By Michael Corcione, Managing Director, Cybersecurity and Data Protection Consulting Services, Cordium
The incoming General Data Protection Regulation (GDPR) may be an EU initiative, but it is having a worldwide impact. The new rules have a significant extraterritorial reach: any organization that processes the personal data of individuals in the European Union, whether as a controller or a processor and regardless of where the organization is located, must comply if it offers goods or services to those individuals or monitors their behaviour.
Investment firms that are not already preparing for these new rules need to put a program in place urgently. GDPR applies from 25 May 2018, and punishment for non-compliance will be severe, with fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
GDPR contains a tough set of data privacy and security requirements, spanning 99 articles and 173 recitals. This provides an enormous amount of regulatory detail, but key requirements include:
• Consent – Note first that GDPR protects “personal data,” a broader category than the US notion of Personally Identifiable Information (PII) used below: any information relating to an identified or identifiable person. Consent is one of six lawful bases for processing it; the others include performance of a contract and compliance with a legal obligation (for example anti-money-laundering checks). Where an investment firm relies on consent, that consent must be “freely given, specific, informed and unambiguous,” and it must be as easy for the individual to withdraw as it was to give.
• Understanding (right of access) – Individuals have the right to know whether an investment firm is holding their PII, what PII it holds and for what purpose, and to receive a copy of it. The individual also has the right to have inaccurate data rectified.
• Erasure – GDPR creates a right for PII to be removed at the request of the individual, known as the “right to be forgotten.” The right is not absolute: a firm may retain data it is legally required to keep, such as records held under financial-services record-keeping rules, but it must be able to locate and delete the rest, including copies held by its processors.
• Portability – Individuals have the right to obtain the personal data they have provided to a firm in a structured, commonly used and machine-readable format, and to have it transmitted to another provider, so that they can move, copy or reuse it across services. The right applies to data processed by automated means on the basis of consent or a contract.
• Product creation – The regulation requires “data protection by design and by default”: data protection requirements must be built into products, projects, processes and systems from the point of their creation, rather than being added on later, and default settings must process only the personal data necessary for each purpose.
• Pseudonymization – Investment firms that analyse customer data for trends and other insights should pseudonymize it first: replace direct identifiers with tokens so that the data can no longer be attributed to a specific individual without additional information, and keep that additional information (the key or lookup table) separately, under its own technical and organizational controls. GDPR names pseudonymization as an appropriate safeguard both for security and for analytics, but pseudonymized data remains personal data and stays within the regulation’s scope; only truly anonymized data falls outside it.
• Data Protection Officer (DPO) – Investment firms whose core activities involve the “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of “special categories of personal data” (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data, and data concerning health, sex life or sexual orientation) will have to appoint a DPO. Organizations are allowed to appoint a third party to serve as the DPO, and the DPO must report directly to the highest level of management.
• Broader liability – Organizations that act as data processors now have direct obligations under the EU regime, not just those who perform data controller functions, and each processor must be engaged under a written contract setting out its duties. The definition of a personal data breach is also wide: any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A loss of availability or an unauthorised alteration therefore counts as a breach, not only a disclosure.
• Notifications – Investment firms acting as controllers must notify the supervisory authority of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; processors must notify their controller without undue delay. In addition, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” Meeting the 72-hour clock in practice means the incident response process must record when a breach was first detected and have a pre-agreed escalation path from the security team to the DPO or legal function.
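As an added illustration of the pseudonymization point above (example code written for this page, not part of the original article), the following Python script tokenizes the direct identifiers in a constructed customer dataset with a keyed HMAC, keeps the re-identification material on a separate custodian side, shows that the analytics side can still aggregate per customer without seeing who the customer is, and shows why an unkeyed hash of an email address is not a real pseudonym. The field names, sample records and the custodian/analyst split are assumptions, not anything the article specifies.

```python
"""Pseudonymising customer records before analysis (added example, not from the article).

Assumptions (not from the article): the direct identifiers are the customer's
email address and account number; the analysis only needs the remaining
columns; the HMAC key is held by a separate custodian, so the analytics side
cannot re-identify anyone without the custodian's cooperation.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: fictitious customers, not real records.
CUSTOMERS = [
    {"email": "a.jones@example.com", "account": "ACC-1001",
     "country": "DE", "product": "fund-a", "aum": 120000},
    {"email": "b.lee@example.com", "account": "ACC-1002",
     "country": "FR", "product": "fund-b", "aum": 45000},
    {"email": "a.jones@example.com", "account": "ACC-1003",
     "country": "DE", "product": "fund-b", "aum": 30000},
]

# Fields that identify a person directly and must not reach the analyst.
DIRECT_IDENTIFIERS = ("email", "account")


def make_token(key: bytes, value: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 of a normalised identifier under the custodian key.

    Without the key the token cannot be mapped back, and it cannot be matched
    against a candidate list either. With the key the same input always yields
    the same token, so one customer's records still link together for analysis.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Split records into (analysis_set, lookup).

    analysis_set carries tokens in place of direct identifiers and goes to the
    analysts; lookup (token -> original value) is the "additional information"
    GDPR says must be kept separately, and stays with the custodian.
    """
    lookup = {}
    analysis_set = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        for field in DIRECT_IDENTIFIERS:
            token = make_token(key, rec[field])
            row[field + "_token"] = token
            lookup[token] = rec[field]
        analysis_set.append(row)
    return analysis_set, lookup


def aum_by_customer(analysis_set):
    """Analyst-side aggregation: total assets per (pseudonymous) customer."""
    totals = defaultdict(int)
    for row in analysis_set:
        totals[row["email_token"]] += row["aum"]
    return dict(totals)


def reidentify(lookup, token: str):
    """Custodian-side only: map a token back to the original identifier."""
    return lookup.get(token)


def unkeyed_hash_matches(candidate_emails, target_email: str):
    """Why plain SHA-256 is not an adequate pseudonym: anyone holding a list of
    candidate addresses (a marketing list, a breach dump) can recompute the
    hashes and match them, with no key needed."""
    target = hashlib.sha256(target_email.lower().encode()).hexdigest()
    for candidate in candidate_emails:
        if hashlib.sha256(candidate.lower().encode()).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    custodian_key = secrets.token_bytes(32)       # generated and held by the custodian
    analysis, lookup = pseudonymise(CUSTOMERS, custodian_key)
    print("analyst view:", analysis)              # no email or account fields present
    for token, total in aum_by_customer(analysis).items():
        print(f"{token[:12]}... holds {total}")   # analyst can aggregate but not name
    print("custodian can re-identify:", reidentify(lookup, analysis[0]["email_token"]))
```

The design point is the split: the analysts' dataset and the custodian's key or lookup table must live under different access controls, otherwise the data is pseudonymous in name only. Normalising the identifier before hashing (trimming and lower-casing) keeps variant spellings of the same address from becoming different customers in the analysis.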
UK-based firms should review their existing information security and data protection framework with a view to GDPR compliance: the government has confirmed that the regulation will apply in spite of Brexit. Although GDPR builds on the existing 1995 Data Protection Directive (95/46/EC), many elements are new, and because it is a regulation rather than a directive it applies directly in every member state without needing national implementing legislation.
Firms need to perform a readiness assessment: a process that maps the “real world” requirements onto the specific GDPR articles. The completed assessment produces a gap analysis that reveals the firm’s deficiencies in its current policies, procedures, and controls, ideally starting from an inventory of what personal data the firm holds, where it flows and which processors handle it, since none of the rights above can be honoured without one. Finally, the firm needs to decide how it will bridge those gaps, with new policies, procedures, and technology solutions.
Investment firms outside the EU need to review whether they fall under GDPR: if they offer products or services to individuals in the EU, or monitor their behaviour, the chances are that they do. The good news is that in some jurisdictions, such as the US, firms that already operate under an established security framework, such as ISO 27001 or the National Institute of Standards and Technology (NIST) Cybersecurity Framework, should already have made progress towards the security side of GDPR compliance. However, those frameworks do not address lawful basis, data subject rights or the regulation’s notification deadlines, so firms still need to perform a gap analysis to understand the areas in which they must implement additional policies, procedures, and controls.
All firms that need to comply with GDPR, no matter where they are located, should consider incorporating its requirements into their overall information and cyber security strategy. By doing this, the firm will benefit from tighter data controls, better-defined operations, and a stronger information and cyber security program. The new regulation can provide the internal momentum for investment in key tools and solutions that will not just deliver compliance, but also strategic value for the organization overall.