Increasingly, in a digital and social age of unprecedented user empowerment, personal data breaches can spell the end of brand integrity and customer confidence.
At a time when information security scandals frequent our headlines (think cases like Equifax and TalkTalk), regulators have responded by toughening up on data protection laws.
Andrew Watson, head of regulatory change at JHC, discusses the implications of the new General Data Protection Regulation (GDPR) regulations, and how you can prepare for the 25th May 2018 deadline.
For many businesses, MiFID II and GDPR can be daunting.
Certainly, understanding the responsibilities that they enforce is a complex task, and invites discussion about how businesses can effectively operate in compliance with both legislative frameworks.
At a glance, MiFID II and GDPR might seem contradictory to one another.
Whilst aspects of MiFID II address the need to collect and share information with investors, GDPR emphasises the importance of holding minimal data, protecting what data you do hold and not doing anything with your customers’ data that they aren’t aware of.
However, what people fail to recognise is that GDPR does not forbid the disclosure of customer information; it simply sets rules in place for the way in which this information is shared.
The basic objective of GDPR is to enforce stronger data security, consent and privacy rules when it comes to looking after the personal data of customers.
With the right control processes and communication systems in place, you can work efficiently and effectively under both policies.
How will GDPR impact your business?
GDPR applies to all organisations that process the data of EU citizens, regardless of whether the actual processing takes place within the EU or not.
Don’t be fooled by the fact that it is an EU directive; the UK government has already confirmed that it will implement the new law regardless of Brexit negotiations.
Failing to comply with the new regulations could result in a significant penalty.
In short, you can be fined up to 4% of annual global revenue, or 20 million euros, whichever is greater. This is a huge increase: Oliver Wyman predicts that the fines could amount to $6 billion in the first year.
Notably, the highest fine to date under current data protection rules stands at £400,000, issued to TalkTalk last year for a breach of 150,000 customers’ personal information in 2015.
Additionally, it is important not to pigeon-hole GDPR as an ‘IT problem’. It affects everyone in your business, from customers to shareholders and employees.
The new regulations will impact day-to-day operations and decision-making processes, so make sure you get GDPR savvy before the 25th May 2018.
What initial steps can be taken to prepare for the deadline?
1: Map your organisation’s data
Ask yourself the following: Do you know where all your data is? Is it locked on a secure system, or is some of it in a spreadsheet on an employee’s laptop on the kitchen table? Or left on the 18.03 to Woking?
If you are unsure, you need to map all of the personal information that your business holds and identify where it resides, who can access it and potential risks.
If your organisation doesn’t need the data or does not have consent to use the data then stop holding it. The less data you hold, the less the chance of a breach.
2: Put controls in place
The following step is to establish multiple lines of defence within your business. Implementing security measures and procedures for handling personal data throughout your infrastructure will help to contain and prevent any potential security breaches.
Also make sure that the correct safeguards are applied and understood by external organisations that you collaborate with, such as suppliers and third-party data processors.
3: Ensure your data protection officer (DPO) is trained
Under GDPR, the DPO has a greater responsibility to monitor and ensure an organisation’s compliance with regulation, and to report directly to senior management.
This can help to reinforce accountability for data protection within your business, but with Deloitte estimating that there will be 28,000 new DPOs in Europe alone, organisations need to ensure theirs is up to scratch.
4: Have a plan of action if a data breach occurs
If a data breach occurs, you need to have a step-by-step plan so that everyone is aware of the escalation process. You’ll need to:
Directly inform the Information Commissioner’s Office (ICO) within 72 hours of a data breach where it is likely to result in a risk to the rights and freedoms of individuals
Advise the ICO what you are doing to contain the breach
Learn from your mistakes: identify and inform the ICO of measures you’re putting in place to stop it occurring again. The ICO’s fines will take into account your processes and your willingness to cooperate.
You will need to inform the customer if the data breach has affected their rights. If you are unsure, the ICO will likely advise you when to contact them.
5: Secure your communications
On the face of it, it can seem like technology is the problem when it comes to data protection.
However, technology platforms that use centrally controlled and secured data can provide your users and investors with real time information that is more dynamic and in-depth than any printed report - and, if done right, does not leave unencrypted data behind on any devices outside of your network.
This can significantly improve communication with your customers.
Notably, MiFID II doubles the demand of providing valuation and performance reports to keep investors informed. To do this, data needs to leave your network.
Let’s consider the options: sending documents via email isn’t secure, and sending out printed packs is not only a huge expense for your own pocket as well as the environment, but also presents an extremely high-risk event when hard copies go astray.
The solution? By providing customers with access to a secure web portal where they can download their own copy safely, you maintain control of the data right until the point where it’s received directly by the customer - not to mention huge savings with reduced printing and postage costs.
Once in place, this platform becomes a two-way method of communication that helps to build and retain relationships with your customers, keep them better informed and ensure their data is safe and secure.
Although there can be resistance from some customers to switch to electronic forms of communication, this is a trend that is rapidly changing the landscape of data protection.
There’s an up and coming generation of millennials who will one day be your customers, and who will expect secure, two-way, digital channels as their primary method of communication.