Why robust data governance is vital now GDPR is three

The 25th May marked the third anniversary of GDPR – and in many ways, it’s hard to believe it’s been three years. Precisely 661 fines since the regulation’s arrival have been issued, and many data protection ‘unknown unknowns’ remain for UK financial services organisations. It is common for data protection officers and cyber security specialists in the space to adopt cutting-edge solutions and brace for the worst, but without a clear picture of what data they have or where it is, the effectiveness of their defences is negated. Former US Secretary of State for Defence, Donald Rumsfeld, coined the phrase:

“There are also unknown unknowns – there are things we do not know we don’t know.”

For data protection specialists in the financial services space, this highlights the critical need to gain control through effective data governance. The impact of the Covid-19 pandemic has highlighted this – with employees working remotely data is more distributed than ever before. So truly understanding the data within your organisation is as important as the defences you have in place to protect it, which together combine to form the kind of multi-layered security approach that is necessary to face today’s threat landscape. In light of Brexit, financial services organisations in the UK will also need to be extremely diligent about quality tagging when moving data to the cloud, as well as attributing business context to it. Doing this is vital for organisations to adequately answer regulatory queries, especially with agreements on data transfer conditions in a post-Brexit state of flux.

With data sets doubling in size every 12 to 18 months, data protection officers in the financial services space face a daunting challenge, but one that is not impossible to overcome. To make rapid progress on enhancing data protection and governance, organisations must be aware of the current state of cross-border data flows, while ensuring that they have the right technologies and processes in place.

The current state of data flows

Upon the UK’s exit from the EU, the decision was made to closely mirror the rules set out by GDPR in 2018, bolstered by a robust follow-up arrangement as part of the Withdrawal Agreement. Despite this continuity, concrete agreements on data transfer conditions were not set out on a long-term basis, opening up the potential for divergence on data standards. During negotiations, the UK proposed that the parties should be fully committed to the free flow of data, while the EU insisted on the primacy of data protection, including rules governing and limiting cross-border transfers.

At the time of writing this article, lawyers warn that thousands of British firms may be in breach of GDPR, and must appoint EU-based data protection representatives. Shoosmiths, the law firm involved, points out that non-UK businesses processing the data of UK-based individuals will in turn need to appoint a UK data protection representative.

Post-Brexit complications such as this recent example are increasing the pressure on organisations to ensure that effective data governance is in place, making information easily and readily available. For many organisations, data is siloed without privacy standards in place, presenting serious challenges for financial services organisations that operate closely with parties based in the EU. As organisations have accelerated digital transformations in order to respond to Covid-19, many have increased their data risk and disarray by moving data between countless hybrid cloud and on-premises environments without proper thought for tools that can operate across all clouds and environments to maintain a strong data governance stance.

Taking a multi-layered approach

From a technology standpoint, it is important to not only adopt solutions that are dedicated to cybersecurity. It is also essential to bring technologies like AI on board to handle data management tasks, enabling organisations to conduct and automate data audits that are crucial to governance. Metadata-driven discovery tools serve as a prime example, which make it easier to handle large, fragmented data sets spread across the globe. With data precisely and efficiently audited, organisations can begin to gain control over their ‘unknown unknowns,’ but managing this data is another important element.

To significantly enhance data management, organisations can benefit by deploying data governance solutions combined with AI and automation capabilities. Once this is in place, financial services organisations will have built an effective, intelligent data governance foundation that will improve compliance and data protection simultaneously.

A robust data governance stance has the effect of enhancing cybersecurity solutions and capabilities, providing data protection officers with essential visibility. When data is unified and hygienic, security specialists can take steps towards building confidence that end-to-end security is in place across all data locations, minimising grey areas where unknowns can proliferate.

The true cost of inaction

Failure to actively address data protection unknowns means that data will never truly be protected. Specific business context, procedures and policies must be proactively applied to data, rather than just adopting cybersecurity solutions. While organisations may not be able to guarantee all breaches will be prevented, data protection officers cannot afford to just lean on security solutions and hope for the best.

It is also important that financial services organisations consider the subtext of ongoing post-Brexit discussions, with concrete, long-term agreements on data flow conditions yet to be decided. This heightens the need for effective, streamlined governance that enables organisations to locate and present contextual data in an efficient way.

Above all, by taking a multi-layered approach to security that combines data governance and cybersecurity processes, one will reinforce the other. The key to achieving and managing this approach in a sustainable way is through the use of a unified, cloud-first solution. This is particularly relevant for UK financial services organisations operating in the post-Brexit phase, as it will enable customers to also accelerate compliance and build a secure, more efficient ecosystem.

GDPR is just the beginning of a longer journey. Gradually, countries around the world are increasingly launching similar regulatory standards to protect data, and organisations are beginning to call for a single framework. Improving data governance and building a powerful multi-layered approach to security are the next steps financial services organisations must take.