The European Union is introducing the new General Data Protection Regulation (GDPR) to safeguard its citizens by standardising data privacy laws and mechanisms across all industries. It also empowers EU citizens by making them aware of the kind of personal data institutions hold about them, and of their rights to data protection and privacy.
GDPR is a consent-based regime, and it carries the potential for severe penalties for non-compliance and violation. Individuals can request access to, or the removal of, their own personal data from companies and organisations. This is known as Data Portability. Financial institutions may keep some data to ensure compliance with other financial services regulations, but in all other circumstances where there is no valid justification, the individual's right to be forgotten, if they wish to exercise it, applies. This is, of course, what has prompted the recent flurry of consent permission emails we have all been receiving in our inboxes!
So, GDPR has been firmly centre stage on board agendas across financial services institutions over the last year, with the sector busy preparing, and now in a good place, for its implementation on Friday 25 May. Of course, the financial services sector is long accustomed to data management compliance for both prudential and conduct regulation (e.g. Senior Management Arrangements, Systems and Controls (SYSC), Know Your Customer (KYC) and Anti-Money Laundering (AML)), both in the UK and the EU.
Financial institutions handle and collate numerous types of customer data for client or customer onboarding, payments and trade transactions, ongoing relationship management and accounting. But GDPR, with its additional strengthened and enhanced data management protocols, still represents a step change for financial services, particularly since there are multiple and complex touch points here.
Historically, financial services companies and organisations have kept data for significant periods of time. Now data protocols have been streamlined to minimise and restrict the movement of data and to improve accuracy. A letter containing customer-specific information, e.g. a statement, going to the wrong address could be considered a breach under GDPR. After the Talk Talk breach, banks received queries from their customers because the compromised data included bank details.
Open Banking: the financial services sector is also facing a double whammy, as GDPR comes hot on the heels of January's implementation of the Open Banking reforms and the revised Payment Services Directive (PSD2). This has created an expanded data interface and ecosystem, and new business relationships between customers and financial institutions in the shape of Third-Party Providers (TPPs). Now, authorised TPPs have access to customers' data via financial institutions' enabled open source APIs, all operating in a strengthened data security, authentication and consent framework under both PSD2 and GDPR.
Third parties: the increased trend towards outsourcing and third-party contractual arrangements, particularly with Open Banking, means an expanded data exposure universe. As GDPR imposes end-to-end accountability to ensure client protection, obligations fall on both financial institutions and the third-party external vendors and outsourcing parties they contract with. Financial institutions need to manage their contracts with third parties carefully, as this represents a key risk to them.
GDPR breach: previously, firms were able to adopt their own protocols in the event of a data breach. Now, GDPR mandates that the Data Protection Officer (DPO), an assigned individual who has overall responsibility for ensuring compliance with all relevant data protection regulations, notify any data breach (with details of its nature, the types of data involved and the number of individuals impacted) to the relevant supervisory authorities within 72 hours. The customer must be notified too, with remediation provided ‘without undue delays’.
This is sobering stuff! Liability in the event of any breach is significant. For serious violations, such as failing to gain consent to process data or breaching privacy by design, companies may be fined up to €20 million or 4 per cent of their global turnover (whichever is greater), while lesser violations, such as records not being in order or failure to notify the supervisory authorities, can still incur fines of 2 per cent of global turnover. Of course, there is also the additional, more intangible, knock-on cost of reputational damage and loss of future business.
Subject Access Requests (SARs): companies and organisations will also need to deal with SARs, from both customers and employees, within 30 days (previously 40 days in the UK) to avoid complaints going to the commissioner.
Data ethics: the introduction of GDPR follows closely on from several high-profile data breaches and incidents, most notably those involving the social media site Facebook and Cambridge Analytica, plus Talk Talk. As well as unethical usage and negligence, GDPR comes against a backdrop of a sharp rise in identity theft and wider cybercrime. So, consumers will migrate to trusted companies and organisations.
But good data management also offers companies and organisations the potential to achieve competitive differentiation, and confers greater benefits and growth opportunities in the wider digital economy. Therefore, a careful balance needs to be struck between exploiting commercial advantage and ensuring compliance with the new GDPR and wider regulatory frameworks.