Data breaches in the financial sector have been on the rise in the last couple of years. Stories about financial institutions suffering unintentional data disclosures or being hit by hackers have dominated the headlines. Most recently, a report from Accenture revealed that financial services firms are targeted more than any other sector, with breaches tripling over the past five years. In light of the proliferation of security incidents and data breaches, customers increasingly demand reassurance from their financial institutions that their data is safe. While the sector is already heavily regulated, the coming GDPR will impose new, stricter rules on how financial institutions manage their clients’ personal data.
Does the GDPR apply to companies in the financial sector?
The General Data Protection Regulation (GDPR) is a comprehensive set of data protection rules issued by the European Union which will have a great impact on any company that processes EU citizens’ data. The GDPR applies even if the company is located outside the EU. Organisations, irrespective of their establishment, that process personal data of individuals who are in the EU in order to offer them goods or services, irrespective of whether a payment is required, or to monitor their behavior within the EU will have to comply with the new rules. Hence, financial organisations will have to take measures to protect any personal data of EU data subjects (the person whose personal data is being collected, held or processed) in line with the GDPR requirements that will apply from May 25, 2018.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (data subject) such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. A bank account or credit card number also falls into the category of personal data. The GDPR requires organizations to take measures to minimize the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.
How will the GDPR affect the financial industry?
Many organisations in the finance industry use customers’ personal data for decision making and marketing such as fraud detection, risk management, or customer segmentation. The GDPR will radically change the way these organisations now use and store personal data and will require them to tighten their data policies and procedures.
Are financial institutions responsible for their data managed by third parties?
Yes, financial institutions remain responsible for protecting personal data whenever they use third-party services (data processors) to manage data on their behalf. Hence, they need to understand all the data flows across their IT systems and should use services that provide the highest level of protection. Under the GDPR, all data processing must have a lawful basis, such as explicit consent from the data subject. Data controllers (the entity that determines the purposes, conditions and means of the processing of personal data) must ensure that any further processing carried out by third-party vendors (processors) is compatible with the original legal basis, and must apply safeguards such as encryption. If financial institutions work together with non-EU organisations, they need to make sure their client data stays well protected.
What are the risks of non-compliance?
Companies that do not comply risk being fined up to €20 million, or 4% of their worldwide annual turnover of the prior financial year, whichever is higher. Less serious violations, such as keeping improper records or failing to notify breaches, can be fined a maximum of 2% of their annual global turnover, or €10 million. Since the GDPR requires data controllers to communicate a personal data breach to the data subjects if it is likely to result in a high risk to the rights and freedoms of natural persons, companies will also face serious reputational damage in case of a data breach. According to a recent poll, many within the financial sector believe that banks will be among the first organizations to be audited for GDPR compliance.
What security measures does the GDPR recommend to protect personal data?
The GDPR prescribes that controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including for instance the pseudonymization and encryption of personal data. Moreover, the GDPR outlines the principles of Data Protection by Design, which means organizations must develop data protection processes and products with privacy in mind from the ground up, and Data Protection by Default which ensures that only personal data that are necessary for each specific purpose of the processing are processed.
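As an added illustration of the measures named in the paragraph above (this is example code written for this page, not code from the original article or from Tresorit), the following Python sketch shows keyed pseudonymization of an account number, per-purpose data minimization and a storage-limitation check. The key, the purpose names, the field allowlists and the sample records are all constructed assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed example key. Under GDPR Art. 4(5) the pseudonymization key is the
# "additional information" that must be kept separately from the pseudonymized
# data; in production it belongs in a KMS/HSM, never beside the records.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# Data protection by default: each processing purpose gets an allowlist of the
# fields it actually needs (assumed purposes and field names). Anything not
# listed, such as name or e-mail, is never copied into that purpose's dataset.
PURPOSE_FIELDS = {
    "fraud_detection": {"amount_eur", "merchant_country", "timestamp"},
    "customer_segmentation": {"amount_eur", "timestamp"},
}

# Constructed reference time and sample records (not real customers).
REFERENCE_NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"account_number": "EXAMPLE-ACCT-0001", "name": "Example Customer A",
     "email": "a@example.invalid", "amount_eur": 120.50,
     "merchant_country": "FR", "timestamp": "2018-05-01T10:00:00+00:00"},
    {"account_number": "EXAMPLE-ACCT-0002", "name": "Example Customer B",
     "email": "b@example.invalid", "amount_eur": 40.00,
     "merchant_country": "DE", "timestamp": "2015-01-01T10:00:00+00:00"},
]


def pseudonymize(identifier: str, purpose: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a keyed pseudonym for a direct identifier such as an account number.

    A keyed HMAC is used instead of a plain hash: account and card numbers come
    from small, structured spaces, so an unkeyed digest could be matched back to
    the original by anyone holding a list of candidate numbers. Binding the
    purpose into the message gives each dataset its own pseudonym, so datasets
    cannot be joined on the pseudonym without the key.
    """
    message = f"{purpose}\x00{identifier}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def minimise_record(record: dict, purpose: str) -> dict:
    """Keep only the fields the purpose needs and replace the direct identifier."""
    allowed = PURPOSE_FIELDS[purpose]
    out = {k: v for k, v in record.items() if k in allowed}
    out["customer_ref"] = pseudonymize(record["account_number"], purpose)
    return out


def is_past_retention(record: dict, now: datetime, retention_days: int) -> bool:
    """Storage limitation: True when the record is older than the retention period."""
    recorded_at = datetime.fromisoformat(record["timestamp"])
    return now - recorded_at > timedelta(days=retention_days)


def build_dataset(records: list, purpose: str, now: datetime, retention_days: int) -> list:
    """Drop expired records, then pseudonymize and minimize the rest for one purpose."""
    return [minimise_record(r, purpose) for r in records
            if not is_past_retention(r, now, retention_days)]


if __name__ == "__main__":
    # Two-year retention is an assumed policy value for the demonstration.
    for row in build_dataset(SAMPLE_RECORDS, "fraud_detection", REFERENCE_NOW, 730):
        print(row)
```

The fraud-detection dataset produced from the sample records contains one row: the 2015 record falls outside the assumed two-year retention period and is dropped, and the surviving row carries a pseudonym plus the three allowlisted fields, with the name, e-mail address and account number absent. Re-identification is possible only for whoever holds the separately stored key.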
How can Tresorit help you towards GDPR compliance?
⇒ Tresorit’s end-to-end encryption protects personal data against the risks of the cloud. Since Tresorit has no access to your encryption keys or to the personal data you manage in your files, even if Tresorit’s servers were hacked, no one could read the personal data in your files. Because any data obtained would be unintelligible, Tresorit can protect you against confidentiality breaches (unauthorised or accidental disclosure of, or access to, personal data) and against integrity breaches (unauthorised or accidental alteration of personal data).
⇒ Tresorit’s Admin Center enables you to set up security policies to avoid accidental data breaches caused by employee errors. The owner and admins of a Tresorit Business Account can apply policy templates to a set of users and define different policies for each template, such as two-step verification, IP filtering, timeout policies, and sharing policies. Tresorit also enables admins to monitor and decide which devices may be used to access files within their company, and from where users may log into the company account, to safeguard business-critical documents. Furthermore, Tresorit Advanced Control enables Tresorit Business admins to enhance the security of their organization by resetting their users’ lost passwords and revoking access from lost or stolen devices. This way, you can minimize the risk of a data breach originating, for example, from a stolen device, as Tresorit lets you log out from devices remotely and wipe the files in case a device gets lost or stolen.
⇒ Tresorit helps you to ensure and demonstrate data confidentiality and integrity with permission settings that control that personal data is shared only with those who really need it for their work. Tresorit DRM adds a further layer of control by extending security and control to files even after they have been shared and downloaded locally.
⇒ Tresorit’s link-based file sharing enables you to replace insecure email attachments and other file transfer methods and to share financial documents securely with internal users and clients. Your clients can instantly access important business files without downloading any software or creating a Tresorit account. In addition, it gives you control over the shared files, as it allows you to set download limits, expiration dates, or even a password for extra protection. Links can also be revoked in case they are accidentally shared with the wrong person. A data breach that would otherwise result from sending an attachment with personal data to the wrong recipient can thus be mitigated.
⇒ Tresorit allows you to work securely from anywhere on any device. You can access, review and edit files on your smartphone or tablet wherever you are. Files and folders are synced and encrypted automatically, without you noticing it. When you upload your files to Tresorit, nothing leaves your device unencrypted. End-to-end encryption keeps your file content private even when you send or download files on the go.
⇒ Tresorit helps you make your cloud-based collaboration GDPR-friendly with EU datacenters and legal guarantees. Tresorit keeps your data in secure, EU-based data centers that are audited for ISO27001:2005, SSAE 16 and several other certifications. Furthermore, Tresorit provides a Data Processing Agreement (DPA) with legally binding data protection guarantees to help you demonstrate your compliance to clients and data protection authorities.
With Tresorit’s end-to-end encryption and wide range of security features you can minimize the risk of data breaches and implement the principles of privacy by design and by default. Tresorit can help you avoid the notification requirement that would apply in case of a data breach, and you might also avoid fines of up to 4% of your global annual turnover. Using Tresorit can also enable you to show your clients that their security matters to you and that you are taking serious steps to protect their personal data.
The materials available on this website are for informational purposes only and do not constitute legal advice. To obtain advice with respect to a particular issue, you should contact your attorney.