Last updated: 08 August 2016
In May 2018, the General Data Protection Regulation (GDPR) will come into effect, strengthening and unifying data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU.
Financial services organizations and other businesses will be required to obtain consent before processing citizens’ personal data and to disclose data breaches, and for non-compliance they could face significant penalties of up to €100 million, or 4% of annual worldwide turnover, whichever is greater.
Brexit has complicated this process, especially for financial services companies and other international companies in the UK.
At least today, the UK is a principal global financial center, the financial center of the EU, and a gateway to Europe for many non-EU financial services organizations, although some of this may change with Brexit.
Here are some things you should consider regarding Brexit’s impact on financial services data protection:
Securing the UK/EU Data Flow
High on the list of issues brought to the fore by Brexit is “passporting”, which enables businesses such as banks to operate across the EU provided they have a base in the UK.
That arrangement is now in question, meaning that financial institutions established in the UK may not be able to provide services to customers in the EU from the UK, or vice versa from the EU to the UK.
Despite the uncertainty, it is clear that companies that want to continue to do business in the EU will have to abide by the EU legislation, or at least mirror it as closely as possible.
International consistency around data protection laws and rights is crucial as the EU has strict laws on transferring citizens’ information outside of the EU bloc, from GDPR to the EU-US Privacy Shield.
Countries outside the EU that want data to flow freely across borders must convince Brussels that they abide by its privacy requirements.
The Role of Encryption
As expressly stated in the GDPR, free but secure data flow can be enabled through pseudonymization and encryption.
As per the GDPR, pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
Likewise, by encrypting your data and keeping the keys under your own control, you can ensure that even if the data is breached, the attacker will not be able to access the unencrypted data.
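As an added illustration (not code from the original post or from the white paper it advertises), the following Python sketch shows pseudonymization as the GDPR defines it: direct identifiers are replaced by a keyed HMAC-SHA256 pseudonym, and the key plus the lookup table are the separately held “additional information” without which the records cannot be linked back to a person. The records, field names and function names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records; the account numbers are made up, not real IBANs.
RECORDS = [
    {"account_id": "GB00EXAM00000000000001", "name": "A. Example", "balance": 1250.00},
    {"account_id": "GB00EXAM00000000000002", "name": "B. Example", "balance": 80.50},
]


def new_key() -> bytes:
    """Generate a 256-bit pseudonymization key; store it separately (e.g. in an HSM/KMS)."""
    return secrets.token_bytes(32)


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with a keyed pseudonym.

    A keyed HMAC (not a plain hash) is used so that an attacker who obtains only
    the pseudonymized dataset cannot recompute tokens from guessed identifiers.
    Returns (pseudonymized_records, lookup): the lookup maps each token back to
    the original identifiers and must be held apart from the dataset itself.
    """
    pseudonymized, lookup = [], {}
    for rec in records:
        token = hmac.new(key, rec["account_id"].encode(), hashlib.sha256).hexdigest()
        lookup[token] = {"account_id": rec["account_id"], "name": rec["name"]}
        # Only non-identifying attributes travel with the token.
        pseudonymized.append({"subject": token, "balance": rec["balance"]})
    return pseudonymized, lookup


def reidentify(pseudo_record, lookup):
    """Re-link a record to its data subject; returns None without the lookup entry."""
    return lookup.get(pseudo_record["subject"])


def contains_direct_identifier(pseudo_record, records) -> bool:
    """Check that no original identifier or name survives in a pseudonymized record."""
    values = " ".join(str(v) for v in pseudo_record.values())
    return any(r["account_id"] in values or r["name"] in values for r in records)
```

The same key yields the same token for the same identifier, so datasets can still be joined for analytics, while rotating the key produces unlinkable tokens.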
To meet the GDPR compliance requirements, and for example to keep “passporting” possible, financial services and other regulated organizations should employ encryption and key management solutions across their on-premises and cloud-enabled infrastructure environments.
Such solutions include high-speed network encryption to secure data as it moves across their networks, within the EU, and beyond to the UK or the rest of the world and back again.
Security and efficiency are essential to all industries, and certainly financial services is no exception, demanding high assurance, high speed, low latency and scalability.
But Brexit and GDPR will certainly mean that financial services organizations need to be hyper-aware of how data is being used and better about using methods like encryption to ensure they haven’t left sensitive information exposed.
To find out more about how to protect your financial data in motion, read our new white paper, Securing Financial Services Data in Transit.