A regulatory framework for the digital era?

Despite GDPR now a reality, many UK businesses still have their head stuck in the sand rather than face the reality. Paul Holland, CEO of cyber security innovator Beyond Encryption, considers how GDPR will change the way we do business, and what financial advisers can do to make sure they’re compliant.

  • Since the invention of the computer our appetite for data has skyrocketed
  • GDPR set out the rules for privacy and sensitivity in the processing and control of data on behalf of our clients.
  • The potential penalties from the regulator for a breach could be catastrophic

Over the past thirty years technology has expanded exponentially, but regulation has struggled to keep up - enter The General Data Protection Act (GDPR), which sets out to bring data protection regulations into the digital era.

Since the invention of the computer our appetite for data has skyrocketed - ninety percent of the data in the world today has been created in the last two years alone.  However, our legislative framework has been ill-equipped to work out how we should be managing this tsunami of information.

And so, in 2016 the EU adopted GDPR, which after a two-year transition period came into force on Friday 25 May. It was established to set out the rules for privacy and sensitivity in the processing and control of data on behalf of our clients.

As a consumer, we can see the importance of making sure businesses are correctly using and storing our data – from protecting our private information to stopping unwanted communication, but from a commercial standpoint the practical application of these regulations will have far reaching consequences, particularly for financial advisers as our financial and medical information are exceptionally sacrosanct in terms of sensitivity.

Anything a company does that involves ‘personally identifiable data’ on a specific individual must be reviewed.  This can potentially extend as far as the IP address associated with an individual’s online activity and a numerical label assigned to each device connected to a computer network; the small print could become very important very quickly.

The potential penalties from the regulator for a breach could be catastrophic, for reputation, but also financially. There are two tiers of fines depending on business size and turnover, up to €10 million / 2% of annual global turnover or up to €20 million / 4% of annual global turnover – whichever is higher.

Now that 25 May has been and gone, it is important to consider the Data Protection Act (DPA) which was first introduced in 1998, and has seen its fair share of use. Indeed, many of the principles laid down in the DPA are mirrored in the GDPR but, under the DPA, many parties were able to continue with certain activities which, as of the end of this month, will be likely to attract ‘game changing’ fines. 

It is imperative that organisations, as especially those that provide financial advice, are clear about where their customer data lives.  In many cases it is hosted by a third-party service provider (data ‘at rest’) so an audit or asset register noting where this data is located and who has access to it will be imperative.

Obligations extend well beyond data ‘at rest’ though. When communicating with clients or contacts using email, employing encryption where sensitive data is concerned is critical. There have been numerous incidents reported where monies are redirected because emails have been intercepted by cyber criminals.

But the ICO has also confirmed that encryption alone is simply not enough. Sending sensitive information securely to the wrong person is as likely to create a data leakage claim as sending it in the clear by normal email. It’s vital therefore that any solution deals with encryption, identity AND the ability to decide where your data lives.

When we dispatch an email, it is subject to multiple hops’ as it traverses the internet before it reaches a recipient.  This is what techies refer to as ‘packet switching’. On its travels, and unless protected, it remains open to others to view the content in much the same was as sensitive information contained within a postcard in the traditional post system. In the latter instance, that postcard may travel through many sorting offices before it arrives at an address with no means of confirming that the intended recipient actually receives it.

Secure email may offer the only economical way of dealing with Subject Access Requests, as laid out in the GDPR legislation.

After all, if an individual is going to exercise their right to receive a copy of the data you hold on them, it will be paramount to ensure that no-one else subsequently has access to that information for fear of the idea that a GDPR infringement takes place whilst fulfilling such a request.

The financial and reputational damage that can follow a data breach is clearly evidenced through incidents such as Talk Talk, Experian and now Facebook to name but a few so neither inaction nor ignorance are an option if the financial advice industry is to steer clear of the wrath of GDPR in the future.