Established in 1988, Target Professional Services is a UK-based company providing Data Cleansing and Verification solutions to the financial sector. Target verifies that common data is accurate, complete and up-to-date. Where records are found to be out-of-date, Target are able to accurately trace and verify the data to ensure records held are always compliant with GDPR and other regulations within the Finance sector and in particular, The Pensions Regulator record keeping guidance. Here Lisa talks to Finance Monthly about the company’s services, the upcoming GDPR and its impact on the business, and her role in growing Target into a leading data verification and trace company.
With the EU General Data Protection Regulation (GDPR) scheduled to come into effect in May 2018 – what would you say will be the impact that GDPR will have on businesses?
The new regulations will require greater data accuracy and accountability. The potential to fine and the size of fines that can be imposed are significant, so GDPR should not be overlooked and needs both focus and a budget within any organisation.
What have Target Professional Services done to ensure that the company will demonstrate compliance with the directive in its entirety?
First of all, Target have reviewed and updated all of our internal processes where GDPR will require change. In addition, we are checking our suppliers to ensure that they will be compliant with the new regulations, so we are clear that we are using consented data. We know that some datasets will require individuals' consent to continue to be used, so we are looking to ensure that consent is obtained or that type of data is not used.
In what ways can the company’s services assist others with becoming fully-compliant?
We are sharing our experience and understanding with our existing clients so they are clear about GDPR. We are constantly finding different levels of understanding throughout our client base and we work with them to improve their knowledge.
Could you tell us a bit about your career path?
Leaving school at 16 with 10 GCSEs and unable to afford to go to University, I started work with Halifax Building Society and by 18, I had been promoted to Department Manager. However, I took the decision to leave the Halifax, as my aspirations were not in banking. At that time my father had invented a high-pressure valve cap for vehicles. He needed a BS5750 certification, so I studied the requirements and wrote his manuals for him. I also worked as a part-time bookkeeper for my mother, who ran a small independent debt collection agency, while I studied Accountancy, Law, Economics and credit control at night school. After successfully building a computerised accounts system for my mother, I identified a need in the market to transfer manual accounts to a computerised system and went on to support other businesses to successfully migrate their accounts data. With the merger of several rental companies in 1997, the debt collection business expanded, as did my role. Along with designing and implementing the CRM database to support the expansion, I took over the management of the Customer Service and Field Operations, before finally buying the business in 2001.
You’ve managed to build Target from a small debt collection business to a leading data verification and trace company – what were the challenges that you were faced with and how did you overcome them?
The debt market was very competitive and I had one very large client when I took over the business. I knew that I had to change the dynamics and the markets the company operated in. We entered the Pensions Market bringing innovation and competitive pricing at a time of regulation change. Target has focused on Customer Service, Data Quality and flexibility to ensure that our business does not become stagnant and stale. We bring innovation to solve the problems legislation brings to the industry and to ensure that our clients are always ahead of any changes.
What would you say are the company’s top three priorities towards its clients? How has this evolved over the years?
Our philosophy in working with our clients remains the same today as it's always been. We look to develop long-standing working relationships with all of our clients and understand what they require from us. Every client is different, so we also look to be flexible in order to suit each client's needs. Target has always been an industry innovator and this is still a driver for us today, as tracing and data availability changes and develops.
Looking into the rest of 2017 and beyond, what does the future hold for you and Target?
We see opportunity to apply what we do to many different industries, especially with GDPR soon upon us. We predominantly work in the financial services sector and then mostly, in the pensions sector, but tracing and data screening is of value elsewhere. We are exploring such opportunities and offering solutions in new markets. Contact us if you think we can help you. Through a partnership approach we may be able to offer you a service that gives value to what you do.
Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath
The deadline for the enforcement of the General Data Protection Regulation (GDPR) provisions in May 2018 has finally reached the agenda of most companies. It coincides with an increasing fever pitch in the press and on social networks regarding cyber attacks, hackers from the east, Smart TVs watching us, and so on. Privacy is news. Businesses that get caught out on privacy matters are subject to huge focus in social networking circles.
The recent focus on GDPR as “something new” is a surprise though. The regulations are an extension of the UK 1998 Data Protection Act and the EU GDPR regulations were technically in force from May 2016. It is an unfortunate fact that this new regulation is turning the spotlight on how lax some companies may have been since 1998 and as a result the scale of the current programme to address GDPR provisions suddenly appears very significant.
Privacy and Security
Privacy is an individual thing. It is increasingly apparent that as individuals we need to be more aware and protect our digital existence. Firms have to accept that the “privacy train has left the station” and people are demanding more control over personal data.
Central to the issue are two core principles: the respect for privacy; and the provision of adequate security. Importantly, underlying this is the notion of custodianship. It is this custodianship that should be considered as a key corporate responsibility and one that defines the seriousness with which firms have responded. In the event of a breach of privacy, this is where the regulators will look first.
Appreciating how you are impacted as an individual is relevant. It is hard not to conclude that the provisions of current privacy laws are not keeping up with the pervasiveness of today’s technology. It is a salutary exercise to count up the number of devices connected to the internet in your home – most are capable of enabling access and extracting information. The latest concerns expressed by Tim Berners-Lee that we have lost control of our personal data is timely. Whether we like it or not, privacy matters.
Why GDPR is different
Successfully addressing the requirements of GDPR requires a number of important challenges to be overcome.
All these points will test a firm’s approach to risk and risk appetite for data protection related activity. At the end of the day, data protection is just another operational risk.
Stewardship: The CFO is no stranger to stewardship. The addition of custodianship should fit quite easily but requires absolute confidence that all preparations for GDPR are sufficient.
Lines of Defence: Executives within the “second line of defence” will have a key role in ensuring an independent perspective is maintained. Executives in the “first line of defence” will be confronted with many of the decisions and implications of GDPR driven changes and what is a proportionate response. The CFO and CEO may be drawn into debates about both areas.
Managing GDPR incidents: In the event of breach, it will often be the CFO and CEO in the spotlight, with tensions rising as the matter may become an exercise in crisis management. Anecdotal evidence suggests that the “finger pointing” starts very quickly. At which point, it will be too late as one of the first tests will be to evidence that reasonable steps had been taken to prevent the incident happening.
It starts with taking the view of the customer
In assessing any privacy issue, the key question is “What would you have expected the firm to have done?” Fuelled by privacy stories, customers will learn quickly of their rights and will have expectations of what response they will get when approaching your business to exercise these rights. They will also assume that should something happen it is controlled and they are informed. Firms need to beware of the power of the customer to disrupt; especially with the viral nature of social media. The inclusion of the customer view from the outset will mean that this dialogue, should it arise, will better reflect the intended approach of the firm. Custodianship is a serious responsibility.
Pragmatic steps to ensure appropriate oversight and control
Senior executives should own the GDPR programme and maintain a keen eye to ensure it does not drift into a purely second-line compliance project.
Progress assessment: The hardest question to answer in absolute terms is “when will we be compliant with GDPR?” A number of dimensions can be constructed around some simple principles: the less sensitive data you lose, the more manageable the response; the more that you understand what personal data you have, the better you can secure it; the more information you can provide about a breach, the more likely you will receive an empathetic hearing from customers and regulators. Measures should be designed to help people understand “how far” you have secured a reasonable position. It will focus minds.
Risk based approach: It will be essential that a risk based approach to GDPR related decisions is taken. Decisions on data minimisation and retention periods, for example, will expose tensions between the need to comply and the commercial and practical implications of deleting customer data.
Governance and Accountability: The GDPR regulations assume an ongoing commitment by the firm to embrace privacy and security responsibilities. There is no big bang and therefore, arguably, no obvious finishing line. The voice of all stakeholders across the GDPR programme needs to be represented through to the Board.
Measuring operational impacts: There will be operational implications should customers past and present exercise their new rights under GDPR. For example, early indications suggested that there would be a 25 – 40% increase in the numbers of Subject Access Right requests. To this number needs to be added an estimate for the new provisions (including the right to be forgotten, portability etc.). Will current response processes be up to it?
Pragmatism is the watchword: Implementing regulatory change is not straightforward. A pragmatic and practical approach is essential to overcome many of the issues that will be raised. The risk of projects becoming detached from the realities of running a business is high; the message of effective custodianship will help. The firm must demonstrate and justify the pragmatic judgements taken on the journey towards its compliant position. Permitting every possible aspect to be debated at length will likely result in compliance paralysis. Therefore, the importance of proportion and measured decision making cannot be overstated.
Be prepared
Personal data is an asset and companies are the custodians. The expectation we have about the behaviour of how other organisations handle our own personal data should influence our own roles within our organisations. The way we work with colleagues to achieve a level of assurance and mutual confidence is key. There are effective ways to think about and implement regulatory change, which need to ensure that the response to the various challenges of GDPR as outlined above are appropriate, measured and reasonable. In the event of having to react to any privacy incident, having a clearly agreed position on the custodianship responsibilities will be a good place to start a defence.
With GDPR just around the corner (May 2018), the new EU rules are probably something you want to start thinking about, and companies could risk serious vulnerability in the face of data protection. But do the rules require you to hire a data protection officer? Richard Henderson, global security strategist at Absolute, provides Finance Monthly with the expert tips you’ve been looking for.
In just over a year the EU’s General Data Protection Regulation (GDPR) comes into effect, with part of it stipulating that some organisations will need a data protection officer (DPO). Impacted companies that haven’t already assessed their data protection technology, policies and processes against the regulation’s mandates, need to take action now to address any shortcomings.
The regulation may have been four years in the making, and amended throughout the process, but what has been clear from the start is that it intends to define an era where lax data management is not tolerated. The letter and spirit of the regulation reflects an expectation that data protection should be a priority, not an afterthought. Individuals’ rights around their data will be strongly upheld and companies found wanting will face tough punishment.
In this, the financial services sector has some experience. Despite being responsible for a relatively small percentage of the total security breaches reported to the Information Commissioner’s Office (ICO) in 2015-16, it attracted a third of the financial penalties the ICO pursued. With fines for data protection non-compliance set to rise significantly under GDPR (up to four per cent of annual global turnover), the industry cannot afford not to take note and to prepare.
The overall aim of GDPR is to make EU privacy laws fit for the 21st century. While there is a major emphasis on enforcement it also introduces mandatory data breach reporting requirements, in some cases within a challenging timeframe of 72 hours.
The role of the data protection officer
The requirement to appoint a data protection officer (DPO) is summarised as being in the case of “public authorities,” “organizations that engage in large scale systematic monitoring” and “organizations that engage in large scale processing of sensitive personal data”.
Organisations meeting these requirements will need to make someone responsible for data protection. It will be extremely important to have the right person for the job so legal advice should be considered when hiring.
The DPO must have expertise on data protection law and practices, is expected to keep their knowledge up to date and to report directly to the highest level of management. In short, this is not a responsibility to be taken lightly or to be tagged onto an existing role where the necessary level of expertise, knowledge and responsibility does not already exist. It is a professional role, expected to be accorded a sufficient level of seniority, with standing in the firm and the resources to maintain and build on knowledge.
DPOs will need to be supported by a thorough assessment and (where necessary) overhaul of policies, processes and procedures to ensure GDPR-readiness. A big part of their job will be ensuring the right technology is in place to prevent data breaches, while maintaining and reporting on security.
Enough is not good enough
The cyber-attack threat landscape continually changes, forcing businesses to evolve their security strategies and policies to keep up. The risk of non-compliance with GDPR is simply too high, not just in terms of potential financial impact but also corporate reputational damage from compromised data. A DPO will be central to safeguarding the organisation’s reputation, maintaining the right technology and ultimately, preventing a large-scale data breach.
GDPR recognises that situations have changed immeasurably since its preceding 1995 Data Protection Directive when the internet was still in its relative infancy. Today, larger volumes of data are not only created and stored but also widely transferred and held on mobile devices.
GDPR had to bring data protection enforcement up to date for the modern day. By setting the fines level for infringements at the level it has, it is sending out a clear message that ‘enough’ is not good enough. Companies need to make data protection part of the fabric of their organisation or pay the price for not doing so.
The price could be hefty indeed for UK business. If cybersecurity breaches stay at the level reported in 2015, fines could rise from £1.4 billion to £122 billion, according to the Payment Card Industry Security Standards Council.
Companies with limited IT knowledge and expertise may feel that punishments meted out after the event should be balanced by guidance and instruction on breach prevention, so that they can prevent falling foul of the regulation. While it is rightly incumbent on companies to adequately secure data, the options available to them to do this are matched only in their number and variety by the methods hackers have for getting in.
EU GDPR is incontrovertibly punitive but companies looking at it in full must see the opportunity the regulation gives to them to avoid incurring penalties.
Taking stock
By interpreting what the measures require companies to do, they can take action to keep data safe and thereby avoid non-compliance. This includes putting in place processes to provide data to subjects if they ask for it and to remove records if requested when it's no longer necessary to hold them. It includes potentially putting in place the data protection officer and – perhaps above all – mandates 'privacy by design', meaning that data protection has to be built into systems when they are designed rather than afterwards as an add-on.
This last measure is – if any were needed – the clearest indication of the regulator’s intention to instil into all companies a culture of data protection, one that drives systems and processes rather than the other way round.
A designated DPO dedicates a level of time and expertise that is required now for robust data protection. After all, 72 hours to report a breach is a short space of time and staying on top of policies and processes around data retrieval, access and removal is a big job. Organisations need the capabilities in place to manage data across their entire device estate. A single point of contact with specified responsibilities stands to help the company at the same time as helping the regulator.
Above all else, a dedicated data protection role will help companies prevent data issues, safeguard their reputation and avoid potential non-compliance.
For one particular part of the financial services sector, GDPR presents a specific opportunity. Strict new rules should mean the cyber insurance market will grow. With breaches set to be more widely reported under the new regulations, more data will be available to insurers to set premiums so we are likely to see an increase in the number and range of cyber insurance offerings.
Companies concerned by the length and breadth of the EU GDPR should step back and consider that, in simple terms it obliges organisations to put in place security measures appropriate to the risks. If a data breach occurs it will be hard for that organisation to argue that it had done this. Therefore, the goal will be then what it is now – to have in place the resource, policies, processes and technology to prevent breaches.
Companies should reassess how they detect suspicious activity on their network and consider options for persistent connectivity and encryption for systems, devices and data. The threat of higher fines certainly focuses attention on data protection but in reality, it must always be a top priority for the financial services sector.
No one wants to have their good company name smeared in the headlines because of a breach or incident that could have been avoided. It’s up to all of us in the security space to ensure that we are doing everything we can to keep the data entrusted to our protection safe from harm. We owe it to ourselves, our shareholders, and the public who trust us to steward their most sensitive of data.
With the implementation of GDPR on our doorstep, companies risk serious vulnerability in the face of data protection. This week Finance Monthly has heard from Rafi Azim-Khan and Steven Farmer of Pillsbury Law, who gave us a rundown on how you need to prepare for the regulatory changes.
From the debate about the UK’s ‘Snooper’s Charter’, to a number of high-profile cyber-attacks and the wrangling, both legal and political, over the abolition of the EU-US data sharing treaty, Safe Harbour, data privacy has remained firmly in the media spotlight in recent months.
With the most significant overhaul of the EU data protection regulations in recent years set to come into effect with the introduction of the EU General Data Protection Regulation (GDPR) in May 2018, this trend looks set to continue.
The GDPR rips up the existing legal framework and provides for the imposition of heavy fines. Equally seismic is the fact that the new rules have an extra-territorial reach, catching companies who traditionally did not need to prioritise data protection laws.
Significantly, however, few businesses are reported to have actually looked at what they need to do to ensure compliance under the GDPR. As the time until enforcement dwindles, it is essential that firms act, as the UK data protection regulator has said herself. So what do companies actually need to be aware of?
The letter of the law
The GDPR replaces the current EU Data Protection Directive 95/46/EC. As a Regulation, and unlike the old law, the new laws will be directly applicable in all EU member states.
Specific changes introduced include the following:
Of course, with the UK set to leave the European Union, there is much ongoing discussion about what the post-Brexit regulatory regime may look like. It is generally accepted, however, that after the UK leaves the EU, UK laws will nevertheless track the GDPR (e.g. via some form of implementing legislation or a new UK law which effectively mirrors the GDPR). In other words, even if you are purely a UK company, or you are outside the UK and targeting UK consumers only, you should not ignore these changes on the basis Brexit is some sort of get out of jail free card.
Who needs to comply?
All organisations operating in the EU will be caught by the new rules. Importantly, organisations outside the EU, like US-based companies that target consumers in the EU, monitor EU citizens or offer goods or services to EU consumers (even if for free), will also have to comply.
The GDPR also applies to “controllers” and “processors”. What this means, in summary, is that those currently subject to EU data protection laws will almost certainly be subject to the GDPR and processors (traditionally not subject) will also have significantly more legal liability under the GDPR than was the case under the prior Directive.
What can businesses do to prepare?
To ensure compliance, companies need to ensure that they have robust policies, procedures and processes in place. With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, nothing should be left to chance. In terms of key first steps, companies might consider prioritising the following as a minimum:
As May 2018 draws inexorably closer, companies need to start thinking about compliance before it is too late to avoid being made an example of. As the old adage goes: those who fail to prepare, prepare to fail.
In the light of the highly anticipated new General Data Protection Regulation, which will come into force on 25 May 2018, this month Finance Monthly reached out to Alan Calder – the founder and Chief Executive of IT Governance, a single-source provider of products and services in the IT governance, risk management and compliance sector. Alan is an acknowledged international cybersecurity guru and a leading author on information security and IT governance issues, and over the next couple of pages he discusses all things data protection and GDPR.
What are the common issues that businesses face, with regards to data protection? How can these be avoided? What should be the main data protection considerations for businesses?
In 2016, a large number of high-profile organisations suffered a data breach or were targeted by cyber-attacks. In executing cyber-attacks, criminals rely on exploiting weaknesses: well-known methods such as phishing scams and spear phishing exploit human gullibility, while weak and unchanged default passwords and unpatched, vulnerable and outdated software all allow attackers and malicious code into your systems.
Every organisation should tighten up in the three main areas that attackers target: their people, their processes and their technology. Clients can protect themselves with anti-malware, or by switching on a firewall, but that's only one part of cyber security.
Criminals also take advantage of internal staff and employees unaware of the current cyber threats to get access to the organisation’s most valuable assets.
To prevent “around 80% of cyber threats” and implement a basic level of cyber security, we encourage organisations to achieve certification to the UK Government-backed Cyber Essentials scheme. The scheme allows organisations to identify vulnerabilities in their system and implement security controls. We recommend using Cyber Essentials to stop low-level attacks, and adopting it in addition to ISO 27001, the international best practice for information security. An ISO 27001-compliant information security management system (ISMS) encompasses people, processes and technology.
Organisations can put antivirus software and firewalls in place to protect themselves from malware, but employees still represent the weakest link in information security. ISO 27001 not only addresses the ‘people’ area of cyber security but also monitoring, maintenance and continual improvement of information security. Certification to the Standard demonstrates to staff, customers and stakeholders that an organisation has taken all the necessary measures to protect their information.
What rules govern companies that have access to more sensitive information (health records and criminal records for example)? How is this information protected by the Data Protection Act?
Organisations collecting and handling the personal data of European residents will be required to comply with the General Data Protection Regulation (GDPR). In addition to this, digital service providers and organisations providing essential services in critical sectors such as healthcare, energy, banking, transport and distribution will be required to comply with the Network and Information Systems (NIS) Directive.
While the GDPR imposes a 72-hour breach notification deadline for reporting personal data breaches, the Directive mandates that organisations notify supervisory authorities every time there’s a significant impact on the delivery of the organisation’s service. The Directive requires essential services and digital service providers to implement “appropriate and proportionate” security systems.
What consequences face companies if they do not adequately protect their clients’ information?
Under the GDPR, which is set to come into force in May 2018, non-compliant organisations can face fines of up to €20 million or 4% annual worldwide revenue – whichever is higher. As most failures to comply will be revealed by data breaches, these administrative fines – which are discretionary, levied on a case-by-case basis and must be “effective, proportionate and dissuasive” – will be in addition to the costs of remediating the breach and mitigating the loss to affected data subjects.
What consists of adequate protection of data? What methods can companies put in place to ensure that their clients’ information is protected to a high standard?
To implement adequate data protection measures that help organisations ensure their clients’ data and information is protected to a high standard, we encourage organisations to first comply with the GDPR. Conducting a data flow audit and data protection impact assessments are essential steps towards GDPR compliance as they help organisations identify where data is stored and reduce privacy risks by identifying efficient and effective processes for handling data.
However, as Internet-based activities become integral to everyday operations, so do cyber threats. Technology alone (e.g. software and antivirus) is not enough for businesses to protect their data. By implementing an ISO 27001-compliant ISMS, organisations can prevent threats resulting from human error, faulty processes and flawed technology with an overall strategic and operational approach to information security. Accredited certification to ISO 27001 proves to clients, stakeholders and third parties that the company is following international information security best practice.
What is the purpose of a data protection audit? What type of company benefits from a data protection audit?
Every organisation worldwide can benefit from a data protection audit. It helps identify potential data protection issues and allows organisations to address key risk areas. A data protection audit is the first step organisations need to take to comply with the GDPR. The main benefits of the audit are visibility over data flow, insight into the development of effective strategies to protect personally identifiable information (PII), improving data lifecycle management, identifying efficiencies related to processes, systems and protocol, and reducing privacy-related risk.
More importantly, an audit improves customer satisfaction by reducing the possibility of data breach that could lead to the client submitting a complaint or even potential lawsuits.
What are the particular legal issues that UK businesses face in relation to new technologies? How do you assist clients with developing appropriate IT policies?
IT Governance helps organisations save the time and cost of developing appropriate policies and procedures for standards such as: ISO 27001, PCI DSS, and ISO 9001 through various documentation toolkits. Each toolkit contains pre-written model policies and procedure templates which account for all the key issues in compliance with all aspects of the standards. The toolkits are developed by our in-house information security experts to fit our clients’ compliance requirements and are designed to help organisations accelerate their compliance projects by ensuring that all control areas are covered and carefully addressed.
Additionally, our risk assessment software, vsRisk, helps organisations carry out ISO 27001-compliant risk assessments by providing a simplified and automated risk assessment process that fits the needs of large and small companies.
Do you see the need for any legislative change regarding data protection in the UK?
The primary change in data protection legislation of which organisations should be aware is the GDPR superseding the Data Protection Act (DPA). The GDPR aims to harmonise data protection laws currently in place across the European Union's member states. Organisations have less than two years to transition, during which they need to update policies and procedures and potentially appoint a DPO.
What has been your flagship piece of work and how did you apply particular thought leadership to this scenario?
We were the first organisation in the EU to launch an integrated portfolio of GDPR guidance white papers, webinars, books, documentation toolkits, practitioner and DPO training, transition and compliance consultancy and online staff awareness training. Our management and privacy team identified all the major transition and compliance issues thrown up by the GDPR and, at a point when most UK businesses were wondering whether or not GDPR would apply post-Brexit, we established that it would not only apply but is likely to become integral to UK law for many years after Brexit. Since then, both the government and the ICO have confirmed the position we took and our GDPR portfolio has become the fastest-growing area of our business.
Career Highlights: