A looming data-privacy regulation holds significant implications for financial-services firms that store data in the cloud.
The General Data Protection Regulation, a European Union ruleset that takes effect in May 2018, is meant to protect EU residents from privacy and data breaches by reshaping how organizations that hold personal data ensure privacy. With most financial-services companies already underway on what is seen as an inevitable migration to the cloud, the two efforts need to be aligned.
“GDPR cuts across industries, but because financial services has so much sensitive data on people’s finances, it has particular applicability there,” said Patrick Lastennet, director of financial services at Interxion, a provider of European colocation data-centre services.
“Most banks and other financial services companies are taking GDPR very seriously,” Lastennet said. “GDPR is one of the top regulatory mandates that they are working toward as part of their cloud migration strategy.”
Breaches are a threat to any organization that stores data -- Equifax, Verizon and even the U.S. Securities and Exchange Commission have recently disclosed incidents in which data was compromised. Regulators can't prevent attackers from getting in, but they can make it more difficult for them by holding companies to a higher standard of data protection and accountability to customers.
GDPR replaces the EU Data Protection Directive of 1995 and, as a regulation rather than a directive, applies directly in every member state without national transposition. Some key tenets of data privacy remain the same, but much is updated to reflect the vastly increased prevalence of, and reliance on, data now versus then.
Specifically, the changes include a clarified territorial scope, so that GDPR covers any company processing the personal data of EU residents, regardless of where the company is located; stiffer penalties for non-compliance, with fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher; and clearer, stronger conditions for consent. Data subjects gain expanded rights spanning breach notification (the supervisory authority must be told within 72 hours of the controller becoming aware of a breach, and affected individuals without undue delay when the breach poses a high risk to them), access, erasure and portability. Separately, 'privacy by design' becomes a binding obligation on the organizations that hold the data: data protection must be built into systems from the start, rather than bolted on later.
Practitioners and experts generally say that, as a place to store data, cloud is more secure than a traditional on-premises IT environment, so cloud reduces the risk of the data breaches that are in GDPR's crosshairs. But meeting the ruleset's specifications gets tricky, because liability reaches beyond the entities that collect and use data. Under GDPR the cloud customer that decides why and how personal data is processed is the controller, the provider that processes it on the customer's behalf is a processor, and both carry obligations of their own.
Cloud providers “will have direct compliance risk and obligation,” Accenture said in a 2017 report. “Accountability for data protection cascades down through the data supply chain. Web-based companies will have to clearly define responsibilities and liabilities among solution partners.”
Companies will need to know what personal data they hold and where it is stored, and be able to demonstrate consumer consent, as baseline GDPR capabilities. They also need to ensure portability and erasure when stipulated -- as an indication of the work still to be done, Accenture said 84% of cloud providers do not immediately delete customer data upon contract termination.
“With 9 in 10 organizations reporting they are concerned about their ability to comply with GDPR, the liability risk is high,” Accenture said.
Financial-services companies -- at least the larger ones -- have GDPR on their radar, but there’s a lot to do over the next eight months.
“GDPR is a very complicated exercise for all – not only for financials, actually for all companies who have customer data,” Allianz SE Chief Financial Officer Dieter Wemmer said on an Aug. 4 earnings call. “We have built up a large project to be able to be compliant with everything, and I think we will be.”
Wemmer said the idea of leveraging data collated for GDPR as a business opportunity is worthy of follow-up, but “at the moment it’s much more the fight” to meet compliance deadlines.
The presence of third-party providers adds complexity to GDPR compliance, but in the bigger picture, cloud is seen as accelerating compliance for companies that must meet regulatory requirements.
“Regulators are becoming cloud friendly,” Accenture said in a report highlighting cloud adoption as a key trend for investment banks in 2017. “External, public cloud will bring an increased need to balance the demands for speed, agility and autonomy with security requirements, resulting in a renewed focus on encryption and obfuscation.”