Winning in a GDPR world: Five data security lessons for financial executives
You’ve no doubt noticed those privacy updates flooding your inbox and popping up all over the internet as companies announce their intentions to comply with the General Data Protection Regulation (GDPR), implemented in the European Union in mid-2018. Despite steep fines, Gartner estimates that more than half of companies impacted by GDPR still failed to comply as of the end of 2018. Beyond that, many U.S.-based companies have delayed overhauls because they believe the regulations will remain Eurocentric. Unfortunately, this rationale is tremendously misguided.
Lessons from the age of GDPR
GDPR reflects an ongoing shift to empower individuals and their data privacy. The regulation gives extended rights related to personal data, including the right to be “forgotten,” the power to be informed on data usage and the ability to challenge algorithms used for automatic decision-making. Moreover, individuals can opt out if they disapprove of how companies use their data.
For many businesses, international expansion is unrealistic; smaller financial firms, including local credit unions and small banks, operate within well-defined markets and know their clients will remain in the U.S. As such, they prioritize state and national regulations over global ones.
Most banks and financial institutions recognize the importance of enhancing cybersecurity and data security: 89 percent rank it as the top business priority for 2018. At the same time, they believe regulations such as GDPR exist beyond their purview. Thus they fail to account for the overarching security shift these regulations represent.
Keep in mind these five things as GDPR changes how we conduct business:
1. Don’t be lulled into a false sense of security
GDPR-like regulations will become the new normal across all geographies, markets and businesses. The California Consumer Privacy Act of 2018, for instance, will take effect in 2020 and like GDPR, it will require companies to disclose the data they collect and allow consumers to opt out of having their information sold.
This regulation will eventually become the international norm. By enhancing your security infrastructure now, you can put your business on track for compliance and avoid the need to scramble in a couple of years.
2. Adapt the most restrictive policies today
Anticipating increased regulation is smart; anticipating the most restrictive protections possible is even better. Right now, GDPR represents that standard.
The financial sector has a slight lead as 28 percent of firms achieve compliance within three to four years. When you address customer concerns, policies and processes that comply with GDPR, you can avoid increased financial and legal consequences down the line.
3. Raise expectations for third-party vendors
It’s not enough for your company to be GDPR compliant. If a breach occurs because of a third-party vendor that harbors your clients’ data, your company still bears responsibility. In recent years, financial institutions have reduced their third-party relationships and upgraded governance standards. This is essential as roughly half of financial service firms have experienced a data breach or outage because of a third-party vendor. Audit your vendors to ensure they meet GDPR standards and undergo routine security checks.
4. Know your systems and plan accordingly
Legacy systems can pose a greater compliance challenge. Newer financial firms have cloud-based systems with built-in searchability. For companies that operate on both legacy and cloud technologies, security and compliance can become far more complex.
These challenges can be greatly alleviated by the presence of a Data Protection Officer (DPO). Per GDPR, the DPO can be in-house or outsourced to a third-party firm. The position combines IT expertise with the data-protection experience necessary to ensure compliance.
5. Secure and grow
The increasingly efficient global marketplace has set new expectations, with diversified customer portfolios likely to include companies beyond the U.S. If your firm is not GDPR-compliant, your customers might look to other businesses with better offerings and more restrictive practices in place. Financial services executives recognize the growth opportunity for firms that meet these data protection standards. One study indicates that 80 percent of executives believe organizations that comply with the regulations will attract new customers.
Putting it all together: The pros of data protection
Consumer expectations will continue to drive increased data security regulation, which will require your company to step up. Your call is to stay on the leading edge of these changes and learn from your experiences. It will give you a competitive advantage, protect your company and, best of all, safeguard your clients’ data. For financial institutions—now more than ever—general data protection has very specific benefits.
Want more Banking Strategies? Sign up for our free newsletter!