By Stuart Lacey, CEO and founder of Trunomi
In 24 months the General Data Protection Regulation (GDPR) will come into force and fundamentally change the way that companies capture, manage and store information.
The new EU GDPR will apply to the management of all types of personal data belonging to any EU citizen, no matter the global location of the company processing the data. Financial institutions face the daunting prospect of having just two years to completely overhaul legacy systems and practices in order to comply.
The way that businesses are regulated to share, use and store customers’ personal data is an area that has long been under the microscope by regulators and consumers alike.
The existing regulation of personal data management dates back to 1995, a time before the majority of financial services providers had digital relationships with their personal and business customers. It harks back to a time when only one in 10 adults used the Internet.
Today, mobile and internet banking is being used for transactions worth nearly £1 billion a day in the UK alone, according to the BBA and EY. This step change in how personal data is used in the banking industry demonstrates the industry-wide drivers behind a new approach to data protection.
A new General Data Protection Regulation (GDPR) was approved by the European Parliament, European Commission and European Union in December 2015. Now that it has been formally adopted, financial institutions have just 24 months to comply.
As a Regulation and not a Directive it does not require any enabling legislation and must be adopted in May 2018 by all 28 member state governments.
What impact will the GDPR have?
There are three significant reforms within the legislation that will force all institutions to overhaul their existing systems and processes:
- Informed consent
- Data portability
- The right to be forgotten
When the GDPR comes into full force, every financial institution that collects, processes or shares an individual’s personal data will need to gain their ‘freely given, specific, informed and unambiguous’ consent, shown either by a statement or a clear affirmative action. Financial institutions must be able to demonstrate that consent was given.
In order to achieve informed and unambiguous consent for every specific use, financial institutions face a significant increase in customer communications. This must not only be managed from the perspective of the customer but also in terms of information storage and retrieval.
Put simply, a ‘one size fits all approach’ to capture consent is no longer sufficient. Banks will have to completely redraft the standard terms and conditions that are the bedrock of customer engagement.
The shrewdest institutions are already investigating innovative, digital means to manage this communications flow. However, it is not as simple as creating a process through which to ask for consent. Institutions must also consider the need to capture gained consent in an auditable workflow. Undertaking this task with anything other than an automated, secure, digital communication link with the customer would be a huge administration and compliance burden.
Financial institutions have been given given lengthy notice of the changes, but this is for good reason. Regulators recognise that existing, often manual, paper-based, systems are a long way from compliance with the GDPR. Banks need to completely overhaul their procedures and practices, which suddenly makes 2018 seem a lot sooner.
Looking beyond consent
Other key elements of the GDPR are the Right to be Forgotten and Data Portability. Both call for a digital approach that enables a more responsive and transparent information exchange, in line with the demands of the GDPR.
The essence of the Right to be Forgotten and Data Portability is providing customers with greater control over their personal data and digital identity.
For the Right to be Forgotten, the regulation stipulates that consent is only freely-given if the data subject (the consumer or entity) has genuine and free choice and, crucially, they are able to refuse or withdraw consent.
If consent is withdrawn, individuals can request and require the erasure of their personal data without undue delay.
Trunomi believes financial institutions must employ a ‘customer-driven’ approach to information sharing. This involves empowering the customer to both share and rescind data on a case by case basis. To this end, firms are exploring digital rights management services that create a digital ‘vault’ for customers to store their personal data.
Digital Rights Management also enables simplified and streamlined Data Portability, alongside the Right to be Forgotten. Under the GDPR, Data Portability will ensure that customers have the ability to request copies of their personal data in a useable format. They will then be able to transmit this data, electronically, to another processing system.
The consequences of non-complicance
With large multinational institutions front of mind during drafting, the GDPR will impose an eye-watering financial penalty of 4 percent of annual global turnover or €20 million, whichever is greater.
Potentially more damaging, however, is the reputational damage that non-compliance could cause. Customers and businesses alike have come to expect their data to be handled responsibly, and may vote with their feet if data is mishandled or misused. Earlier this year, UK telecoms firm, TalkTalk experienced a breach which led to more than 100,000 customers switching providers, costing the business £40m.
In the face of the comprehensive changes heralded by the GDPR, financial institutions are increasingly turning to regtech startups. Regtech businesses offer solutions that integrate with the banks’ existing technology, making it as simple as possible for them to ‘plug in’ compliance expertise and technology.
As financial institutions find themselves under growing legal scrutiny, exposing them to even greater reputation vulnerability, organisations would be foolish not to make every effort to reduce their corporate risk. This is particularly pertinent in relation to global data protection challenges.
In less than two years’ time, institutions will have to conform with this landmark data regulation. Before then, there is a mountain to climb. From a review of existing processes, to RFP, integration and deployment, those institutions that fail to start their GDPR journey soon may find themselves in a challenging position come May 2018.