With the continued focus on personal information and the privacy rights of individuals, the General Data Protection Regulation (GDPR) went into effect May 25 and it has an international reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. This includes the United States. The GDPR adds another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management that so many organizations are struggling to come to terms with.
The GDPR aims to establish the same data protection levels for all EU residents and will have a solid focus on how organizations handle personal data; these protections should help preserve and repair the damaged trust dynamic between businesses and consumers. It is also hoped that the uniformity introduced by the reform will benefit organizations by allowing them to bypass the current array of often-contradictory national data protection laws. The constructive repercussions may reach even further as countries in other regions dedicate more attention to defending mission-critical assets.
At the Information Security Forum (ISF), we believe that the GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.
Non-Compliance Carries Costly Consequences
Most countries have established supervisory authorities; these government-appointed bodies have powers to inspect, enforce and penalize the processing of personal data. In the US, a number of authorities enforce data protection requirements under the sectoral approach, most notably the Federal Trade Commission (FTC), which has substantial regulatory powers. Supervisory authorities are granted investigatory powers by the GDPR, allowing them to investigate any complaint. Complaints may be received not only from the data subjects themselves but also from any organization or association that chooses to complain.
If an organization is found to be overstepping the requirements of the GDPR, supervisory authorities have a variety of corrective powers from which to choose. These include the ability to issue warnings and reprimands to controllers or processors; but also include far more substantial powers, which can compel an organization to process data in certain manners, or cease processing altogether, as well as force an organization to communicate data breaches to the affected data subjects.
While many companies still may not fully understand all the actions they need to take to become compliant, most have heard about the serious financial penalties stipulated by GDPR: up to EU 20 million or four percent of the worldwide annual revenue of the prior financial year, whichever is higher. Such fines can be issued for infringing: basic principles for processing, including conditions for consent; data subjects’ rights; transfer of personal data to a recipient in a third country or an international organization; or any non-compliance with an order issued by a supervisory authority.
U.S. Businesses Must Get on Board the GDPR Train
Implementing a GDPR compliance program is happening at the same time that public conversations about online privacy have reached a fever pitch. Between the Equifax breach, a seemingly continuous string of customer data breaches at major retail and restaurant brands, healthcare and financial services organizations, the American public is getting a crash course in the security and privacy weaknesses of online services, apps and networked systems. It may not happen immediately, but chances are that further regulation and more intense oversight mechanisms will be developed in response to these striking revelations, which have damaged public trust and corporate integrity.
As public sentiment shifts, organizations that rely on personal data — and individual users’ consent and trust — have an opportunity to go above and beyond GDPR in order to assuage worried and wary customers and partners. Apple has offered an example, announcing recently that they will offer GDPR protections to all their customers, not just EU data subjects specifically protected under the law. These protections — including a new privacy policy, easier access to important privacy settings, access to personal data stores, and ability to permanently delete accounts — will be available first to EU subjects and rolled out to every Apple customer worldwide in the months following GDPR enforcement commencement.
There are many lessons to be learned at this critical juncture in the era of digital transformation. Leading organizations will take the time to review how they are handling privacy concerns and how they are communicating about privacy to their customer base, supply chain, and partner ecosystem. Forward-looking strategic planning should include: monitoring Congressional and state legislative activity, regulatory guidance, and thought leadership; fine-tuning and rehearsing incident response plans; and keeping up with privacy and security best practices with regards to people, process, and technology.
Impact on the Financial Industry: More Regulations, More Risk
The latest ISF report, Threat Horizon 2020 highlights nine major threats, one of which focuses on how regulations, such as GDPR, increase the risk and compliance burden on the financial services sector. The ISF report looks ahead two years to when companies will experience the full impact from regulations stipulating that data sharing and processing should become more transparent.
It may seem counter-intuitive to say that increased regulation results in a broader attack surface, but in sectors like finance, where record-keeping is paramount, some regulations extend the amount of data that must be retained, the length of time it must be stored, and/or the number of separate entities that must or can have access to the data. Emerging protectionist policies related to international trade may force financial organizations to solicit and retain more in-depth records on prospective customers and suppliers. Obviously, these larger data footprints inherently increase the risk of a data breach.
For example, the second EU Markets in Financial Instruments Directive (MiFID II) requires that firms in the financial sector store recordings of conversations for five years (the previous retention period was six months). The second EU Payment Services Directive (PSD2) allows third parties to access customer accounts via application programming interfaces (APIs). Moreover, there’s the EU-US Privacy Shield, the NY DFS cybersecurity standards, and various other region-specific laws; most of these carry heavy penalties for non-compliance.
What will it look like when organizations have to share customer data with a range of organizations at widely varying security assurance levels? How and when will banks have to assume responsibility for customer data leakage under GDPR and additional regulations? What happens when expensive M&A activities are upended because one of the parties is being investigated for a compliance failure or consumer data breach?
Perhaps most confounding is the potential for conflicting regulations, another inherently risky dynamic.
Aiming to comply with one set of regulations may mean struggling to comply with another, leaving an organization open to fines as well as enforcement actions that could disrupt business operations. This struggle is representative of an overarching challenge that regulated industries will have to contend with for the foreseeable future: managing a growing amount of data under a growing level of scrutiny in the face of growing cyber threats.
Responding to regulations while managing risk will become a central balancing act. It’s important to clearly communicate the intricacies of maintaining this balance to senior stakeholders and board members. A strategic, enterprise-wide, and integrated approach to data governance, risk management, and compliance is essential. Mechanisms that automate and streamline recordkeeping, vendor management, and information asset inventories will help optimize the efficiency and accuracy of compliance-related activities. Likewise, services, libraries, and catalogues that help compliance teams stay up-to-date on regulatory changes and directives should be referenced regularly and used to map case law, conflicting regulations, and high-risk areas particular to your industry, client base, or business model.
First Steps for GDPR Preparedness
Most banks have achieved GDPR readiness. But some institutions may have discovered belatedly just how deeply the regulations reach into their operations, or that they want to be ready for EU-residing customers in the near future. Up-and-coming fintech firms may have been caught off guard by GDPR-related assessments required by their more established banking partners. Even after the enforcement date has passed, there will still be important steps to take the regulations seriously and continue compliance work in earnest.
A good first step is to show risk management readiness — a deliberate review of existing data privacy policies, processes, and plans. Get your team together and be sure to include representatives from every business function that touches personal data — this is not just a job for the marketing department. Consult legal advisors, figure out which internal security and data experts to work with, and work to get C-suite backing to make preparations a priority. Review products and services for data privacy hot spots; you may need to include product development or engineering teams in GDPR activities, especially if a non-critical feature introduces an outsized risk that could lead to expensive consequences. With a solid plan, a thorough risk review, and a multi-faceted team in place, companies can show they are being diligent, even if they aren’t technically compliant yet.
Assessing the extended ecosystem — third parties, vendors, and partners — for GDPR compliance, data risks, and required documentation is another important step for latecomers and well-prepared organizations alike. As the deadline nears, review vendors and third parties and ensure you have documented the necessary profiles and assessments. For most companies, technology vendors play an increasingly significant role in getting compliant with regulatory regimes like GDPR, PCI DSS and more. If you can’t tell enforcement agencies that you know exactly what data passes through or is held by your fintech partner or cloud provider, and what they’re doing to protect it, you can’t possibly show that you’re taking a serious and diligent approach to compliance. Look beyond obvious customer interfaces; failure to do so will signal lack of preparation.
For financial services organizations scrambling to catch up, it is imperative to stay laser-focused on top priorities. Determining the core tasks, building a cross-functional team, and securing C-suite support will make it easier to expedite the remaining steps. Be sure to document all activities, especially third-party assessments, and begin to establish workflows and procedures to ensure efficiency and accountability. Once an organization has made a game plan, it is time to dive in to the real work: data inventory, data flow analyses, and data audits. An organization that doesn’t fully understand how personal data is being used, processed, and stored cannot establish viable “legitimate interest” justifications or offer its customers transparency and full disclosure when it comes time to seek their consent.
Go Beyond Compliance to Maximize Benefits
No organization that operates on a global footprint of suppliers can afford to not prepare for changes that will result from new GDPR compliance rules. Falling out of compliance with data regulation can really hit you in the pocket. The checklist of rules requires extreme preparation and responsibility all of which must shouldered by the organizations who cannot look solely government or regulators for help.
The GDPR strengthens the requirements for protecting personal data. It affords individuals new and enhanced rights and freedoms and holds organizations responsible for enabling them. It promises to penalize organizations unable to uphold these rights and freedoms – a risk best managed by establishing an enterprise-wide GDPR compliance program.
Leading organizations are looking beyond compliance, by extending the breadth of GDPR compliance programs to leverage additional benefits. Examples include:
- Consolidating activities into broader information governance programs
- Embedding information security into the design of business applications and technical infrastructure
- Improving data protection and privacy practices
- Extending information security’s reach within the business
While every organization should judge the risks and rewards of its own data protection investments, the GDPR offers a unique opportunity to translate necessary compliance actions into tangible business benefit. Leading organizations are structuring GDPR compliance programs to exploit these opportunities, mindful of their increased responsibilities to handle personal information appropriately and responsibly. Although the GDPR is now in effect, it is not too late to start of the journey to ongoing protection of personal information, something that will be with us for some time to come.
Steve Durbin is managing director of the Information Security Forum (ISF).