London, GB 10 °C

Thursday, March 28, 2024

Opinion > Paragon

What does GDPR mean for cyber security in the banking sector?

By Marc Michaels, director of strategy and insight at Paragon Customer Communications | 07:27 Wednesday 15th November 2017

With the imminent arrival of the EU General Data Protection Regulation (GDPR), banks now have less than a year to overhaul the way they handle, protect and store customer data and, most significantly, ensure they have permission to do so .

GDPR – which comes into force in May 2018 – represents arguably the most significant change in data regulations for some 20 years, and will require the banking sector to bolster its data protection and cyber-security processes to avoid costly financial penalties and potentially negative reputational impacts.

Although the regulations have been widely accepted as a step in the right direction, they have also brought a unique set of challenges for the banking sector.

While a great deal of focus has been on the operational side of the equation, data cleanliness and protection, what's not often considered is another critical aspect of this data security reform: ensuring you have the proper legal basis to communicate marketing messages to customers which could entail considerable re-permissioning to gain proper consent.

By taking the necessary steps to re-permission data by re-contacting existing customers, financial institutions have a unique opportunity to cleanse existing data and remove contacts who are not interested in their services and solutions, and concentrate on those who are.

Re-permissioning is possibly one of the most important marketing campaigns banks will ever run and needs to be properly planned, created and delivered as a co-ordinated activity to ensure it is done correctly.

Equally fundamental from a cyber-security standpoint, banks must have a plan and process in place to reach out immediately to affected customers in the event of any data breach. The risks of data breaches are extensive for the sector. A gross violation of GDPR – such as poor data security leading to public exposure of sensitive personal information – could result in weighty fines of up to 4% of a company's global turnover or £17m, whichever is higher.

Under GDPR, organisations have a duty to provide a breach notification to the relevant supervisory authority within 72 hours of becoming aware of any notifiable breach. Such a notification should describe the nature of the personal data breach, including the number of data subjects, the approximate number of personal data records concerned and the likely consequences of the personal data breach. Organisations must also describe the measures taken or proposed to be taken to mitigate any adverse effects, which may involve notifying all or parts of your customer base promptly. Such a solution should be pre-planned and tested.

 

leave a comment

Your email address will not be published.