for example financial-crime record keeping, and that exception should be applied field by field rather than to the whole record.

Data Lifecycle Management  

As noted above, storing data on an individual is allowed under GDPR when there is a lawful basis and a defined purpose. Individuals do, however, have the right to know what data is stored, why it is stored and for how long. The erasure and portability rights also mean that, once data has been ported or an erasure request has been honoured, it must be permanently erased rather than left behind in backups and secondary systems.
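The portability, erasure and lifecycle requirements in the three sections above come together in one piece of code. The following is an added example written for this article, not Wipro's code: a minimal personal-data store that answers a portability request with machine-readable JSON and an erasure request that blanks every personal field except those still inside a retention window, replacing the identifier with a pseudonym so that internal references survive. The field names, the five-year financial-crime retention rule and the sample customer are all assumptions made for the example.

```python
# Added example for this article (not Wipro's code). Field names, the assumed
# five-year KYC retention rule and the sample customer are illustrative only.
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import date, timedelta
from typing import Dict, List, Optional

# Data the customer provided directly and may take to another provider.
PORTABLE_FIELDS = ("name", "email", "telephone", "address")

# Data kept despite an erasure request, and for how long after the
# relationship ends (assumed rule: financial-crime/KYC evidence, five years).
RETAINED_FIELDS: Dict[str, timedelta] = {"kyc_check": timedelta(days=5 * 365)}


@dataclass
class CustomerRecord:
    customer_id: str
    name: str
    email: str
    telephone: str
    address: str
    kyc_check: str                      # e.g. "identity verified 2017-03-01"
    relationship_ended: Optional[date] = None
    erased: bool = False
    audit: List[str] = field(default_factory=list)


def export_portable(rec: CustomerRecord) -> str:
    """Return what the subject gave us, as structured machine-readable JSON.

    Only the provided fields are exported; derived data such as internal risk
    scores is outside the scope of Article 20 and is not included.
    """
    payload = {name: getattr(rec, name) for name in PORTABLE_FIELDS}
    rec.audit.append("portability export")
    return json.dumps(payload, sort_keys=True)


def pseudonymise(value: str, salt: bytes) -> str:
    """Salted digest: lets internal references survive without the clear value.

    Caveat: while the salt exists this is pseudonymised, still personal data
    under GDPR. It only becomes anonymous once the salt is destroyed.
    """
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()[:16]


def erase(rec: CustomerRecord, today: date, salt: bytes) -> List[str]:
    """Honour an erasure request; return the names of fields still retained.

    Portable fields are blanked outright. Fields under a retention obligation
    are kept until their window has expired, measured from the end of the
    relationship (or from today if it has not ended).
    """
    retained: List[str] = []
    for name in PORTABLE_FIELDS:
        setattr(rec, name, "")
    ended = rec.relationship_ended or today
    for name, keep_for in RETAINED_FIELDS.items():
        if today < ended + keep_for:
            retained.append(name)       # legal obligation outranks the request
        else:
            setattr(rec, name, "")
    # Replace the identifier with a pseudonym so that ledgers and audit trails
    # that reference this customer still resolve, without naming anyone.
    rec.customer_id = pseudonymise(rec.customer_id, salt)
    rec.erased = True
    rec.audit.append("erasure request; retained=" + ",".join(retained))
    return retained


def sample_customer(ended: Optional[date] = None) -> CustomerRecord:
    """Constructed sample record (not real data)."""
    return CustomerRecord("C-1001", "Ada Example", "ada@example.org",
                          "+44 20 7946 0000", "1 Example St, London",
                          "identity verified 2017-03-01", ended)


if __name__ == "__main__":
    rec = sample_customer(ended=date(2018, 1, 31))
    print(export_portable(rec))
    print("retained:", erase(rec, date(2018, 3, 25), b"per-tenant-salt"))
    print(asdict(rec))
```

The point to take from the erase path is that the retention exception is evaluated per field and per date, so the same request against a customer whose relationship ended in 2012 clears the KYC evidence as well, while a recent leaver keeps it. The salt used by pseudonymise should be managed like a key: destroying it is what turns the residual identifiers from pseudonymous into anonymous.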

Consent Life Cycle Management  

Consent is a central part of GDPR. The legislation requires consent to be freely given, specific, informed and unambiguous, and the data collected to be limited to a specified and justifiable purpose. As data controllers, financial institutions will also have to demonstrate that a consumer has consented to the processing of their data, and give data subjects the ability to view, update and withdraw their consent at any time. This is likely to increase the need for advanced identity, access and consent management systems.

Immutability and Traceability  

GDPR requires businesses to hold evidence of how a person's data has been handled and that it has stayed within the boundaries of the regulation. Traceability of data, knowing where it has been used and how it has been shared, therefore becomes essential. An append-only, hash-chained ledger (blockchain is one form of this) could be worth considering to make that trail tamper-evident. The caveat is that immutability cuts against the right to erasure: personal data should never be written to such a ledger directly, only digests and pseudonymous references, with the data itself kept in a store that can be erased.
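As an added example for this section (not Wipro's code), the following is a small tamper-evident, hash-chained log of data-handling events. Each entry commits to the hash of the previous one, so editing, reordering or removing an entry breaks verification, and the log stores only a digest of the personal data plus a pseudonymous subject reference, so the chain stays verifiable after the record itself has been erased. The event names, lawful-basis labels and sample events are assumptions made for the example.

```python
# Added example for this article (not Wipro's code). Event names, lawful-basis
# labels and the sample events are illustrative assumptions.
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64      # prev_hash of the first entry


class DataHandlingLog:
    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    @staticmethod
    def _digest(entry: Dict[str, object]) -> str:
        """Hash of every field except the entry's own hash, in canonical JSON."""
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, subject_ref: str, action: str, data: bytes,
               recipient: str = "", lawful_basis: str = "") -> Dict[str, object]:
        """Append one event. subject_ref must be a pseudonym, never a name,
        and `data` is hashed rather than stored, so the log itself never
        becomes personal data that an erasure request would have to remove."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry: Dict[str, object] = {
            "seq": len(self.entries),
            "subject": subject_ref,
            "action": action,
            "recipient": recipient,
            "lawful_basis": lawful_basis,
            "data_digest": hashlib.sha256(data).hexdigest(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True iff every entry is intact and correctly chained to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = str(e["entry_hash"])
        return True

    def trace(self, subject_ref: str) -> List[Tuple[str, str]]:
        """Where one subject's data went: (action, recipient) pairs in order."""
        return [(str(e["action"]), str(e["recipient"]))
                for e in self.entries if e["subject"] == subject_ref]


def demo_log() -> DataHandlingLog:
    """Constructed sample events for one pseudonymous subject (not real data)."""
    log = DataHandlingLog()
    pii = b'{"email":"ada@example.org"}'        # constructed sample payload
    log.record("subj-7f3a", "collected", pii, lawful_basis="contract")
    log.record("subj-7f3a", "shared", pii, recipient="credit-bureau-A",
               lawful_basis="legal obligation")
    log.record("subj-7f3a", "erased", b"", lawful_basis="art 17 request")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain valid:", log.verify())
    print("trace:", log.trace("subj-7f3a"))
    log.entries[1]["recipient"] = "unknown-party"      # simulate tampering
    print("chain valid after edit:", log.verify())
```

One limitation worth knowing: a chain like this detects edits and deletions in the middle, but not silent truncation of the newest entries. In production the latest entry_hash should be anchored somewhere the log's administrators cannot rewrite (a separate system, a signed timestamp, or a distributed ledger if that is the route taken), which is where the blockchain suggestion above actually earns its keep.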

Privacy goes beyond Information Security  

With GDPR being introduced, security and privacy techniques will need to evolve with technology. Article 32 puts extra pressure on ensuring the ongoing confidentiality, integrity, availability and resilience of processing, on being able to restore data promptly after an incident, and on encrypting or pseudonymising data effectively, all backed by a well-defined process for regularly testing and evaluating the effectiveness of these measures. Privacy concerns can arise at any point where PII is processed, so the following areas need to be considered:

  • PII Data Types, Format, Origination, Storage location  
  • PII Data Usage  
  • Storage and Archival  
  • Erasure and Deletion  
  • Security and Audit Mechanisms 

Going forward  

Compliance with GDPR must start with an inventory of PII and of the applications that manage it. To accompany this, new standards for data withdrawal and erasure should be introduced, together with a continuous review cycle for the existing standards and policies that GDPR affects.

With this new legislation, opportunity exists for the finance industry to look to innovative technologies, such as Blockchain, which can assist them in areas like data minimisation to substantially reduce compliance risk. Also, any existing investments in data lakes and centralised customer data systems can be leveraged to provide the initial basis for GDPR compliance.  

In summary, it’s important that finance businesses do not see GDPR compliance as an add-on to their data and processing, and instead view it as an integral part of their business which is supported by the appropriate policies, processes, controls and technologies. 

Mohan Bhatia, Global Head- Risk and Compliance Practice, Richard Thornton, European Head – Risk and Compliance Practice and Sunil Pai Global Head- Risk Practice at Wipro
