As detailed in its 2017 investigative report, Verizon has found that 24% of all data breaches affected financial organisations, the worst figure among several sectors including healthcare, public sector, retail and accommodation. Even worse, data breaches have been on the rise since 2016 in financial services. Banking organisations might think they have the basics covered, but this is not the case. With the entry into force of the General Data Protection Regulation (GDPR), which gives a new value to personal data, the stakes are higher: banks need to take control of their data in order to prove their compliance with data-protection principles by putting natural persons first - be they clients or employees.
From a GDPR perspective, a data breach does not need to have been detected for a bank to be sanctioned: simply failing to be prepared for breaches is reason enough for severe penalties. This preparation should cover a range of technical and organisational controls, chosen according to how the bank quantifies the risks to data subjects. For example, such controls may include: keeping a register of personal data processing activities; appointing a data protection officer where required; issuing privacy notices to clients and staff; allowing data subjects to exercise their rights; and maintaining robust information security practices and staff awareness of data protection.

In the banking sector, different types of client interaction give rise to different types of GDPR risk. Private and retail banking, as well as wealth management services, essentially deal with natural persons more than corporate, asset management and investment banking services do. This means that the former may handle more sensitive data about individuals, and must interact with them in less structured ways than the latter, which deal mainly with legal entities. Of course, there are risks to individuals in both cases, and it is essential that financial organisations understand that documenting the decisions made about GDPR risks is just as important as implementing actions to mitigate those risks. Why? Because data-protection authorities want to see that banks are in control of their data and systems. For this reason, the GDPR is just the starting point for better and more advanced data management and data-centric services that customers will trust more than ever before.
Some enhanced/new requirements
The GDPR contains new regulatory requirements and heightens existing ones. Some key requirements are outlined below.
Partner, Regulatory Advisory Services, PwC Luxembourg
Tel: +352 49 48 48 4173