GDPR post Brexit and the impact on financial services
By Ian Osborne, UK & Ireland VP, Shred-it
October 31st has been and gone. Yet despite the Prime Minister promising to deliver Brexit by this date, the UK remains part of the EU at least until January 31st 2020, following last week’s confirmation of the extension. And even then, it is still not clear exactly what will happen, as MPs are interrogating the deal while preparing for a General Election on 12th December.
Like many industries, financial services have felt the effects of uncertainty surrounding if, how and when the UK will leave the EU. With London the epicentre for financial services in Europe, the wider potential impact is enormous.
The biggest fear amongst the business community has been that global companies will move their operations from the UK to other countries within the Eurozone. Another cause for concern has been that companies will increasingly pause or divert investment in the UK, leaving Britain’s economy in stagnation.
On a more operational level however, there remain questions around EU regulations and how Brexit will impact financial services businesses from a regulatory perspective. Take data protection, which was brought to attention last year with the introduction of the EU’s GDPR, and is today a big challenge for the industry.
According to data from the Ponemon Institute in 2017, financial services companies that experienced an information breach suffered the highest cost per capita of any industry, at £154. Furthermore, data left in insecure locations was the number one source of reported incidents in the finance sector in the UK (PwC for the ICO 2017).
Guidance from the Information Commissioner’s Office has recently confirmed that most of the data protection rules affecting businesses will remain the same post-Brexit. The good news is that financial services companies that comply with GDPR and have no contacts or customers in the EEA (which constitutes EU countries plus Iceland, Norway and Liechtenstein) don’t need to do much more to prepare for data protection after Brexit.
However, organisations that receive personal data from contacts within the EEA must take additional steps to ensure they are fully compliant after Brexit, which may require designating a representative in the EEA.
Brexit aside, there remain questions as to how compliant with GDPR businesses are across the UK, despite it being a year since the legislation was introduced. Financial services organisations that saw the introduction of GDPR as an opportunity to get their data house in order and to improve the quality of the personal data they store are certainly reaping the benefits of last year’s GDPR efforts.
To assess the attitude of businesses in general, Shred-it commissioned a survey of 1,439 UK-based SMEs (under 500 employees) which found that 72 per cent of respondents said they were very aware of GDPR.
While this presents positive news, the biggest concern is whether that confidence in GDPR-readiness is justified. Less than half (45 per cent) of the firms who said they were ready to deal with data protection requirements also said they had reviewed their policies recently. Just over a third had contacted their customers to confirm consent to data use, less than a quarter had published a privacy notice, and just over two in 10 had reviewed, deleted or destroyed personal data.
These results suggest that businesses across all sectors – including financial services – need to take a more proactive approach to data protection.
So how can financial services firms ensure they are GDPR compliant?
Keep up to date with privacy laws
First things first. Businesses must stay up to date with privacy laws and understand what action – if any – they need to take to comply – particularly post-Brexit. Clear guidance is provided by the ICO website.
Customer communication has changed
Since the introduction of GDPR in 2018, financial services companies have had to rethink their strategies for communicating with customers. For example, customer e-marketing activities, such as newsletters, now require assessment post-GDPR and businesses must seek permission from customers to store their personal data and contact them with offers and promotions.
Protect your digital data
It’s important to remember that data protection covers both digital information and paper records. For digital data, financial services firms can take simple measures to ensure they are compliant with GDPR, including setting secure usernames, passwords and PINs for all devices, installing anti-virus software and a firewall on hard drives, avoiding posting confidential files on social media platforms, and avoiding opening files or links from an unknown sender.
Don’t forget paper records
Not everything you collect, store, or handle is digital. When financial forecasts or year-end results are printed for a meeting, or when reports and agendas are circulated, they are at risk of getting into the wrong hands if they are not handled and disposed of properly and securely. Best practice should include the provision of locked confidential information consoles that are easily accessible, and company-wide policies that encourage a clean desk at night.
Business leaders should also be arranging for the secure destruction of documents after use or after prescribed periods of mandated storage, keeping only digital copies of essential files in an encrypted format.
Educate staff on data protection policy
In an industry that relies on privacy and confidentiality, the reality is that many information breaches happen not because of inferior firewalls or passwords, but because of employee error, negligence, or poor judgement. You may be doing everything you can, but one employee casually dropping a draft financial report into the recycling can undo everything.
Financial services companies must have a strict policy on how to identify, handle and securely dispose of confidential information that is communicated clearly to all employees and updated whenever necessary to avoid a potential breach.