
GDPR: Best Practices for Financial Services Firms

The EU General Data Protection Regulation (GDPR) is the strongest protection of consumer privacy rights, enacted in 2018 with clear guardrails for how businesses should handle data that passes through the region. Post-Covid, however, global supply chains, disparate workforces and international corporate presences require data to be shared across borders in unprecedented volumes.

Fines were not particularly large in the early years, but that changed in May 2023 when Meta, the parent of Facebook, was fined $1.3bn and given a 6-month window to stop data transfers from the EU to the US. Meta’s fine removed any lingering doubts that data protection, and proof of data protection, is a necessity rather than an optional policy, and one every business must adhere to.

The severity of the punishment makes a strong case for broader automated data classification tools across businesses, particularly in the surveillance function. These tools are able to categorize sensitive data as identified in the business environment based on the appropriate compliance regulations, level of sensitivity and other custom criteria, such as the company’s data retention policy. From here, data can be securely processed and used by authorized individuals within an organization, and eventually, disposed of in accordance with its retention policy.

Financial services firms looking to avoid large fines and better comply with GDPR can take first steps in auditing their digital communications and reviewing their data. 

dComms audit

Thorough auditing of dComms capture and recording practices is essential for compliance, risk management, and maintaining the integrity of PII. A typical audit begins with a clear definition of the objectives and scope, such as ensuring compliance with regulatory requirements like MiFID II or Dodd-Frank, and assessing data integrity.

Data mapping exercises follow, in which a comprehensive inventory of the eComms and aComms channels used within the firm is mapped. This allows the team to follow communications data as it flows through the business and into storage. Financial services firms can then do the following:

Data capture processes evaluation

An evaluation of the data capture processes will ensure that all the required channels are covered, continuously and unaltered.

Recordkeeping and documentation practices are analyzed, including audit trails and change management logs, to ensure records are complete and held in a secure manner. Compliance monitoring and reporting takes place, along with testing and sampling to verify the accuracy and completeness of the eComms and aComms data. This allows any compliance issues to be flagged for potential shortfalls in regulatory standards. 

Retrieval and search test for electronic communications records

The firm’s ability to retrieve and search electronic communications records efficiently is also tested, along with search functionality, before the team assesses data encryption and security measures. This step ensures the proper measures are in place to protect sensitive information and PII during capture, transmission, and storage.

When the audit results are fed back to management, compliance gaps, deficiencies, or areas for improvement are identified and addressed. Processes for ongoing monitoring and periodic audits are established to ensure sustained compliance and improvement in eComms capture and recording practices, and following a review by the legal and compliance functions, a final report and certification of compliance is issued.

The role of data masking

To meet the seemingly conflicting demands of data protection accountability and financial regulatory obligations, data masking is often employed as part of surveillance. The most commonly used methods are pseudonymization and anonymization.


Pseudonymization replaces personal data with an artificial identifier that cannot be used to identify an individual by appearance. Links to the original personal data are maintained elsewhere and allow a theoretically safe reconnecting of an individual to a data record.

Firms using this method with communications surveillance tools for any applicable reason will require the original content records to be correctly archived with pseudonyms intact, along with the mappings that can be used to reconstruct the identity of the masked persons. The strict standards inherent in MiFID II require the identification of parties in financial transactions for reasons we identified earlier. 


Anonymization, meanwhile, involves completely changing the data that may personally identify an individual such that the content can never be used to identify an individual again. It is a risky practice for financial services firms, as the content surrounding a transaction may need to be reported to a regulator. Where anonymization is useful is in secondary situations where Big Data and AI are applied solely to financial transactions for the purpose of business insights. 
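
The difference between the two methods, as an added example that is not part of the original article or of any vendor's product: participant fields of a captured message are replaced with keyed pseudonyms while a separately held vault keeps the mapping (and logs each re-identification), whereas the anonymized copy keeps no mapping at all. The class, function and field names, the key and the sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac

class PseudonymVault:
    """Key and token->identity mapping, held apart from the surveillance data set."""

    def __init__(self, key: bytes):
        self._key = key
        self._mapping = {}
        self.audit_log = []  # every re-identification is recorded with its reason

    def pseudonymize(self, identity: str) -> str:
        norm = identity.strip().lower()  # same person -> same token across messages
        digest = hmac.new(self._key, norm.encode(), hashlib.sha256).hexdigest()
        token = "P-" + digest[:16]
        self._mapping[token] = norm
        return token

    def reidentify(self, token: str, reason: str) -> str:
        self.audit_log.append((token, reason))
        return self._mapping[token]

PII_FIELDS = ("sender", "recipient")  # assumed field names of a captured message

def pseudonymize_record(record: dict, vault: PseudonymVault) -> dict:
    """Reversible masking: tokens can be mapped back through the vault."""
    masked = dict(record)
    for field in PII_FIELDS:
        masked[field] = vault.pseudonymize(record[field])
    return masked

def anonymize_record(record: dict) -> dict:
    """Irreversible masking: no mapping is kept, so identity cannot be restored."""
    masked = dict(record)
    for field in PII_FIELDS:
        masked[field] = "[REDACTED]"
    return masked

# Constructed sample messages (not real data)
SAMPLE_MESSAGES = [
    {"sender": "alice.trader@example.com", "recipient": "bob.client@example.com", "body": "Order placed."},
    {"sender": "bob.client@example.com", "recipient": "Alice.Trader@example.com", "body": "Confirmed."},
]

if __name__ == "__main__":
    vault = PseudonymVault(key=b"constructed-demo-key-not-for-use")
    for msg in SAMPLE_MESSAGES:
        print(pseudonymize_record(msg, vault), anonymize_record(msg))
```

The body text is left untouched here; identifiers that appear inside message bodies need their own handling.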

dComms surveillance

A robust compliance framework is essential for organizations to uphold ethical guidelines and ensure employees maintain the highest standards of integrity and accountability. For financial institutions, an intelligent solution for monitoring digital communications is a vital component to meet GDPR regulations as well.

While GDPR centers mainly on the collection and processing of customer data, it also covers personal information obtained from employees. Privacy rules also vary across borders, which complicates broad data privacy frameworks that have to take into account variances in regulations. Financial regulators have not handed down prescriptive rules for dComms surveillance, instead giving guidance amid broader supervision obligations necessary to prevent misconduct.

Effective dComms systems ingest enormous amounts of data from chats, emails, texts and social media from employees across the world. Regardless of the surveillance model used, whether lexicon-based, behavioral-based, random sampling, or a mix of the three, it is inevitable that PII will feature in the captured messages.


  • Personal data can only be collected for certain specified purposes. 
  • Only necessary and relevant information can be collected and retained. 
  • Monitoring programs must have clearly defined scopes. 
  • Information gleaned through surveillance cannot be used beyond the legitimate purposes previously disclosed to employees. 

GDPR can’t be ignored

Business, society and communications have all evolved considerably since GDPR entered into force, changing the way enterprises use and handle data. What hasn’t changed is the need for strong information governance and compliance procedures. Firms that fail to implement proactive policies and procedures in their compliance programs are particularly vulnerable. Areas of data systems, information governance, and procedures for managing electronic evidence in surveillance will continue to be impacted as regulators set case precedents in the coming years.

Building a dComms surveillance solution that balances regulatory expectations with privacy requirements requires careful planning and analysis, and the help of expert partners who understand the role of AI in the current data privacy environment.

