Financial Services and Data Protection Part 1:

Key Considerations

Data protection is important for any business, regardless of sector, and the financial services sector faces some unique hurdles and threats in this field. In the UK, the Financial Conduct Authority (FCA) strictly regulates the financial services industry, with a number of rules in place governing what data firms should be holding. Additionally, the amounts of money and financial information that financial service organisations handle make them a popular target for cyber criminals, so their cyber security measures must be strong enough to deter them. Data protection regulations such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) require you to notify the authorities and those affected if you suffer a breach, which means that your breaches become public. It is also illegal to attempt to hide a data breach. With all of this in mind, every financial service organisation should consider the following to reduce the chances of suffering a breach or failing to comply with the law.

  1. What laws and regulations apply to you and your sector? In addition to general data protection laws such as the GDPR and DPA 2018, you will also need to comply with other regulations that cover the handling and use of data, including MiFID II, PCI DSS and various FCA rules. We recommend creating a legal register, which records the laws that apply and what you are doing to comply with them, as this will help you track and demonstrate compliance if you are ever audited.
  2. How do you manage your suppliers? Last year there was a 78% increase in supply chain attacks. A supply chain attack is one where your supplier's systems are compromised and used to launch a cyber-attack against you. This makes it more important than ever to perform due diligence on suppliers and to have legally binding agreements in place to ensure that they are protected and are safely handling the personal data they have access to.
  3. What training is needed? As most data breaches are down to user error, training can be an enormous factor in preventing them. In addition to training your own staff, training your customers can also bring a number of benefits, such as reducing the number of fraud and identity theft incidents.
  4. What security measures do you have in place? Data protection laws require you to implement appropriate organisational and technical measures to protect the personal data that you hold. As financial service organisations are popular targets for cyber criminals, it is especially important to have robust measures in place that are regularly updated and reviewed. We highly recommend running regular vulnerability scans or penetration tests against all internet-facing systems to find any flaws before the cyber criminals do.
  5. How does data flow, and how is it shared, both internally and externally? Financial service organisations will often send and receive information from many other organisations and entities, such as credit agencies, banks, auditors, assessors, government bodies and regulatory agencies. With so much data moving around, it is critically important that the data flows are documented and controlled. To do this, we recommend conducting a comprehensive data mapping exercise.


To be continued in Part 2.
