Gary Arnold, Solutions Strategy Director
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, following its finalisation earlier this year, bringing with it sweeping changes to the data practices of Britain’s financial services institutions.
In a two part series, data-driven marketing experts, Occam, will look at what exactly the financial services sector need to know about the impact of GDPR and the action that is required. Part 2 will then look in more detail at the benefits of GDPR: How changing the way financial brands manage customer data can benefit their customer communications?
The GDPR knowledge gap
The GDPR has been a controversial piece of legislation. Not for nothing has it become the most lobbied regulation in the history of the European Parliament1, with some 4,000 amendments.
Yet, as Trend Micro discovered in research reported by Compliancy Services2, 20% of IT decision-makers in the UK are still unaware of the new regulation. 29% aren’t sure whether the GDPR will affect them (it will), and 18% don’t know that there will be fines for non-compliance.
In summary, the GDPR enshrines the following rights in law3:
- A “right to be forgotten”: The right to have information deleted, provided there are no legitimate grounds for retaining it.
- Easier access to personal data: A right to clear, understandable information on how your data is processed.
- A right to data portability: Making it easier for individuals to transmit personal data between service providers.
- The right to know when your data has been hacked: Companies and organisations must notify the national supervisory authority about data breaches which put individuals at risk.
- Data protection by design and by default: Data protection safeguards must be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm.
What action does the financial sector need to take?
In practice, the GDPR will mean the following for financial institutions:
Consent for processing a customer’s personal data must be freely given, and be specific, informed and unambiguous. For sensitive data of the sort held by banks and financial institutions, consent must be “explicit”.
Before a customer can open an account, be credit checked or receive a piece of direct mail, they must first provide you with demonstrable, informed consent.
Take action: Consider how your business collects, handles and stores its customer data, and shares that data with third parties.
- Compare the consents you currently request with the requirements of the regulation.
- Begin a process of data cleansing, deleting information you don’t need, and building new consent management policies to protect the data you need to retain.
Global scope: The GDPR extends to any organisation outside of the EU processing data relating to EU citizens. Whilst provision exists for bilateral treaties with third country authorities, the regulation could make life more difficult for financial businesses working in emerging markets.
Take action: Financial institutions already need to show a legitimate basis for transferring personal data internationally. But with the GDPR raising the potential sanction for non-compliance to 4% of global turnover, it’s more vital than ever to review the information you share, and the consents that govern that sharing.
Security: “By design and by default” means data protection must be at the heart of any new system design, and a user’s default settings must always maximise security.
For banks in a constant cycle of system reinvention to address other compliance issues, the “by design” element adds another element of complication to in-house IT.
Take action: Make GDPR compliance an early and mandatory stage of IT system design.
Data breaches & the right to know: Data breaches likely to present a “high risk” to individual rights and freedoms must be reported within 72 hours to the Data Protection Authority. Affected individuals should be sent notification of breaches “without undue delay”.
Take action: Establish data breach policies, including establishing extent, risk, and notification procedures. Test the new polices to ensure day-one compliance.
Data portability and the right to be forgotten:
Take action: Procedures will need to be able to respond to requests from day one. Put in place processes for transmitting or deleting data, and ensure that provision exists for:
- Determining whether there are legitimate grounds for retaining information.
- Informing applicants of such decisions.
The GDPR is here! There is no escaping its impending changes, which are fast approaching and the effects will be felt across all industries and sectors. While these steps are a starting point for brands looking to fall in line with new regulations, this is by no means purely a regulatory enforcement. As the impact of these changes will drastically alter the ways financial services brands communication with consumers for years to come – and certainly for the better.
In the second of this series, we will investigate how these changes to the GDPR will actually benefit data-driven consumer communications and look at how financial services brands can build trust with consumers and ensure data is used and managed in a strategic and ethical way.