The threat posed to the reputation and bottom line of banks by the European Data Protection Regulation is very real and financial institutions need to be ready now to mitigate its potential effects.
The Regulation, which updates the EU’s 1995 Directive, will have wide-ranging implications for anyone holding customers’ personal data, but particularly for banking groups, which tend to hold customer data in many different places and are typically seen as an easy, and popular, target for regulators.
And with it widely rumoured that the Regulation will seek to make examples of offenders early on, it’s important that the preparation is watertight. Centralising, securing and making customers’ personal data speedily available is no longer just an option; it’s a legislative requirement.
Inadequate preparation could have dire consequences. While strengthening the rules relating to the storage of customer data, the Regulation also introduces more stringent penalties for violations. Fines ranging between €100 - €500 million or between two and five per cent of global revenue have been mooted and look set to pass into law in early 2016. The harmonisation of ‘naming and shaming’ laws will result in further reputational damage.
So what will financial services institutions have to do to keep compliant?
If an organisation holds data pertaining to European-domiciled customers then it is bound by the Regulation, which will tie it to a set of rules aimed at harmonising data protection laws across the EU member states and placing the ownership of data back into the hands of the citizen, rather than the institution that controls it. Data controllers will be obliged to:
- Provide customers with a copy of every item of data relating to them within 72 hours of a request being made.
- Be able to delete all data relating to a customer.
- Meet “reasonable expectations of data privacy”, which suggests encryption or partial encryption.
- Continue to meet requirements around data retention while maintaining the same standards of security that relate to live data.
- Opt for systems that meet the ‘privacy by design’ requirement.
- Ensure that written processes are in place and adhered to that safeguard the organisation from allegations of improper data handling, or of data processing that does not conform to the rules. Those rules mean that data may only be processed with the customer’s consent, to fulfil a contract, for compliance purposes, or if it can be demonstrated that the processing is in the public interest.
A document management solution, powered by Microsoft SharePoint, from Equiniti, can help organisations meet the requirements of the EDPR. Not only is SharePoint ideally placed as a solution that can unify the documents and data relating to your customers in a secure and centralised manner, allowing you to manage them compliantly, it is easily deployed and runs on assured Microsoft technology. In addition, Equiniti’s hosting solutions allow you to archive data in a cost-efficient manner while ensuring that you remain compliant.
Equiniti is a specialist provider of document management services, processing 88 million documents in 2014, working with 55 million financial services brands across the UK and securely hosting 1PB of data across our two, highly accredited, datacentres.