![Financial services compliance](https://securenvoy.com/wp-content/uploads/2023/12/Compliance-blog.jpg)
Overcoming key financial services compliance challenges with data governance and data discovery tools
- Cybersecurity is the highest risk for financial institutions, according to a Bank of England survey in 2022
- 54% of UK finance and insurance companies identified breaches or attacks in the last 12 months (Cyber Security Breaches Survey 2022).
- Six in ten (57%) of senior executives in the UK financial services sector say their organisation is at risk of a data breach because data is so poorly managed.
- In its 2020/21 Annual Report the ICO reported that human error was the leading cause of data breaches in the financial sector, accounting for 45% of all incidents of data breaches.
Data Governance in Financial Services – Meeting GDPR ROPA and FCA requirements
We are not able to cover all of the regulations that a financial institution might meet in this short article, but there are two key financial services compliance rules that most, if not all, financial services companies need to adhere to: GDPR ROPA and the Financial Conduct Authority (FCA) Systems and Controls (SYSC) rules.
GDPR ROPA – What is a ROPA?
ROPA stands for “Record of Processing Activities”, and a good place to start in understanding what a ROPA entails is the ICO’s own definition: “It’s a legal requirement to document your processing activities. Taking stock of what information you have, where it is and what you do with it makes it much easier for you to improve your information governance and comply with other aspects of data protection law (such as creating a privacy notice and keeping personal data secure).”
ROPA Requirements:
Under GDPR, organisations are required to maintain a ROPA document to demonstrate their compliance with data protection regulations. The ROPA document should include:
- The name and contact details of the organisation, as well as its representative and data protection officer (if applicable)
- The purposes of data processing, including the legal basis for each processing activity
- The types of personal data that are processed, including categories of data subjects
- Details of any third parties who receive personal data, including the reasons for sharing the data and any safeguards in place to protect it
- Information about data retention periods and how personal data is securely disposed of when no longer required
- A description of the technical and organisational measures in place to protect personal data from unauthorised access or accidental loss or destruction.
The ROPA document needs to be regularly reviewed and updated to reflect any changes to an organisation’s data processing activities. It is an important tool for demonstrating accountability and transparency under GDPR.
What is FCA SYSC?
The Financial Conduct Authority (FCA) Systems and Controls (SYSC) rules require companies to have robust data management policies in place to effectively manage and protect data, including:
- Data Governance framework to manage data.
- Data Classification – based on sensitivity and criticality and appropriate controls for each category of data.
- Data Protection measures to protect data from unauthorised access, disclosure or alteration.
- Data Retention and Disposal policies based on legal, regulatory and business needs.
- Data Privacy, complying with the relevant data protection regulations, such as GDPR, by implementing appropriate data privacy policies and procedures. This includes obtaining consent for the collection and processing of personal data and ensuring that individuals have the right to access, correct and delete their personal data.
Key data management challenges financial services companies face
To ensure the GDPR ROPA and FCA SYSC guidelines are met, financial services companies need to contend with some key challenges:
Data silos – Financial institutions hold massive amounts of sensitive data, and need to track data which is held everywhere:
- Data is held across different business systems and applications.
- Data needs to be tracked in employee documents, emails and collaboration software.
- Data is stored on-premise and in the cloud.
- Data is also shared with third parties.
- Validate data – create validation rules and validate your data on input
- Process data – cleanse data by searching for old data and duplicates
- Maintain data – check data on an ongoing basis against your validation rules
- Protect data – implement security controls such as user authentication
- Employee training – develop a culture of data integrity with data entry and compliance training to ensure consistency
How an international bank sped up compliance and reduced costs with automated data discovery
An international bank had large amounts of sensitive personal information that it needed to protect to comply with FCA, PRA and GDPR. The bank had a growing number of business applications it needed to monitor and was struggling to find a solution for managing sensitive data in Atlassian (Confluence, Jira, Bitbucket) collaboration software.
The bank selected SecurEnvoy Data Discovery to scan over 2 terabytes of data, an amount that is continually increasing, and report on all the sensitive data being stored in its on-premise and cloud solutions. SecurEnvoy Data Discovery reports on the type of sensitive data being stored and where it is held, and alerts on any data that is out of line with compliance regulations.
The result was a 93.3% per year cost saving using automated data discovery versus manual data scanning. In addition, the cost of running the team was reduced and staff were moved on to other digital security tasks. The team was able to respond quickly to audits, and the solution improved data compliance and ensured that employees were continuously made aware of transactions involving sensitive data.
Benefits of using SecurEnvoy Data Discovery to discover sensitive data and ensure financial services compliance by meeting ROPA and FCA requirements
SecurEnvoy Data Discovery, the tool used by the international bank, provides both data discovery and classification functionality and removes the need for manual processes. It enables you to discover the data you have so that risk can be evaluated. Rules can be created to discover and report on sensitive data to meet the needs of regulatory compliance.
Some key advantages include:
- Automated data discovery:
- Accelerates the process of discovering and analysing the sensitive data you have (minutes rather than hours) and speeds up the audit process for regulatory compliance.
- Provides automated search for Personally Identifiable Information (PII), Payment Card Information (PCI) and health records to comply with HIPAA, GDPR, PCI, etc.
- Bespoke rule sets and complex queries using Compound Search can also be handled by the tool.
- Speeds up DSARs (Data Subject Access Requests), ensuring that they are fulfilled in time to meet GDPR requirements. Find out more in the “7 Steps to speed up the DSAR process” article.
- Real-time data alerts ensure that your company is adhering to data compliance regulations and help end-users to remediate any issues with sensitive data that are discovered. End-users can remediate themselves without relying on help from the data security team.
- Reporting tools enable you to evaluate the organisation’s risk profile showing instances of sensitive data detection and resolution. Management reports are available in pdf and user-friendly dashboards via an intuitive management console.
- Flexible deployment both in the cloud and on-premise. SecurEnvoy Data Discovery covers data on a wide range of endpoints, servers and applications.
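To make concrete what an automated discovery and classification scan does, here is an added example written for this article; it is not SecurEnvoy Data Discovery code and makes no claim about how that product works. It scans a small constructed corpus (three strings standing in for exported Confluence pages, Jira tickets and a file share) for three kinds of sensitive data the article mentions, email addresses, UK National Insurance numbers and payment card numbers, validates card candidates with the Luhn check digit so that arbitrary 16-digit strings are not reported, and produces a redacted report so the findings list itself does not become another copy of the data. The file names and patterns are simplified assumptions for illustration; a production scanner would use a far broader and tuned rule set.

```python
"""Toy sensitive-data discovery scan over a constructed corpus (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Structural patterns for the three data kinds covered here. The NI-number
# pattern excludes letters HMRC never issues but does not encode every prefix
# rule; the card pattern accepts 13-19 digits with optional space/dash separators.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    source: str   # file or record the value was found in
    kind: str     # "email", "nino" or "card"
    masked: str   # redacted form that is safe to put in a report


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(kind: str, value: str) -> str:
    """Redact a matched value so the report does not leak the data it found."""
    if kind == "card":
        digits = re.sub(r"\D", "", value)
        return "*" * (len(digits) - 4) + digits[-4:]
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    compact = value.replace(" ", "")        # NI number: keep prefix and suffix letter
    return compact[:2] + "******" + compact[-1]


def scan_text(source: str, text: str) -> list[Finding]:
    """Classify every sensitive value in one document."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding(source, "email", mask("email", m.group())))
    for m in NINO_RE.finditer(text):
        findings.append(Finding(source, "nino", mask("nino", m.group())))
    for m in CARD_RE.finditer(text):
        # Many long digit strings are order ids or phone numbers; keep only
        # candidates whose check digit is valid.
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding(source, "card", mask("card", m.group())))
    return findings


def scan_corpus(docs: dict[str, str]) -> list[Finding]:
    out = []
    for source, text in docs.items():
        out.extend(scan_text(source, text))
    return out


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per data kind, the figure a risk-profile report starts from."""
    return dict(Counter(f.kind for f in findings))


def report(findings: list[Finding]) -> str:
    lines = ["Sensitive data findings by kind: " + str(summarise(findings))]
    for f in sorted(findings, key=lambda f: (f.source, f.kind)):
        lines.append(f"{f.source}: {f.kind} {f.masked}")
    return "\n".join(lines)


# Constructed sample documents (hypothetical paths and values, not real data).
DOCS = {
    "confluence/onboarding-notes.txt": (
        "Customer Jane Doe, NI number AB 12 34 56 C, email jane.doe@example.com, "
        "card 4111 1111 1111 1111 (exp 12/26)."
    ),
    "jira/TICKET-42.txt": (
        "Order ref 4111 1111 1111 1112 fails the check digit, so it is not a card. "
        "Contact: support@example.com"
    ),
    "share/quarterly-report.txt": "Revenue grew 12% year on year; no personal data here.",
}

if __name__ == "__main__":
    print(report(scan_corpus(DOCS)))
```

Running the file prints one redacted line per finding plus the per-kind totals; the quarterly report yields nothing, and the Jira ticket's near-miss digit string is rejected by the Luhn check rather than inflating the card count.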
Published: 5 December 2023
Category: Industry News, Industry Research