Image credit: Dan Kitwood/Getty Images

Why GDPR has had a greater impact on financial services than any other sector

The EU’s General Data Protection Regulation (GDPR) has had a greater impact on the cyber security practices of the financial services industry than any other sector of the economy, according to new government research.

The Department for Digital, Culture, Media and Sport (DCMS) commissioned a survey last year of more than 1,200 business leaders as part of a package of work aimed at identifying new regulations that could bolster Britain’s cyber defences.

The results, published today (28 August), reveal that the financial services (FS) sector appears to have been the most strongly influenced by GDPR. Every respondent working in finance and insurance said that all of the changes in their organisation’s cyber security in the last three years were at least to some extent a result of the regulation.

This compared to a cross-industry average of 82 per cent. The arts and entertainment (94 per cent), retail (90 per cent), education (89 per cent), health (89 per cent), and public administration and defence sectors (89 per cent) were the six other industries to have trended significantly above average when it came to the influence of GDPR.

Financial services organisations were also more likely to have made changes to their cyber security than any other sector. As part of a literature review, the research report noted a previous Deloitte study that showed finance businesses had found compliance easier than those in other industries. “It suggests that this was due to a history of complying with strict privacy and data protection rules set by financial regulators, which required a strategic approach and detailed procedures,” the report states.

Some areas of security are more equal than others

While the research reveals that GDPR has had a positive impact on governance, risk management, data security and systems security, its impact on procurement and supply chain risk management has been weaker.

“Organisations were also more likely to have made changes to data protection than other aspects of cyber security,” the report states. “This suggests that they could benefit from taking a resilience approach, emphasising the importance of improving the detect, respond and recover aspects of cyber security, as well as preventative aspects.”

The government is particularly interested in exploring the impact of GDPR on large businesses with complex supply chains, managed service providers, local authorities and providers of essential public services. In doing so, it hopes to identify the areas in which there is a shortage of existing guidance or regulation.

The call for evidence, DCMS said, “highlighted that there is also support for organisations to be required to take more responsibility and accountability for effective cyber risk management through the implementation of additional regulation, either to increase responsibility and accountability at the senior level or more generally to stimulate investment in effective cyber risk management”.

The report’s authors added: “We will be utilising forthcoming fiscal events including the Comprehensive Spending Review and opportunities such as the publication of a new digital strategy in the Autumn to shape a refreshed strategic approach to cyber resilience, one that reflects the new post-Covid reality.”