How the financial services sector can comply with EU GDPR

Data protection laws in Europe are more important than ever before, as we become increasingly sensitive about privacy, data protection breaches are daily headline news, and the regulatory regime is getting tougher. There is a significant increase in the amount of personal data held by organisations, including sensitive personal data about employment, home life and health, and the modern mobile world is becoming increasingly dangerous. Indeed, many breaches occur outside of the office environment with laptops lost or stolen, papers and devices left on trains and inadequate security training for modern ways of working.

Regulators are subsequently increasingly concerned about the way in which financial services organisations hold and manage data – particularly where the actions of a financial services organisation could expose customers to identity theft.

EU GDPR: radical changes

The overall aim of EU GDPR is to make privacy laws fit for the 21st century. There is a major emphasis on enforcement as the new regime has increased penalties for breaches, with fines of up to 4 percent of a corporation’s annual global turnover. In addition, it introduces mandatory data breach reporting requirements similar to those that exist in most US States, but with a requirement to report a breach usually within 72 hours.

To describe the new rules as an update or a refinement in the data protection regime is not accurate. This is not a finetuning of the law. A far more fundamental change has taken place. The new rules are much more detailed, demanding and onerous. GDPR is a recognition that there is a political impetus in having new and tougher laws. Many in Europe care much more about data – and especially data breaches – than they did 20 years ago.

Achieving the 72 hour reporting window

To have a realistic chance of reporting a breach in 72 hours (under the new rules) it would be necessary for a security vendor to advise of the breach within 24 hours. The primary responsibility to report a security breach will be on the data controller but most of the breaches we see are the responsibility of a vendor. Firms will need a contractual obligation to make sure that the vendor tells them in time so that they can deal with their reporting obligations. Even when you know of a breach you still have work to do to get it into the right format to make a report.

As a vulnerable sector, financial services will have to take special care to put in place adequate policies, procedures and training to ensure that breaches are reported within the 72-hour period. Bear in mind that as well as reporting a breach to data protection regulators they may also need to tell financial services regulators, other financial services companies (for example because of contractual requirements you have agreed to) and those affected.

The need for a DPO

Another important feature of the new rules is that organisations may need to have a data protection officer (DPO) to deal with data protection compliance issues.

In the past, some organisations have not applied enough rigour in their approach to data protection. A few people may have had some training within the company but it’s now likely that organisations will feel obliged to appoint a properly trained DPO. The appointment of a good DPO will be useful when dealing with data breach issues and ensuring that an organisation takes a proportionate view of its risk to keep its reputation safe. The DPO should be independent in the performance of their tasks and will report directly to the highest level of management.

We know that the new data protection regime will bring considerable responsibility and sanctions for companies that handle data, and financial services businesses will be more at risk than most. As such, there will be considerable challenges to comply with the new rules and it will take some time to implement the necessary policies and infrastructure. What is certain is that organisations must start now in order to be properly compliant when the new rules are in place.

By Richard Henderson, global security strategist at Absolute,

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.