Treasury Today Country Profiles in association with Citi

Power to the people: the essence of GDPR

Person on iPad whilst being virtually protected by data security systems

The EU GDPR will come into force immediately on 25th May 2018. Here’s what you need to know.

General Data Protection Regulation (GDPR) is just months away. When it arrives, it will govern in quite strong terms the way organisations collect, use and store personal data concerning EU citizens. It affects organisations regardless of where they are located, and that includes cloud-based operations.

Its purpose is to establish an EU-wide harmonised legal approach to data protection. At its core is the demand for the unambiguous consent of the individual for their data to be held, and the granting of new rights to secure their protection. Most affected organisations will have a lot of work ahead of them in order to comply in time. And comply they must, as the penalties will potentially be severe.

A digital response

In an age when cloud computing and connected devices have transformed the ways in which people live and work, personal data is commercial gold dust.

Informed consent is easy enough to comprehend with cookies on a website, but how much control do people have over their personal information? Not enough, the authorities say.

In the old days of EU Directive 95/46/EC, the rules had been crafted when digital was barely on the radar. GDPR is a way of giving protection and rights to EU citizens in an age where most organisations – from public to private, from commercial to non-commercial – source and use data in wholly different digital ways.

Once in force, GDPR requires companies to obtain customers’ consent prior to collecting and processing their personal data. They will also have to carry out detailed audits of the data that they already hold to ensure that consumers have actively opted-in.

The new protections and rights enshrined in GDPR demand that every affected organisation should have a plan in place by now. Even UK-based organisations not operating in the EU who may have been uncertain as to how to react with the impending exit from the EU, now have clarity on the matter. This comes in the form of the UK government’s issuance of its statement of intent to adopt a new data protection bill along the lines of GDPR as part of its planned reforms.

The requirements of GDPR are similar to the old EU Data Protection Directive. The type of personal data covered by the old data protection rules – names, addresses, dates of birth and so on – remain on the list. GDPR, in its pursuit of digital protection, not only includes photographic and CCTV images but also online identifiers such as an IP address, certain encrypted data, and even biometric data used for security identification.

The European Commission claims it will make it simpler and cheaper for companies to do business in the EU. It says it could also save an estimated total €2.3bn per year by consolidating supervision into one authority.

Foundations of success

Under GDPR, it is essential that information is protected. According to Communisis Data Intelligence, a UK-based independent data and analysis services company, the need is for a wide-ranging, multi-layered approach to security. This should address areas including:

  • User awareness and education.

  • Incident management.

  • Information risk management regime.

  • Home and mobile working.

  • Management of user privileges.

  • Removable media controls.

  • Monitoring.

  • Secure configuration of technology.

  • Malware protection.

  • Network security.

People power

In a world where individuals are increasingly data-savvy, tech-firm IBM has said that there is a clear understanding of how brands use personal data for sales and marketing purposes, an awareness of rights with regard to personal data, and a genuine concern about the well-publicised threat of cyber data theft.

New powers handed to individuals will enable them to demand to see any data held by organisations concerning them, for the organisation to immediately make amendments to any errors, and for the individual to have that data removed from almost any system as part of their ‘right to be forgotten’. Additionally, there is an ‘opt in’ clause where organisations seek sensitive data from individuals.

GDPR also introduces 72-hour breach notification requirements. The fine for a slow or poor-quality response to a data breach are materially significant.

Indeed, organisations failing to comply could face a sliding scale of punishments, ranging from a simple warning up to fines of €20m or 4% of global turnover. The right of aggrieved parties to sue for compensation could also see the rise of so-called ‘legal claims farms’, as seen in the aftermath of the UK’s PPI mis-selling scandal.

Findings from Lloyds Insurance show that cyber risk rose from twelfth place to third in the priorities of global business owners between 2013 and 2015. A re-examination of insurance arrangements to ensure that any applicable indemnity limits will cover the costs associated with investigations and breaches under the GDPR may be appropriate.

A job for business

The EU has said that GDPR responsibility specifically applies to “the natural or legal person, public authority, agency or other body which, alone or jointly with others determines the purposes and means of the processing of personal data”.

This translates into either ‘controllers’ (those who make decisions on how and why personal data is processed) or ‘processors’ (those who carry out the data controller’s requirements).

The individual rights and legal framework that supports GDPR means organisations must have quick access to any relevant personal data they hold. There is also a requirement for all controllers to ensure their processors are compliant, and for processors to keep records of all data processing activities for inspection on-demand by a single data protection authority. In the UK, for example, it will be the Information Commissioner’s Office (ICO).

In large and fragmented organisations, this may be difficult. Some businesses have said they will struggle to comply. Speaking at a panel discussion at London’s InfoSecurity Europe 2017 conference, John Lewis Group Data and Information Security Officer, Steve Wright, noted that, as a retailer, the Right to be Forgotten “is going to be incredibly difficult to fulfill within 30 days”. With lengthy warranty periods up to ten years in some cases, the firm will be unable to entirely delete that data when requested.

On the same panel, HSBC’s Deputy General Counsel, Cameron Craig, criticised the ICO’s guidance, noting that although GDPR mirrors existing rules, “unfortunately instead of having a single black line saying ‘these are the changes’, you have to work out what is actually different”.

The fundamental requirement of GDPR compliance is thus to ensure that organisations are absolutely clear as to why they are collecting an individual’s data, have secured the right to do so, and then have the means of securely managing it, accessing and deleting it (either upon request or when it is no longer needed).

Banking on compliance

Research from management consultancy Baringa Partners shows that banks are in a strong position when it comes to data governance. However, banks still risk losing customers should they experience a data breach. The issue is further complicated by the arrival of PSD2 payments regulation. This pushes banks towards a new open-banking model in which third parties are allowed to connect to banking front-ends – and customer data – using APIs.

PSD2 effectively creates a data access point which some banking clients may not wish to be exposed to. In Italy, transposition of PSD2 into national legislation allows banks to block access to third parties should a client request it. Other jurisdictions may follow.

The issue is perhaps a moot point anyway. Banks top the rankings when it comes to who consumers trust with their personal data. More than three quarters (77%) of people said they trust their bank, compared to 62% for insurers, 59% for energy companies and 58% for TV, phone or internet providers.

These high levels of trust seem to be driven by knowing what personal data is currently held on them. This is true for more than half (54%) of bank customers, compared to 42% of insurance and TV, phone or internet customers, and just 40% of energy customers. Banks also score highest for communicating the right amount with their customers about their personal data, at 55%, compared to 46% for insurers, energy companies and TV, phone or internet providers.

“Despite the financial crisis, it is clear that people’s faith in banks has not disappeared entirely,” says Daniel Golding, Director at Baringa. He believes customer loyalty has a big role to play. Trust is highest where people feel there is a long-standing relationship, so the low churn among banking customers compared to energy or internet providers works in their favour. “While banks are the guardians of our hard-earned savings, we are happy for them to be guardians of our personal data, too.”

However, the firm’s research also reveals that banks face significant risks when GDPR comes into force. Almost a third of people (29%) say that they would immediately switch to another bank if their provider suffered a major breach where their personally identifiable data was leaked.

In addition, three quarters (72%) said they are likely to ask what personal data is held on them if their bank is obliged to respond. If companies fail to provide a free electronic copy of their full personal data within a month it will be considered a Tier 1 breach of the rules, leading to the kind of penalties mentioned above.

Firms that lack centralised data governance systems will struggle to respond in an efficient and timely way and will face higher costs.

The task in hand

For many firms, large and small, this will require a complete review of how their data is managed, including its acquisition, storage, access and distribution. In most cases, an approach from a technological, process and policy angle will be necessary. Analysis, design, implementation, operation and maintenance phases such as those suggested by IBM may be necessary to achieve this. The tech-firm explains that the key areas are governance, people and communication, processes, data and security and states that the initial focus of any GDPR programme should be on where a company’s biggest risks are.

It will also be vital for all organisations to educate data-handling staff to know what its requirements are, and to make them fully aware of the possible impacts of infringement. Training will be essential.

Need a DPO?

One of the key requirements of GDPR is the establishment of the role of Data Protection Officer (DPO). The problem is that the rules are not clear as to which firms need one and which are exempt. Initially, it was all organisations with more than 250 employees. This has changed. According to law firm Field Fisher’s ‘Privacy Law Blog’, Article 37 of GDPR makes it clear that the obligation to appoint a DPO applies:

To all public authorities processing personal data (except for courts acting in their judicial authority); or

Where the “core activities” of an entity involves “regular and systematic monitoring of data subjects on a large scale”; or

Where the “core activities” of an entity involves “large scale” processing of “special categories of data” (such as data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, as defined in Articles 9 and 10).

“Core activities” and “large scale”, it notes, are yet to be subject to clear guidance, “but on the face of it, these requirements seem to broadly capture companies who deal in Big Data”. Peter Brown, Senior Technology Officer of the UK’s ICO, has been reported as saying: “unless it is obvious organisations don’t need to appoint a DPO, they should keep records of their decision-making process”.

If one is needed, the DPO can be a staff member or third-party contractor. The role is effectively the conduit between the public and the organisation’s employees in relation to the processing of personal information. They are also the point of contact for all data protection queries, reporting directly to top level management. The fundamental requirement is to ensure compliance with the legislation, including the undertaking of all necessary assessments prior to launching new products and services that use customer data, and as such they must be given all the resources necessary to carry out their functions.

Taking measures

In security terms, all companies have weak points. It might be the systems, the processes or the people that risk data breaches. A working practice such as ‘Bring Your Own Device’ in which employees use their own mobile phones, laptops and tablets leaves networks vulnerable unless formal processes for the management of remote connections are in place.

Where the ongoing menace of cybercrime is amplified under GDPR, companies seeking cyber-security baseline standards could consider seeking accreditation under the ISO 27001 certification in Information Security Management. The standard caters for all sizes of organisation, aiming to provide best practice and thus confidence in data procedures.

Large companies are often targets for hackers but smaller firms need not think they are immune and must too seek to protect their data. It might make sense to use third-party professional cloud services to store data as a way of mitigating risk. For smaller firms in particular, this can offer more protection than an on-premises solution. All sensitive data on mobile devices needs to be encrypted and employees should not be using the cloud for unauthorised storage.

GDPR in 30 seconds

  • Individuals will be given greater controls over their personal data.

  • The right to be forgotten is central to the individual’s rights.

  • Non-compliance could lead to fines of up to €20m or 4% of global turnover.

  • Organisations will be required to share information on their data processes in a clearer way.

  • Transfer of personal data between service providers will be easier for individuals.

  • Serious data breaches must be reported to authorities within 72 hours.

  • All companies, regardless of location (even cloud-based) must to adhere to the same rules when using EU-citizen data.

  • SMEs and larger firms will have to appoint a data protection officer: some smaller businesses will be exempt.

An opportunity not a threat

GDPR is not going away; seeing it as a nuisance or threat is ultimately counterproductive. A positive view is that where systems, processes and policies align, there will be improved data-handling efficiencies across the business.

According to insurance firm, Marsh, competitive advantage could be gained where organisations develop their cyber-security and information management systems around the requirements of GDPR.

In its report, ‘Data is an asset: it deserves protection; it offers opportunity’, it suggests that those firms which embrace GDPR as a means to improve their data management strategies – as opposed to a costly, compliance-driven exercise – stand to benefit from greater client trust.

“Rather than regarding compliance with the GDPR to be a costly and disruptive undertaking, firms should see it as an opportunity,” says Peter Johnson, UK Cyber Risk Leader, Client Advisory Services at Marsh. Of course, a single set of rules will make it simpler and cheaper for companies to do business across the EU. But, adds Johnson, organisations “can improve how they safeguard personal information, boost their understanding of how data can add value to their business, and forge a new relationship with clients based on enhanced transparency and security that can further build trust”.

GDPR will help maintain or repair the breakdown in trust between clients and organisations in terms of how personal data is used. For Johnson, this means “enabling proactive businesses to take greater advantage of the data-driven economy”.