Will Your Lending Program be GDPR Compliant by May?
General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. That’s just three short months away, and most companies say they aren’t ready. According to survey results published by Ovum, two-thirds of global companies believe they’ll need to change their business strategy to conform to new security guidelines. And half the businesses governed by GDPR believe they’ll be fined for non-compliance. The penalties are harsh. The fine for a serious data breach could be as high as 4% of annual global turnover, or €20 million, whichever is greater.
GDPR is one of the reasons Gartner, Inc. predicts corporate spending on information security will rise to $93 billion in 2018.
Governments and consumers don’t blame hackers when there’s a security breach. They blame lenders for not providing adequate protections. It’s tough to argue with their logic when we consider the volume of data we gather, as well as the highly sensitive nature of this information. And, unfortunately, the ripple effect from the Equifax breach has cast a gray cloud over much of the financial services industry.
What exactly is GDPR? And how will it affect your lending operation?
GDPR is a body of regulations designed to protect the privacy of European Union (EU) citizens. It defines “personal data”, so lenders understand what type of information must be protected. And it regulates how that information is collected, stored and transmitted within the EU, as well as how it is transmitted and stored outside of the EU. In our global economy these new rules will impact every lender based in an EU country (the “data controller”) as well as any company with whom the lender shares its customers’ personal information (the “data processor”). This group of “data processors” includes a wide variety of vendors, such as technology developers, data processing firms and credit scoring agencies located in Europe, the United States, Asia, Russia and South America. The “data controller” is accountable and financially liable for any non-compliance on the part of a “data processor”.
One of the challenges for lenders is that GDPR sometimes provides a general guideline without specific implementation detail. For example, the regulation requires companies to provide a “reasonable” level of protection, but it doesn’t clearly define the term “reasonable”.
GDPR Compliant Lending Platforms
Many small to mid-size lenders outsource their regulatory compliance and cyber safety programs. Or they leverage LaaS platforms with built-in compliance and cybersecurity features. One of the benefits of these platforms is that they’re upgraded in the cloud on a regular basis, which ensures they stay current with constantly changing banking rules.
Good cybersecurity developers are paranoid by nature. At TurnKey Lender we place a special value on this personality quirk. It’s just one weapon in our arsenal against cybercrime, and it’s one of the reasons our platform is a category leader in GDPR compliance.
Our developers use a strategic approach that includes two overarching components.
First, prevent hackers from gaining access to the system. And second, encrypt and obfuscate data to safeguard information in case of a breach.
Prevent Hackers from Accessing the System
- Our information security management system (ISMS) strictly adheres to ISO 27001:2013 policies and procedures during development, testing and customer data processing.
- Platform architecture conforms to guidelines published by the National Institute of Standards and Technology (NIST) in their Guide to Secure Web Services; as well as the guidelines published by the Open Web Application Security Project (OWASP).
- NIST and OWASP guidelines establish security standards for identification, authentication, authorization, integrity, non-repudiation, confidentiality and privacy.
We maintain these standards with technical mechanisms like:
- defenses against SQL injection and cross-site scripting (XSS)
- HTTPS in place of plain HTTP
- TLS 1.3 in place of the deprecated SSL 2.0 and 3.0
- XMLSec (XML Encryption and XML Signature) for signing, verifying, encrypting and decrypting XML documents
- XACML for fine-grained authorization management and access control
- WS-SecurityPolicy to protect web service applications
- encrypted connection strings and other security-sensitive data source parameters
- user authentication via Active Directory, form-based, risk-based and proxy authentication methods
- user session time-outs
- digital signatures for customer data
- Platform architecture is designed to house each client’s data set in a separate, secure database.
- Client account administrator retains sole permission to access their database, thereby controlling internal rights access and preventing insider threats.
Safeguard Data in Case of a Breach
- Use the Windows Data Protection API (DPAPI) to encrypt sensitive personal information stored in the database. These proven cryptographic routines operate at the system level.
- Salt and hash passwords before storage, so that an attacker who obtains the database cannot recover any usable password information from it.
- Use .NET SecureString to process encrypted data. Information remains encrypted even if a memory dump is captured during transmission.
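The two bullets on salted password hashing and DPAPI translate into a small amount of code on the .NET platform the post describes. The example below is added here for illustration and is not TurnKey Lender’s code; it assumes .NET 6 or later, and the DPAPI part additionally assumes Windows and the System.Security.Cryptography.ProtectedData package. The class and method names (CredentialStore, HashPassword, VerifyPassword, ProtectField, UnprotectField) and the sample values are constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not TurnKey Lender code. Assumes .NET 6+ (Rfc2898DeriveBytes.Pbkdf2,
// RandomNumberGenerator.GetBytes); ProtectField/UnprotectField assume Windows and the
// System.Security.Cryptography.ProtectedData package. All names here are hypothetical.
public static class CredentialStore
{
    // PBKDF2-HMAC-SHA256 parameters. The iteration count is the tunable cost factor
    // that slows down offline guessing if the password table ever leaks.
    private const int SaltSize = 16;        // 128-bit random salt, unique per password
    private const int KeySize = 32;         // 256-bit derived key
    private const int Iterations = 600_000;

    // Produces a self-describing record "pbkdf2-sha256$iterations$salt$hash" so the
    // iteration count can be raised later without breaking existing users.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt, Iterations, HashAlgorithmName.SHA256, KeySize);
        return $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
    }

    // Re-derives the key from the stored salt and parameters, then compares in
    // constant time so response timing does not reveal how many bytes matched.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations <= 0) return false;
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // DPAPI: encrypts one sensitive field (for example a national ID number) under the
    // service account's key before it is written to the database. The optional entropy
    // binds the blob to this application; it must be kept outside the database.
    public static byte[] ProtectField(string plaintext, byte[] optionalEntropy) =>
        ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), optionalEntropy,
                              DataProtectionScope.CurrentUser);

    public static string UnprotectField(byte[] ciphertext, byte[] optionalEntropy) =>
        Encoding.UTF8.GetString(ProtectedData.Unprotect(ciphertext, optionalEntropy,
                                                        DataProtectionScope.CurrentUser));

    public static void Main()
    {
        // Constructed sample: two users choose the same password. Because each record
        // gets its own salt the stored hashes differ, so a leaked table cannot be
        // attacked with one precomputed table for all users.
        string first = HashPassword("correct horse battery staple");
        string second = HashPassword("correct horse battery staple");
        Console.WriteLine($"distinct hashes for identical passwords: {first != second}");
        Console.WriteLine($"correct password verifies: {VerifyPassword("correct horse battery staple", first)}");
        Console.WriteLine($"wrong password verifies: {VerifyPassword("wrong password", first)}");

        if (OperatingSystem.IsWindows())
        {
            // Constructed sample field; the entropy would normally live in app configuration.
            byte[] entropy = RandomNumberGenerator.GetBytes(16);
            byte[] blob = ProtectField("ID-EXAMPLE-0001", entropy);
            Console.WriteLine($"DPAPI round trip: {UnprotectField(blob, entropy)}");
        }
    }
}
```

The two halves cover different threats: the password hash protects against an attacker who steals the user table and tries to recover passwords offline, while the DPAPI blob protects stored personal data whose plaintext the service itself must still be able to read. Neither replaces the other, and neither is a substitute for keeping the database itself locked down as the earlier list describes.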
GDPR Check-up – 50% of Companies Out-of-Compliance
A single data breach can bankrupt a small to mid-size lender. That’s why it was always “just good business” to protect customers’ personal data. And now the potential for GDPR penalties further increases the importance of a safe, secure lending system.
TurnKey Lender reduces GDPR compliance risk. The cloud-based platform includes cybersecurity and data privacy protections that already conform to GDPR guidelines. It’s fast and easy to deploy, which makes it an effective GDPR solution.
Reach out to take advantage of a complimentary GDPR Check-up.