
GDPR: WHAT GLOBAL FINANCIAL SERVICES ORGANIZATIONS NEED TO KNOW

WHITEPAPER

INTRODUCTION

Data protection laws in Europe are more important than ever—individuals are increasingly sensitive about privacy, data protection breaches are daily headline news, and the regulatory landscape is toughening up.

Along with changes in data protection laws, the world of financial services regulation is also changing. Regulators are scrutinizing more intensely the way financial services organizations hold and manage data—particularly when the actions of the organization could expose customers to identity theft. As a result, financial services organizations face a challenging environment for the foreseeable future.

The past few years have brought significant developments in data protection, including increased exercising of rights and more aggressive enforcement by national regulators. The biggest change to the data protection landscape is now taking place with the introduction of newly revised rules. Many significant changes will come with the EU’s General Data Protection Regulation (GDPR), and data protection should be high on your compliance checklist.

A NEW DATA PROTECTION LANDSCAPE FOR THE EU

The new rules make European Union (EU) privacy laws fit for the 21st century. There is a major emphasis on enforcement, with increased fines of up to €20 million or 4% of an organization’s annual global revenue (whichever is greater). In addition, the GDPR introduces data breach reporting requirements similar to those that exist in most US states, often with a deadline of 72 hours from detection of the breach.

EU data protection rules prior to the GDPR were a reflection of their time. They came into force in 1995, when the internet was still in its infancy and only about 1% of people were online. Much has changed, and now we collectively create, send and store huge amounts of data, which can give rise to serious data security breaches that impact all sectors through reputation loss and regulatory actions.

The financial services sector has been affected in its own way. For example, the effects of the financial crisis of 2008 caused the EU to issue some 40 new pieces of financial legislation over a six-year period. As a result, the European Data Protection Supervisor (EDPS), an independent EU supervisory authority whose responsibilities include advising on legislation and policies that affect privacy, issued new guidelines responding to concerns about the onslaught of financial legislation.

OVERVIEW OF THE REGULATION

The new rules should be considered a reform rather than a refinement of current data protection rules. The GDPR is a recognition of a political impetus to have tougher laws, as many people care more about data and breaches than they did 20 years ago. The political fallout of the Snowden and WikiLeaks revelations should not be underestimated. That tide of opinion has influenced the courts—for example, the Google “right to be forgotten” case in 2014 and the Schrems “Safe Harbor” case in 2016—and it will influence the law on a much wider scale in the future.

GDPR SECURITY BREACHES

If a data breach is likely to result in a risk to the rights and freedoms of data subjects, the GDPR requires data processors (such as vendors) to notify the data controller (such as a financial services organization) of the breach without undue delay. The data controller is in turn required to report the breach to a data protection regulator within 72 hours of becoming aware of it. Any delay beyond 72 hours must have a reasoned justification. In addition, data controllers must notify data subjects without undue delay after becoming aware of a breach, if that breach is likely to result in a high risk to their rights and freedoms. The primary responsibility to report a security breach to data protection regulators and data subjects will be on the data controller, but many breaches occur within vendors’ operations. As a result, vendors must be contractually obligated to notify financial services organizations in a timely manner, to allow them to meet their own reporting obligations.

Data security breaches within the financial services sector have been widely reported in the press in recent years. In the UK, the Information Commissioner’s Office (ICO) compiles statistics on security breaches, which are likely to be underestimates as there is no general data breach reporting requirement. The ICO’s figures put financial services fourth of 10 on the top-offenders list. As a vulnerable sector, financial services will have to take special care to put in place adequate policies, procedures and training to ensure that breaches are reported within the 72-hour period. In addition to reporting a breach to data protection regulators and to the individuals and/or companies affected, organizations may need to notify financial services regulators and other financial services companies.


A SINGLE SET OF RULES

Two of the complaints about pre-GDPR data protection rules were inconsistent enforcement and discretionary implementation that varied between EU member states. As a result, global organizations had to comply with different rules and laws in each EU member state where they did business. A key aim of the new rules is to streamline and unify the enforcement process across Europe. While the GDPR allows member states some leeway in creating additional rules and determining how to deal with existing data protection laws, the main set of laws and compliance structure is cohesive and unified.

The single set of rules is expected to save organizations money and time. The ICO estimated that the new rules will result in business savings of around €2.3 billion per year. The ICO has been reluctant, however, to provide any details on these cost savings.

ONE-STOP SHOP

A very important aspect of the GDPR is that an organization should have to deal with only one data protection regulator, officially referred to under the new rules as a (national) “supervisory authority.” However, the reality is more complex.

• If an organization carries out data processing activities that affect multiple EU member states, the supervisory authority in the EU member state where the organization is based will take the role of “lead supervisory authority.” Other member states’ regulators may also be involved, however.

• A national supervisory authority will have apparent sole competence to regulate when either a data protection complaint is made to that supervisory authority or there is a possible infringement of the regulation, where the issue either relates only to the organization located in the member state of the supervisory authority or substantially affects data subjects located only in that member state.

Those in financial services operating in different EU countries should pay attention to other member states’ regulations, as their pronouncements can be quite specific. For example:

• Banks should accept the data in identity papers as authentic and not require photocopies for further verification.

• Banks should not process data on the criminal background of prospective customers in order to conclude loan agreements.

• After a negative credit score, customers must specifically consent to the processing of their data.

Finally, it is worth noting that under the new rules there is no longer a requirement for a data controller to register with a data protection regulator for basic data handling. However, when data processing activities would result in a high risk in the absence of measures taken by the organization as data controller to mitigate the risk, organizations will be required to engage with a data protection regulator and perform a “data protection impact assessment.” Under the 1995 directive, organizations can voluntarily carry out a privacy impact assessment process in order to identify, understand and address any privacy issues that might arise when developing new products and services, or doing any other new activities that involve the processing of personal data. Under the GDPR, this process has been redefined and will be mandatory in certain circumstances. It will work as follows:

• First, organizations will have to conduct a data protection impact assessment before proceeding with “risky” personal data processing activities in order to consider the likelihood and severity of the risks—more specifically, these are activities which present “high risks for the rights and freedoms of individuals.”

• Second, if the organization in question cannot find ways to mitigate those risks, then the organization must consult with a data protection regulator to try to find remedies to deal with these risks.

UNDERSTANDING THE NEW PENALTIES

There are three material differences in the new data world. First, there has been a significant increase in the amount of personal data held by organizations, including sensitive personal data about employment, home life and health. Second, there have been many serious data security breaches; hardly a week goes by without a report of another major breach. Third, regulators are realizing the dangers in the modern mobile world.

Many breaches occur outside the office environment, with lost or stolen laptops, papers or devices left on trains or in other public spaces, and inadequate security training for modern ways of working, including telecommuting. Regulators are also becoming increasingly concerned about lax cybersecurity, as cyberattacks are now a fact of life, and regulators expect organizations to put up proper defenses or face the consequences.

Under the new rules, data protection regulators have the power to impose higher fines for infringement. Three ranges of fines will be applied, in relation to three different categories of infringements, with the largest ones skyrocketing up to €20 million or 4% of total worldwide annual revenue (whichever is greater).

For example, one organization received a fine of £250,000 from a UK regulator in 2013 for failing to prevent a cyberattack. Based on its 2014 revenue, that company could be fined up to £198 million under the new rules. Because the fee for data protection registrations is abolished under the GDPR, fines will be the main source of income for data protection regulators.

WHERE DOES IT APPLY?

The new law applies not only to organizations located within the 28 member states of the EU, but also to businesses geographically situated outside the EU in cases where:

• A business processes the personal data of EU residents and offers them goods and services, irrespective of whether payment is required; or

• The processing by a business relates to the monitoring of the behavior of EU residents insofar as their behavior takes place within the EU.

For example, a US online payments processor—with all its offices in the US—that handles the data of EU residents can be investigated, fined and even prosecuted by an EU regulator. This applies not only to EU residents, but also to any natural person who is a data subject within a European Union member state.

Determining whether an organization based outside the EU is affected may prove challenging. Under the new rules, the fact that a company’s website or its email address is accessible in the EU will not be enough. However, other factors—such as the use of a language or a currency generally used in one or more EU member states—may be enough to indicate that an organization is offering goods or services to people in the EU and therefore bring it within scope. Additionally, an organization located outside the EU must have a representative in the EU if it falls within the new rules, even if the business does not already have an EU presence. The changes here are far-reaching, and EU regulators may find it a challenge to enforce this aspect of the rules in practice.


NEW RIGHTS

The GDPR introduces a number of new rights, including the right to portability (transmitting personal data from one data controller to another freely) and the right not to be subject to profiling (i.e., using data to evaluate personal aspects about an individual, such as analyzing or predicting their economic situation, health or performance at work).

There is also a statutory right to be forgotten, which is the right to have personal data erased “without undue delay” on certain grounds—for example, where data is no longer necessary for the purposes for which it was collected or otherwise processed.

Any organization that fails to remove personal data “without undue delay” following a request to do so faces penalties of up to €20 million or 4% of its global revenue (whichever is greater). Again, financial services businesses might have particular issues, especially where their obligations to hold onto data for regulatory purposes conflict with an individual’s right to request its deletion.

Companies will need more stringent data deletion policies and to be far more organized when handling data deletion requests. We have seen an increase in people exercising their data protection rights in the past year or so, and ignoring a data deletion request could be a very costly mistake. Part of the solution for large organizations will include the ability to manage data across the device estate to ensure rapid response and, if necessary, deletion.

Under the new rules, subject access requests will have to be answered within one month of receipt of the request, with the potential to extend by two further months. For example, under a pension scheme, the trustees are considered to be data controllers. The trustees should put in place a clear procedure and guidelines to deal with subject access requests. Under a subject access request, individuals have a right to access information about only themselves, meaning that any information given to an individual should be redacted to remove information about third parties. Responding to a subject access request can often be challenging, and the shorter deadline will force trustees to adapt their procedures and guidelines accordingly.

THE IMPLICATIONS OF BYOD AND WORKING REMOTELY

As well as the law changing, modern working practices create their own issues. BYOD (bring your own device) and working remotely increase the risks for an organization; even if an employee works from home or from his or her own device, the company will still be responsible for securing personal data.

For the majority of organizations, working practices have changed for good, and the idea of a mobile or remote workforce is commonplace. It is essential that policies and training be implemented that require employees to work in a more secure way. This could include the provision of better technology (such as secure internet tunnels) and better steps to protect mobile devices. More and more companies are moving to mobile devices and working remotely. One organization revealed that all of its employees work from laptops and that if all of them were present at the workplace at the same time, there would be seating for only 40% of them. If an employee’s tablet containing the details of 100,000 customers goes missing, there could be heavy sanctions if the organization is unable to remotely disable and/or wipe the device. Remote data and device security software can also prevent an errant employee from stealing or losing valuable company data.

CHANGING ORGANIZATIONAL RESPONSIBILITIES

The new rules say:

“With regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organizational measures, to ensure a level of security appropriate to the risk.”

So, what does this actually mean? In simple terms, the new rules oblige an organization to have security measures proportional to the risks. After a data breach, it will be hard to escape scrutiny—how will an organization be able to credibly say that it took appropriate security measures after a breach proves those measures to be insufficient? A detailed analysis will need to be done of the risks faced with particular sets of data and of the technology available to reduce those risks. On a practical level, every organization will have to do this on a regular basis; risks change, with new forms of attack cropping up almost every day. At the same time, new technological solutions may reduce some of these risks.


REPORTING DATA BREACHES

A personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In this new GDPR paradigm, data breaches become increasingly important, because a data breach compromises the data subject’s freedoms and rights—rights to privacy and personal anonymity without express consent to anyone in possession of personal data. To be sure, any data breach is, by its very nature, in conflict with the stated purpose of the rights guaranteed to EU residents and is contrary to the spirit and letter of the GDPR.

The new rules also contain two specific data breach regulatory requirements.

First, breaches will have to be reported against set criteria to a data protection regulator without delay and “where feasible” no later than 72 hours after a data controller has become aware of the breach, unless “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.”

This puts huge pressure on companies. If employees lose their smartphones containing customer details during a week’s vacation, then they are unlikely to tell the company until they return to the office (if at all). This means that there will be cases where a data breach occurred but went unreported within the mandated 72-hour period, making privacy class actions more likely. A failure to report a breach in time will increase the likelihood of a successful civil action by the victims.

Reporting a breach will most likely mean that the organization will have infringed upon its security obligation by failing to have “a level of security appropriate to the risk.” This obligation puts the onus squarely on the organization; a company cannot simply pass the responsibility for data loss to its employees or vendors. For example, if a device is lost, stolen or hacked, the company, not the end user, will be held accountable for any data that’s at risk.

Second, the breach must be communicated without delay to the person whose data has been breached, if the breach is likely to result in a high risk to their rights and freedoms. Exceptions to this communication obligation also apply, for example, where the data affected by the breach has been encrypted.

This means that if an employee loses a laptop that has 100,000 customer records stored on it, the company is obliged to inform every customer that their data has been compromised. The legal consequences could be considerable, and the brand damage, litigation and media reporting of an incident would all be significant. However, if a company has technology in place to prevent this data from being accessed by an unauthorized user, then the company could avert the disaster.

In terms of data security, organizations now face significant challenges:

• Tough reporting requirements;

• Greater responsibility to keep data secure; and

• Heavier fines.

Technology that prevents a data breach from occurring could be all that stands between a company and the wrong end of the law.

Best practices for the logistics involved in reporting a breach should be put in place as soon as possible. Under the GDPR, you may have to inform data protection regulators as well as the individuals concerned. Financial services businesses are likely to have additional reporting obligations after a breach—even if personal data was not compromised. You might have to report in multiple languages on different forms prescribed by each regulator. Legal advice will be very important, especially in the first 24 hours after the breach. You will also need good legal agreements in place to ensure that vendors cooperate and that they have enough financial incentive to help you. The logistics around handling a data breach are complicated, and the more you do now to make sure you have the information you need to report a breach, the better.

DATA PROTECTION OFFICER APPOINTMENTS

Another important feature of the new rules is that organizations may need to have a data protection officer (DPO) to deal with data protection compliance issues. This is required “where the core activities of the data controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of people’s data on a large scale.” It is also required when there is “core activity processing on a large scale of special categories of personal data,” namely those revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; and the processing of genetic and biometric data in order to uniquely identify a person, or data concerning health or sex life and sexual orientation. These special categories of data can be processed only under certain strict conditions, such as when consent has been given.

The DPO must be independent in the performance of their tasks and report directly to the highest level of management.

NEW OPPORTUNITIES

The new EU rules may also bring opportunities for some parts of the financial services sector, such as insurance. The new rules are stricter, which should mean that the cyber insurance market will find opportunities for growth as financial institutions seek risk mitigation.

Additionally, some insurers have avoided cyber insurance as they felt that sufficient metrics were not available for them to price their premiums. The greater reporting obligations of the GDPR should produce more data to help with this. While the US cyber insurance market has grown significantly over the years, the EU market has not grown so fast. These new laws may kick-start the London insurance market, in particular, and the introduction of new cyber insurance products.


NEXT STEPS

We know that the new data protection regime brings considerable responsibility and sanctions for companies that handle data. Financial services businesses carry more risk than most; the responsibilities are so great that it is important to get the correct advice and to act now. So, what should you do? Best practices that can be followed in order to prepare your organization include:

1. Thoroughly review vendor contracts—vendors’ help will be needed, especially in reporting security breaches very quickly. Organizations should make sure they have the contractual rights to insist on this, and they should make sure they can hold their vendors to account.

2. Prepare to update everything and ensure new detailed documentation and records are ready for regulatory inspection—factor this into overhead costs.

3. Review key practical aspects, from data retention, destruction, etc. to all means of collecting data used by the organization.

4. Ensure that new aspects such as explicit consent, the right to be forgotten and the right not to be subject to profiling are included in policies and procedures.

5. Put in place a data breach notification procedure, including detection and response capabilities; also consider purchasing special insurance.

6. If applicable, appoint a DPO.

7. Put in place a data protection impact assessment policy/procedure.

8. Create compliance statements for annual business reports.

9. Train staff on all of the above.

10. Set up and undertake regular compliance audits in order to identify and rectify issues.

There are considerable challenges in complying with the new rules. It will take some time to implement the necessary policies and infrastructure, and there will inevitably be some uncertainties. What is certain is that organizations must act now to ensure their compliance.

Evaluate your GDPR data risk today with a free assessment highlighting potential areas of exposure.

DISCLAIMER

The information in this white paper is provided for informational purposes only. The materials are general in nature; they are not offered as advice on a particular matter and should not be relied on as such. Use of this white paper does not constitute a legal contract or consulting relationship between Absolute and any person or entity. Although every reasonable effort is made to present current and accurate information, Absolute makes no guarantees of any kind. Absolute reserves the right to change the content of this white paper at any time without prior notice. Absolute is not responsible for any third-party material that can be accessed through this white paper. The materials contained in this white paper are the copyrighted property of Absolute unless a separate copyright notice is placed on the material.

ABSOLUTE FOR GDPR COMPLIANCE

GDPR compliance starts with visibility across every endpoint to ensure data protection for any personally identifiable information (PII). Learn how to improve your GDPR compliance with endpoint visibility and control.

Solution sheet: ABSOLUTE FOR GDPR COMPLIANCE: IMPROVE YOUR GDPR COMPLIANCE WITH ENDPOINT VISIBILITY AND CONTROL

© 2018 Absolute. All rights reserved. Absolute and Persistence are registered trademarks of Absolute. Self-healing Endpoint Security is a trademark of Absolute. All other trademarks are property of their respective owners. ABT-GDPR-What-Financial-Orgs-Everywhere-Need-to-Know-WP-E-053118

ABOUT ABSOLUTE

Absolute provides visibility and resilience for every endpoint with self-healing endpoint security and always-connected IT asset management to protect devices, data, applications and users — on and off the network. Bridging the gap between security and IT operations, only Absolute gives enterprises visibility they can act on to protect every endpoint, remediate vulnerabilities, and ensure compliance in the face of insider and external threats. Absolute’s patented Persistence technology is already embedded in the firmware of PC and mobile devices and trusted by over 15,000 customers worldwide.

EMAIL: [email protected]

SALES: absolute.com/request-info

PHONE: North America: 1-877-660-2289; EMEA: +44-118-902-2000

WEBSITE: absolute.com