GDPR was introduced last year to a flurry of newsletter reminders and concern over who would be hit with a fine of up to €20 million or 4% of global revenue (whichever was greater) for failing to comply. So what’s happened with the EU’s riskiest compliance legislation?
Eight Figure Fines
€56 million in fines, that’s the short answer. The long answer is a bit more involved: that figure was reached across 200,000 reported breaches, but most of it came from Google, which paid out €50 million to CNIL, the French data protection regulator. So it looks like financial institutions may be in the clear for now.
But while the Information Commissioner’s Office, the UK’s regulator for data protection, has yet to make any significant moves, CNIL has been quick to issue fines and hints that there will be plenty more to come, having called 2019 a transition year for GDPR violations.
There are plenty of commentaries online focused on what GDPR has achieved for the wider digital landscape. Given Google’s presence in the payments space there is some slight cause for concern, but the financial industry as a whole is surprisingly absent from any fines, an unusual state of affairs when so many newspapers relish reporting on them.
Even taking into account the exemptions, which you can find on our Knowledge Base page on GDPR, it’s unusual that no financial institutions have been caught up in enforcement, especially given the significant number of data breaches that have occurred across the industry.
Untested for Now
One reason is that GDPR is yet to be tested in court. Google is challenging GDPR right now, and it’s anyone’s guess how that turns out. But regardless of the outcome, a few things are certain to remain steadfast.
It’s widely recognized that security needs supersede privacy, and Article 6 of GDPR covers this quite thoroughly. The first major rule is to have a legal obligation to process that data (if you’re doing AML and CFT checks, then you do), and the second is to make sure that your data processor is transparent and airtight. That’s where Google tripped up, according to CNIL.
British Airways has also recently fallen foul of GDPR requirements. The airline is set to receive a £183M fine for a data breach, a fine that has certainly caused upset for the aviation company but represents only 1.5% of BA’s turnover in 2017, a far cry from the 4% that the ICO could go after. 500,000 customers had their personal data stolen from the airline’s website and mobile app due to poor security, proving that having the right security procedures in place is vital. Those procedures are standardized globally through the International Organization for Standardization (ISO).
The need for data processors isn’t going anywhere. A key complaint by CNIL was that Google’s data processing was not transparent enough, ironic given how clear the guidance on it is in the GDPR text. Luckily there’s an easy way for any and every company to remain compliant: pick a data processor with ISO 27001 certification.
ISO 27001 is a string of characters that is probably quite familiar to you. If it’s not, don’t worry. It’s just the name of a security certification that is required for all data processors handling your data; just make sure your processor has it.
The security certification is the global standard. It applies to all companies regardless of technology and vendor: an information security management standard that everyone processing data needs to adhere to and pass annual audits against. ComplyAdvantage holds complete ISO 27001 certification across all its data centers, with its most recent audit finding no minor non-conformances.
GDPR and AML Working Together
GDPR doesn’t need to stand in the way of your AML compliance, and it doesn’t want to. Financial services companies, in all their forms, were never the intended target. The focus is on the Googles of the world, whose products rely on customer data. GDPR just tightened up the rules a little bit. It’s a double-check on how secure the pipes carrying your data are, making sure nothing is leaking out. The easiest way to do that is with a data processor that’s ISO 27001 compliant.
So it’s a little over one year on and GDPR has resulted in some huge fines. But it hasn’t come near the financial industry, yet. One factor that’s sure to help any financial services company is to make sure that their data is processed by a regtech company that knows what it’s doing.
The real test will come 4 years from now when financial companies start bumping up against the right to be forgotten and GDPR Article 17(3)(b) comes into effect. Right now companies have to retain customer due diligence and transaction records for 5 years after the relationship ends, even if the customer has requested to be forgotten. Managing that data purge will be an interesting challenge for the industry.
GDPR remains the riskiest regulation for businesses, mainly because getting it wrong is so expensive. But it just means that companies need to find the right data processor to partner with, someone who can manage their data without hassle, using the best technology in the industry.
This blog was updated on 10/07/2019 to reflect British Airways GDPR fine.