The GDPR is the most significant revision of privacy law since the introduction of the original EU 1995 data protection directive, and it goes live in May 2018.
Potentially, this is one of the biggest challenges faced by the financial services industry in recent times.
The wide-ranging legislation introduces additional liability risk, governance responsibilities and costs to everyone that processes personal data related to individuals in the EU. It’s structured around two key aims: to strengthen trust in the digital economy by placing individuals in control of their own data; and to create a harmonised regulatory framework for businesses through universal application of the regulation across all member states.
GDPR not only has a scope that extends beyond Europe, it’s loaded with requirements to make businesses more accountable for their data practices that can appear overwhelming. So what challenges will GDPR bring to the financial services industry?
GDPR strengthens customers' rights over their personal data, meaning anything that can be used to identify an individual, whether it relates to his or her private, professional or public life. This can range from location data and contact details through to biometric data and details of a person's ethnicity, the last two falling into the 'special categories' of data that attract stricter conditions.
This means the financial services sector must establish a valid lawful basis for each use of personal data and, where that basis is consent, obtain it explicitly. It will no longer be possible to rely on automatic opt-ins or pre-ticked boxes, and organisations will have to be specific about each purpose for which the data is collected. Sharing data with third parties for a new purpose will also require its own basis or permission.
In addition to these enhanced rights, individuals will have the right to be forgotten through erasure of their data. From 25 May 2018, individuals can directly request removal of their data from financial services records. The right is not absolute: organisations may retain data they need to meet a legal obligation, such as statutory record-keeping requirements, but they must be able to show which records fall under that exemption and why.
After GDPR comes into effect, financial services organisations will be obliged to report a personal data breach to their supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must describe the nature and scope of the breach, its likely consequences, the measures taken in response and contact details for the Data Protection Officer. Where the breach is likely to result in a high risk to the affected customers, the organisation will also have to notify them without 'undue delay'. Meeting a 72-hour clock presupposes that the organisation can detect a breach and establish its scope quickly, which is as much a logging and incident-response capability as a legal one.
The financial consequences of a breach will be significant. GDPR allows fines of up to four per cent of the organisation's annual worldwide turnover or €20 million, whichever is higher, for the most serious infringements such as breaching the basic principles of processing or data subjects' rights. A lower tier, covering obligations such as security measures and breach notification, carries penalties of up to two per cent of annual worldwide turnover or €10 million.
However, fines will ultimately matter less than the cumulative effects of brand damage, share price impact and customer churn. The TalkTalk incident illustrates this: one of the biggest data losses in British corporate history, it affected 150,000 customers and led to a 20 per cent fall in share price, £60 million of lost revenue and the loss of over 101,000 customers.
GDPR takes a 'helicopter' view of compliance and requires end-to-end accountability for keeping personal data secure. Financial services organisations will therefore need to understand every flow of personal data across their many systems, including where it is copied into analytics, test and outsourced environments. This is a significant challenge for global companies with complex structures and worldwide data processing.
Further uncertainty stems from the fact that GDPR prescribes no specific security controls or compliance checklist. Article 32 instead requires 'appropriate technical and organisational measures' proportionate to the risk, naming pseudonymisation, encryption, resilience and regular testing of controls as examples, and it expects that protection to be continuous rather than a point-in-time certification.
GDPR does not require every record to be pseudonymised, but it names pseudonymisation, replacing direct identifiers with artificial ones that can only be re-linked using separately held information, as a measure to be considered both in system design (data protection by design, Article 25) and in securing processing (Article 32). Applied on a 'need to know' basis, so that identities are masked in every environment that does not genuinely need them, including test, analytics and support copies of live data, this may mean financial organisations need to re-model their systems, which is a significant undertaking to complete before May 2018.
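The following Python is an added illustration of the pseudonymisation described above; it is not code from the original article or from any named vendor. The customer records, field names and the key-management function are constructed assumptions. It contrasts an unkeyed hash, which a dictionary attack on low-entropy values such as customer numbers reverses in milliseconds, with an HMAC under a secret key that stays outside the masked environment, and adds a release check that no raw identifier survives.

```python
"""Pseudonymise customer records for environments that do not need identities.

Added example, not from the original article. The schema, sample records and
key-management hook below are assumptions made for illustration.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional

# Fields treated as direct identifiers (assumed schema for this example).
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "phone")

# Constructed sample records, not real customer data.
SAMPLE_CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Jane Example",
     "email": "Jane.Example@example.com", "phone": "+44 20 7946 0000",
     "balance": "1520.00", "branch": "LDN-03"},
    {"customer_id": "C-1002", "name": "John Sample",
     "email": "john.sample@example.org", "phone": "+44 20 7946 0001",
     "balance": "-40.12", "branch": "MAN-01"},
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def new_pseudonymisation_key() -> bytes:
    """Hypothetical key-management hook: in practice the key lives in an HSM
    or secrets manager and never enters the masked environment."""
    return secrets.token_bytes(32)


def normalise(value: str) -> str:
    """Canonicalise before tokenising so 'Jane@X.com' and 'jane@x.com' map to
    the same token and joins across systems still line up."""
    return " ".join(value.strip().lower().split())


def plain_hash_token(value: str) -> str:
    """Unkeyed SHA-256 truncated to 16 hex chars. Deterministic, but anyone who
    can guess candidate values can reverse it (see dictionary_attack)."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()[:16]


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Still deterministic for joins, but
    without the key a token cannot be recomputed from a guess, which is what
    makes the result pseudonymous rather than merely hashed."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return a copy of the record with direct identifiers replaced by keyed
    tokens; non-identifying fields (balance, branch) are left as they are."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = keyed_token(out[field], key)
    return out


def contains_raw_identifier(record: Dict[str, str]) -> bool:
    """Release check for a masked data set: flag any value that still looks
    like an e-mail address or a raw customer number (assumed 'C-' prefix)."""
    for value in record.values():
        if EMAIL_RE.search(value) or value.startswith("C-"):
            return True
    return False


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """Reverse an unkeyed token by hashing guesses. Customer numbers and
    e-mail addresses are low-entropy, so this is cheap against plain hashes."""
    for guess in candidates:
        if plain_hash_token(guess) == token:
            return guess
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    masked = [pseudonymise(r, key) for r in SAMPLE_CUSTOMERS]
    for r in masked:
        print(r)
    assert not any(contains_raw_identifier(r) for r in masked)
    # Unkeyed hashing of a customer number falls to a dictionary attack;
    # the keyed token matches none of the same guesses.
    guesses = [f"C-{n}" for n in range(1000, 2000)]
    print(dictionary_attack(plain_hash_token("C-1001"), guesses))
    print(dictionary_attack(keyed_token("C-1001", key), guesses))
```

Two design points matter in practice. Keeping the tokens deterministic preserves joins between masked tables, which is why a keyed function rather than random tokens is used here; rotating the key therefore re-tokenises the whole data set and must be planned. And the same key must never be deployed into the environment that consumes the masked data, otherwise the data is reversible there and is no longer pseudonymous in the sense the regulation intends.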
GDPR is both a challenge and an opportunity for the financial services sector. The sheer amount to be accomplished before the May 2018 deadline is daunting. However, it also presents an ideal opportunity for organisations to introduce beneficial change. GDPR is a chance to redesign your security strategies in a way that develops and maintains your customers’ trust in your brand.
For the latest information on how we can support you in your GDPR preparations, have a read of our white paper.