The top 5 things financial services need to know about GDPR
Nick Saunders, cyber resilience expert, Mimecast Africa and Middle East.
Financial services providers handle large volumes of personal, and often confidential, information every day. As a result, companies in this sector have had their hands full preparing for the looming Protection of Personal Information Act (POPIA). But another piece of compliance legislation comes into force much sooner: the EU General Data Protection Regulation (GDPR), and for many it is not even on the radar. Gartner's report, GDPR Clarity: 19 Frequently Asked Questions Answered, predicts that when the regulation takes effect on 25 May 2018, fewer than half of the organisations it affects will be fully compliant.
This prediction does not seem far from the truth, especially locally. With GDPR a month away from full application, some businesses in the South African financial services sector remain unprepared, or unaware that they may need to comply with a European regulation at all. What they miss is that its reach extends well beyond EU borders: under Article 3 it applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU, whatever those people's citizenship, and it gives those individuals more control over and protection of their personal data.
A 2017 study conducted by Mimecast and Vanson Bourne found that 89% of surveyed South African organisations held both personal and sensitive data in their email systems. Financial organisations almost certainly hold the personal information of many European customers, including account details, ID numbers and credit histories, and they need to review and retool how they handle that data to ensure it is adequately protected. Think of a foreign exchange company that lets visitors exchange their currency for Rands: it will hold records on every European traveller who has used its services, and an effective ransomware attack, which renders that data unavailable or destroys it, would be catastrophic.
Recently, the Mimecast Email Security Risk Assessment (ESRA) showed that the existing email security systems of most organisations fail to detect and act on thousands of attacks. Since email holds such a large share of an organisation's data, leaving it exposed to these threats is deeply worrying. With so many email-borne threats slipping past existing controls, it is no surprise that ransomware is on the rise and data breaches have become commonplace. With GDPR in force, exposing the personal data of EU clients can mean a fine large enough to cripple an organisation, if not destroy it.
The regulation sets the maximum penalty for the most serious infringements at €20 million or 4% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83). Businesses that fall victim to cybercrime in the age of GDPR will therefore have to deal not only with the fallout of a successful attack, but with the prospect of severe regulatory fines as well.
With this in mind, if your company operates in the financial services sector, here are five important things to keep in mind regarding GDPR compliance and keeping your email secure:
1. Breaches must be reported
Today, when a data breach occurs, many organisations do their best to contain the news and, depending on its severity, keep it within the confines of the IT department. Under GDPR, a personal data breach affecting people in the EU must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it (Article 33), unless the breach is unlikely to pose a risk to those individuals; where the risk is high, the affected individuals must be informed as well (Article 34). Note that a breach is not only theft or exposure: the regulation's definition (Article 4(12)) also covers accidental or unlawful destruction, loss or alteration of personal data, so a ransomware incident that encrypts customer records is a breach that must be assessed for notification like any other.
2. Client consent is a must
Gone are the days of the pre-ticked box. Where consent is the lawful basis for processing, it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Organisations need to tell clients what personal data is being collected (name, address, ID or passport number and so on), for what purpose, and what else it may be used for. Consent is only one of the lawful bases the regulation recognises (Article 6): much financial-sector processing rests instead on performance of a contract or on a legal obligation such as know-your-customer rules, and those purposes must be stated just as clearly.
3. The right to data privacy
Under GDPR, individuals can request access to the personal data an organisation holds on them (Article 15) and, where there is no longer a valid reason to keep it, have it erased (Article 17, the "right to be forgotten"). Such requests must normally be answered within one month. That is a challenge: according to the Vanson Bourne study, only 25% of surveyed organisations believed they could retrieve personal or sensitive personal data immediately, and the average time businesses expected to need to recover it was six hours.
4. Data needs to be encrypted
GDPR does not prescribe a particular algorithm, but it names encryption (alongside pseudonymisation) as an appropriate technical measure for securing personal data (Article 32), and a breach of personal data that was encrypted so as to be unintelligible to whoever obtained it can remove the obligation to notify the affected individuals (Article 34). In practice that means strong encryption of personal data both in transit and at rest, including in the email archive, with the keys managed separately from the data they protect. At the same time, encrypted client data must remain easy to retrieve and to handle as the data subject requests.
5. Accountability from all parties
IT and other services are often outsourced, so client data passes to external vendors, where it can be compromised just as easily if that supplier suffers a ransomware attack. GDPR does not let an organisation offload responsibility: the controller remains accountable for the processors it uses, may only engage processors that provide sufficient guarantees, and must bind them by a written contract setting out their obligations (Article 28). Processors, in turn, carry direct obligations of their own and must protect the sensitive information they handle.
All this said, even an organisation with the best intentions that does its utmost to protect clients' personal data is one unsuspecting employee away from a breach: a single click on a seemingly harmless phishing email or attachment is enough.
A comprehensive cyber resilience strategy for email is therefore essential: one that provides security controls before an attack, business continuity during it, and automated recovery of data afterwards. Delivered from the cloud, such services can be incorporated into existing IT infrastructure easily and affordably.
With maintenance, updates, support and compliance features built into services from providers like Mimecast, the mandates of GDPR become more manageable for financial services providers already burdened with industry-specific regulation and heavy attention from cybercriminals. Such services help bring an organisation closer to compliance and let it recover quickly should a breach occur, freeing the business to focus its time and attention on its own mission-critical work.
Finally, GDPR may not apply to South African businesses that neither offer goods or services to people in the EU nor monitor their behaviour, but it is still worth considering the data privacy requirements it lays out. POPIA will soon be enforced, and similar legislation is becoming more prevalent across all regions. As a South African business, it is worth building for the future today rather than waiting until it is too late.