Information security frameworks for assisting GDPR compliance in banking industry


Purpose
Data can nowadays be seen as the main asset of organizations, and data leaks have a considerable impact on an organization's image and revenues, with possible consequences for the affected clients. Banking is one of the most critical industries in this respect. Information security frameworks (ISF) have been created to assist organizations, and other frameworks have evolved to keep these domain practices up to date. Recently, the European Union created the general data protection regulation (GDPR), applicable to all organizations processing personal data of citizens residing in the European Union. Although a general regulation, GDPR implementation needs to align with the laws and policies of some industries, especially the banking industry. How these ISF can assist the implementation of GDPR is not clear.


Design/methodology/approach
The design science research process was followed and semi-structured interviews performed.


Findings
A list of practices to assist the banking industry in GDPR implementation is provided, together with a mapping of each practice to the assessed ISF and to the GDPR requirements it addresses.


Research limitations/implications
As GDPR is a relatively recent subject, it is hard to find experts in the area, and harder still to find people experienced in both GDPR and the banking industry. That is one of the main reasons this study does not include more interviews.


Originality/value
This research provides a novel artefact to the body of knowledge. The proposed artefact lists which ISF practices banks should implement to comply with GDPR. In doing so it provides a centralized view of which ISF (or parts of them) could be implemented to help banks comply with GDPR.


service users may also benefit from the free movement of data if it results in growing businesses with improved and personalised services (Ayala-Rivera & Pasquale, 2018). The banking industry is one of the most regulated industries in the world, mainly because its giant reserves of rich data make it a large and attractive target for ambitious attackers; the DS therefore expect their PD to be secured and protected by the most robust processes and technologies. This means that information security (IS) must be a priority throughout this industry to ensure that all transactional processes are efficient, reliable, secure and compliant (Sydekum & Networks, 2018). Based on this, and since organizations, and in particular a set of critical sectors, need to rearrange their own processes and technologies to become compliant with GDPR, this research focuses on the banking industry. Therefore, this research aims to investigate how current ISF can help banks comply with GDPR.

GDPR
The GDPR was designed to harmonize DP laws across Europe in order to give individuals greater protection and greater control over their PD in the face of new technological developments. Moreover, GDPR applies to all organizations that handle PD about EU residents, regardless of their physical location (Ayala-Rivera & Pasquale, 2018; Cardoso-Cachopo & Oliveira, 2003). GDPR brings two elements not seen before in DP. First, DP obligations are enforced with substantial fines: infringements can be fined up to 20 million € or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The second is its territorial scope. The regulation applies not only to EU companies but to every company selling into the EU or marketing to EU residents (Krempel & Beyerer, 2018). This does not mean that a company outside the EU is covered merely because it has a website accessible from the EU; it is covered because compliance is required when offering goods or services to DS in the EU (or when monitoring their behaviour). This regulation has four major focus points: accountability, transparency, protection and reliability. GDPR brings an onus to collect PD for specific purposes only, to uphold the trust of the person who provides the PD, to maintain and protect the information and to erase it when no longer required. PD and special category personal data (SCPD) must be protected, and through GDPR the EU is safeguarding the economic value of digitally kept information about its citizens. In the wrong hands, an amalgamation of multiple data points about the same individual can lead to identity fraud (Philip, 2019). Moreover, although some of the GDPR obligations were already specified in the Data Protection Directive 95/46/EC, these were mainly perceived as "recommendations". Therefore, most organizations have only recently started to implement measures to comply with the GDPR (Ayala-Rivera & Pasquale, 2018).
The major challenge for a solid implementation of the GDPR is therefore that organizations lack awareness and understanding of the changes and requirements that the GDPR enforces through its new rules. These requirements have various practical implications for the organisational design of systems, practices and processes, as well as for personnel training (awareness) and the assignment of new responsibilities within organisations (accountability). In short, they create the need to review current DP practices, technological DP measures and IS measures, and possibly to plan new ones, to ensure compliance with the GDPR (Ayala-Rivera & Pasquale, 2018). Additionally, frequent communication between IS and privacy teams is considered crucial for effective overall enterprise cybersecurity (Heimes, 2016).

Related Work
This section explores what the scientific community has been studying regarding the application of ISF to the GDPR domain or to GDPR implementation. Table 1 presents the seven relevant documents found on these research topics. Of these, only two explore the implications of implementing GDPR and four explore the use of ISF.

Table 1 (recovered column headings): ISO 27001 & COBIT; Generic
Overall, the related articles mention the difficulties of implementing GDPR and the lack of awareness among companies. This happens because GDPR is a recent subject and does not prescribe concrete measures; instead it asks every industry that manages PD to implement the requirements according to its level of risk. Four studies argue that ISF (ISO 27001 or COBIT) may help organizations achieve the level of compliance required by GDPR, since ISF are not new and offer more concrete guidelines for implementing IS measures, reducing the risk of data breaches. However, none of these studies provides insight into how the ISF can do this. As can be seen in Table 1, there is no related work investigating how ISF can help with GDPR compliance. Moreover, the few existing studies focus on preparation without using ISF and are generic to all industries.
To sum up, there are studies pointing to ISF as useful for helping companies comply with GDPR, but no study provides practical insight into how that can be done, nor any that addresses the banking industry. As one of the most regulated industries, banking faces several legal aspects in managing and protecting clients' data (Betron, 2012; Irwin, 2018). With the appearance of GDPR, banks now have more compliance challenges when using clients' data and more legal aspects to deal with in most phases of the personal data handling process (Gruschka, Mavroeidis, Vishi, & Jensen, 2019). The authors expect to collect some qualitative information about the legal aspects and implications of GDPR adoption in the banking industry during the research, but that is not the focus of the investigation. Instead, this research is broader in nature and insights on several aspects are expected. Therefore, this research intends to contribute novel insights on how ISF can assist banks in GDPR adoption and compliance.

Research Methodology
This research applies design science research (DSR) in order to design, build and evaluate how current ISF can help banks comply with GDPR. Since this research aims to expand the limits of human and organizational capabilities by creating artefacts, invoking the Design Science Research Methodology (DSRM) is the right choice (Hevner, March, Park, & Ram, 2004; Peffers, Tuunanen, Rothenberger, & Chatterjee, 2007). Figure 1 presents the DSR process applied in this research.

Figure 1 -DSR Process Model
The first two activities of this process have already been mentioned, in the respective chapters.
The design and development activity is where all the design of the proposed artefact is performed. The demonstration and evaluation activities are where the authors show that the artefact can be used in practice and where its validity is assessed. By conducting semi-structured interviews, the work developed is validated and its applicability to the banking industry demonstrated, by collecting which of the practices proposed in the research are already used by the interviewees. The interviewees are experienced professionals in the areas of DP or IS, and all of them work in the banking industry. Finally, in the communication activity, the authors submit the main findings to respected journals of the area.

Design
This research aims to investigate how ISF can assist GDPR compliance in the banking industry. To pursue this goal and design the artefact, the authors performed a set of steps. Figure 2 synthesizes the design of the proposed artefact. Four steps were performed sequentially; the final step was used to demonstrate and evaluate the proposed artefact.
R -Requirement (requirements from the GDPR, i.e., the articles); C -Concept (concepts extracted from the requirements); IS -Information Security Frameworks (ISF that exist in the market); P -Practices (practices or controls from the ISF); I -Interview (in-person interviews to obtain qualitative data for the research)

Step 1 -Elicitation of the List of Concepts
The first part of the design consisted in reading the entire GDPR (11 chapters and 99 articles) and extracting from each article the concepts related to the security of data, DP and the rights of DS. It must be noted that articles concerning DPA obligations, such as investigations carried out into data breaches or the penalties that could be applied to organizations, were not considered.

Step 2 -Choice of IS Frameworks
Several ISF exist. Although none is mandatory, organizations can be certified against some of them to attest their compliance with IS requirements. These frameworks offer a solid base from which to start implementing IS in organizations, providing structures and practices not present in GDPR.

Step 3 -Mapping Concepts with Framework Practices
After completing Step 1 and Step 2, the concepts were mapped to each ISF. For each elicited concept, one or more practices from the frameworks were selected when they met the requirement of the concept. For each concept on which GDPR gives no specific instruction on how to implement it, the authors sought practices in the ISF that could provide more precise instructions in order to achieve the appropriate level of compliance.

Step 4 -Conducting Semi-structured Interviews
This step aimed to demonstrate and evaluate the applicability of the artefact with experts in the area, i.e. people with experience in both the banking industry and GDPR. Therefore, interviews, a qualitative method, were chosen to elicit information on the subject. The goal of interviews is to collect data that cannot be obtained using quantitative methods, by interviewing people who give insight into the subject studied and their opinion of it (Hove & Anda, 2005). Several types of interview exist, such as structured, semi-structured and unstructured interviews (Seaman, 1999). This research used individual semi-structured interviews to obtain more information and to validate the practices that are applied in the banking industry; the questions were open-ended, with further information requested when necessary.

Development
The design of the artefact was described in the previous section. This section details each of the steps presented so the reader can better understand what was performed in each step and how.

Step 1 -Elicitation of the List of Concepts
The first part of the artefact consists in extracting from the GDPR articles/requirements all the concepts related to the security of data, DP and the rights of DS. For instance, in Figure 3 one can see the following concepts: Lawfulness, Fairness and Transparency; Purpose Limitation; etc. (EU Data Protection Regulation, 2016).

Figure 3 -Example of elicited concepts from article 5 Adapted from EU Data Protection Regulation (2016)
It should be noted that the same concept can be elicited from more than one article and that one article can yield more than one concept. At the end of this step, 37 concepts had been extracted from the 11 chapters (Table 2) and 99 articles that compose the GDPR. Some chapters were not considered since they concern DPA obligations (for example, independent supervisory authorities or the penalties that could be applied to organizations) and other subjects, and are therefore not directly related to the mandatory requirements placed on organizations. Table 3 exemplifies a set of concepts collected from article 5 (Figure 3).

Step 3 -Mapping Concepts with Framework Practices
In this step, for each of the identified concepts individually, the practices presented in every ISF were examined in order to check whether the practice can fulfil the level of compliance. The goal is, for each concept that gives no specific instruction on how to implement it, to find practices that give more precise instructions and can be applied in the banking industry to achieve the level of compliance. If a practice fulfils the requirement of the concept, it is added to the list. Some practices were used more than once because they can serve more than one concept and, as the next section shows, some may not be the most suitable for the concept or may not apply in the banking industry. Not all the concepts could be mapped to at least one practice from each framework, since there are some subjects that the frameworks do not fully cover; for example, the concept "Lawfulness, fairness and transparency" (Table 4) is not covered by ISO/IEC 27001:2013.

Demonstration and Evaluation
After the development of the artefact, the authors searched for experts in the banking industry and GDPR who were available to be interviewed. To choose the experts, the authors first looked at their personal contact lists and then at the LinkedIn professional network. Overall, 17 experts and 11 banks were invited to participate in the study. In the end, a total of seven experts from six banks accepted to be interviewed. The interviews were conducted in person at the headquarters of six Portuguese banks, with a total of seven interviewees from different departments, with different responsibilities and years of experience. All the selected interviewees have knowledge of GDPR, DP and IS. The requirements to participate in the study were:
• The expert should have participated in at least one GDPR project;
• The expert has professional experience in IS and/or DP.
The goal of the interviews is to demonstrate and evaluate the developed artefact. To conduct the interviews, a questionnaire was developed with the following structure. First, the header of the questionnaire is composed of generic questions (Table 5), to establish the experience of the interviewee in the banking industry and GDPR. Then, a set of questions about the interviewee's organization was presented. For each practice mapped to a concept, one question was formulated to understand whether the practice fulfils the concept, always in the context of the banking industry. For each of these questions the interviewee could choose one of the following: Not Applicable (N/A), Partially Compliant (PC), Fully Compliant (FC). Then, the interviewees were asked whether each of the elicited practices was being implemented at their organization (bank), with the following options: In Implementation (II), Implemented (I). The analysed frameworks were not revealed to the interviewees until the end of the interview, to avoid biased answers. Table 6 lists, as an example, the first concept and its mapped practices with the questions to be answered by the interviewees. In addition to these questions and when possible, additional (qualitative) information was gathered about the concepts and practices in the banking industry, as well as feedback about the implementation of the practices. At the end of the interview (Table 7), each interviewee was asked whether the listed concepts and practices were enough for a bank to comply with GDPR, whether the implementation effort would be smaller, and whether the interview was useful for increasing their knowledge.

Table 7 -Last notes
In your experience, with these practices do you think that a company can be compliant with GDPR? ☐Yes ☐No
If not, what do you think is missing?
With these practices, do you think that the effort of implementing GDPR can be less, compared to implementing the GDPR without these guidelines?
Do you think this interview is useful? ☐Yes ☐No
Table 8 gives an overview of the interviewees, as well as their knowledge of GDPR and frameworks. Regarding the interviewees' self-assessment of their GDPR knowledge, it is normal to find discrepancies between experience (in months) and the given rating, since the rating depends on each person's perception and on their degree of involvement in the projects during that period. Of the banks that participated in this study, half have more than 500 employees, as shown in Figure 4. All banks are present in Portugal, and four of them have an international presence.

Figure 4 -Number of employees
The interviewees stated that all the banks follow or apply a framework or set of best practices. The most used framework among the interviewed banks is ISO 27001, justified as being the reference ISF in Europe. The second most used framework is COBIT, related to IT governance and IS; this framework is widely used by IT auditors as a reference for the processes to be audited in the banking industry. Figure 5 shows the distribution of frameworks used in the banks. This list is not restricted to ISF.

Figure 5 -Frameworks followed/performed in the banks
As can be seen, most of the banks are of considerable size, with a strong international presence, which requires compliance with more laws than those applicable in Portugal alone. All the banks already follow at least one ISF; for instance, ISO 27001 is followed (at least partly) by all the interviewed banks. Moreover, there is a strong concern in this industry with compliance with this type of law, in order to avoid reputational damage. All the interviewees agreed that all the presented concepts are correct, and no further concepts were proposed as missing. Interviewees also agreed that all concepts are required to be in place. However, interviewees argued that some exceptions exist for this industry, since GDPR sometimes overlaps with other existing laws of the sector. At the end of each interview a set of questions was asked so that interviewees could assess the content and usefulness of the proposal. As can be seen in Table 9, all the interviewees considered that a bank can be compliant with these practices. Regarding the effort required to implement GDPR, all interviewees but one said that the effort decreases; the exception argued that it will always depend on the approach of each bank, and that if no ISF is already followed, the effort would be the same. The usefulness of the proposal was confirmed by all the interviewees.

Analysis and discussion of results
Because different interviewees gave different answers to the same question, this section analyses and discusses the results.

Analysis of the results
In order to separate practices into three groups (Not Applicable, Partially Compliant and Fully Compliant), a formula was created to obtain a score per practice, with the following assumptions:
• N/A = 0
• PC = 1
• FC = 2
• Score of each practice = (number of N/A answers * 0) + (number of PC answers * 1) + (number of FC answers * 2)
For example, in Figure 6 the practice "Identify lawful basis" has a score of 12, based on this calculation: (0*0) + (2*1) + (5*2) = 12.

Figure 6 -Concept and Practices with score
To differentiate the practices that are fully compliant with the concept from those that are partially compliant or not applicable, a range of values was created based on the score formula, as can be seen in Table 10. After applying the formula to all practices, 13 out of 37 concepts have practices that are fully compliant. This means that 35% of the concepts have at least one practice that addresses the entire concept in the banking industry. Table 11 lists the concepts that have at least one practice fulfilling the whole requirement, with the related practice(s). Table 12 lists the concepts whose practices scored seven or less. The information gathered during the interviews was enough to justify these low scores, most of which are due to the specificities of the industry. The next section presents the discussion and findings.

Discussion on Findings
For the "Security of Personal Data" and "Security of Processing" concepts, the opinion is that none of the existing practices is 100% compliant on its own. However, the presented set of practices, taken together, is what is required to be compliant in the banking industry.
Regarding the concept "Storage Limitation", six of the interviewees agreed that it is very difficult to implement due to the existence of legacy systems and many dependencies between them. This prevents the banks from deleting the information after the retention period; the solution is to rebuild the systems/applications, which are currently developed in technologies that are already obsolete.
Regarding "data portability", all the interviewees agreed that, despite a fully compliant practice existing, it is urgent to create a standard format for data portability between banks, like the one already widely used by telecommunications companies. Moreover, when transferring data to third parties, a bank may be required to transfer PD to other countries; for instance, it must comply with the Foreign Account Tax Compliance Act (FATCA), which requires PD about US citizens to be reported. All practices that refer to automated decisions have a low score because, in the banking industry, there are no fully automated decisions: there is some process automation, which is evolving fast (Santos, Pereira, & Vasconcelos, 2019), but the final decision is made by humans. For example, at this moment it is not possible to decide whether to grant a mortgage loan based solely on an automated decision.
Regarding the concept "Information to be provided where PD have not been obtained from the data subject", unlike other industries, banks can only obtain such data from their regulator, for the purposes of anti-money laundering and countering terrorist financing, or from other debtor blacklists.
In this case the DS cannot request rectification or erasure, because other laws/regulations overlap with the GDPR. If the information is incorrect, the DS must take this up with the home institution responsible for the incorrect data, and never directly with the bank. The practice "Review effectiveness of business process controls" is not necessary because it is very abstract and redundant, as more complete practices are outlined for the concept. The practices of the concept "Communication of a personal data breach to the data subject" had a low score because, in the interviewees' view, they are not within the scope of this concept: when reporting the incident to the DS it is not necessary to say what is being done to mitigate the problem, only to the regulator. (Note, however, that Article 34(2) GDPR requires the communication to the DS to contain at least the information referred to in Article 33(3)(b), (c) and (d), which includes the measures taken or proposed to address the breach.)

Table residue (recovered practice names): "Response to information security incidents"; "Define classification schemes for incidents and service requests"
As can be seen in Table 13, the average practice score per concept indicates that most concepts are in the partially compliant range. This is in line with the interviewees' comments that, in the banking industry, most practices complement each other to comply with the concept. The overall average across the concepts is 9.7, which falls within the partially compliant range. Two concepts have a score below 8; as explained earlier, most of their practices do not apply in the banking industry, although the concepts themselves are necessary. These results reinforce the interviewees' comments that the practices, with the exception of those removed (Table 12), complement each other, thus yielding a list of good practices from the main ISF that help in GDPR implementation.

Conclusion
This research aimed to explore how current ISF can help banks comply with GDPR. The main GDPR concepts (requirements) in this field were elicited and then mapped to the practices of the chosen ISF. Subsequently, semi-structured interviews were conducted with experts working in the banking industry. Several conclusions can be drawn about the specificities of the banking industry, ISF and GDPR implementation. According to our findings, an ISF is a good starting point for implementing GDPR and for obtaining more specific instructions on how to implement controls to mitigate the IS and DP risks to which organizations are exposed.
In terms of particularities of the banking industry, the main findings are:
• When PD have not been obtained from the DS, the DS cannot deny consent, since other laws require the processing;
• There are no completely automated decisions;
• Storage limitation is very difficult to implement, even though it is mandatory and applicable in this industry;
• There is no template for data portability between banks;
• Other laws can overlap with GDPR, such as FATCA and anti-money laundering and counter-terrorist financing legislation;
• With the use of ISF, banks can work towards certifications of compliance, for example by implementing the full set of ISO 27001 controls, because the GDPR expressly provides that adherence to approved certification mechanisms may be used as an element to demonstrate compliance (although an ISO 27001 certificate is not in itself an approved certification under Article 42 GDPR).
In general, the interviewees are satisfied with the proposal because of its ability to improve GDPR implementation and reduce the level of effort. With these practices they also have a more solid view of what to do to comply with GDPR. However, no single ISF has practices for all concepts. This is due to several factors:
• Only ISO/IEC 27552 (published as ISO/IEC 27701) was developed with GDPR in mind;
• NIST SP 800-53 is very technical and oriented to IS and DP;
• ISO 27001 was, at the time of writing, last updated in 2013, when DP was not yet a hot topic;
• COBIT is very focused on the governance and management of IT, although it was updated in 2019 and added new IS controls.
However, the ISF used in this research complement each other. Considering this research goal, one may argue that it is possible for ISF to assist in the implementation of GDPR, achieving compliance and thereby decreasing the level of effort required.
In conclusion, the research question, "How can current ISF help banks comply with GDPR?", was answered positively, even if more than one ISF may be required. This research contributes by exploring an area that had not been properly explored, improving the body of knowledge on how banks can implement GDPR using ISF. Some limitations exist. This research grounds its demonstration and evaluation on the knowledge of the interviewees and their organizational context. Moreover, the interviews were performed with experts who work in Portugal. More interviews should be performed in the future, ideally including interviewees from other countries: despite being a rigid industry, regional and cultural differences may influence the implementation of these domains (Pereira & da Silva, 2012). Legal aspects and implications of GDPR adoption also deserve further investigation in such a critical industry. Other techniques (case study, Delphi, survey, etc.) can also be used to cross-check results and find new insights.