GDPR has officially been on the books for a few months now. So what do the new regulations mean for the world of finance?
First, let’s back up for a minute. It’s worth underlining that the finance industry remains uniquely vulnerable to cyberattacks.
Why? Commercial banks and other financial firms handle rich data troves of lucrative private information. That factor alone makes companies in the industry a whopping 300 times more likely to be successfully attacked than businesses in other sectors, according to a recent study of the impact of cybersecurity incidents on financial institutions.
Those cyberattacks take a toll. Hacked financial institutions will often see steep drop-offs in consumer confidence, alongside (or leading to) losses in sales and revenue. And that’s really where the industry could feel a major sting from the GDPR.
That’s because the penalties for non-compliance with the GDPR, which obligates firms to protect the personal data of their customers, are among the steepest baseline fines ever imposed by a regulator: up to four percent of an organization’s annual global turnover or 20 million euros.
As an aside: even before the GDPR, the cost of dealing with a data breach was nothing to sneeze at, with the average data breach costing the financial industry some $336 per record. Mega data breaches, like this year’s Exactis data breach, can expose hundreds of millions of records.
What’s to be done then? First of all, if you haven’t already, start by acquainting yourself with the new regulations, with the aid of legal counsel. To cite just one example, the GDPR takes a pretty expansive understanding of personal data, defining the term as any information relating to an identified or identifiable natural person (or data subject).
And what’s an identifiable natural person? According to the GDPR, an identifiable natural person is someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Finally, given the combination of stricter oversight and steeper (potential) penalties, financial institutions really need to prepare for a potential data breach. For a financial company subject to GDPR rules, however, doing so requires more than a one-size-fits-all data breach plan.
Instead, you’ll need a robust GDPR-specific personal data breach response plan to minimize the risk and ensure compliance. Not sure how to get started? Download our handy, step-by-step guide to putting your GDPR personal data breach response plan together.
For more crisis planning content, follow @teamnoggin on Twitter