A looming prospect: is the financial services industry ready for GDPR?

The General Data Protection Regulation (GDPR) represents the biggest ever change to how personal data is collected and handled. It affects not just companies based in the EU, but any organisation that conducts business there. And after a two-year period of implementation, the 25 May deadline is very much upon us.

The fundamentals of the regulation are quite simple: to give individuals more control over how their personal data is gathered, stored and handled by businesses. Some countries, such as the UK, already have quite stringent policies. In fact, the GDPR replaces and extends the UK’s Data Protection Act 1998 and brings all 28 member states up to the same standard.

Citizens have long expressed their worry over data protection. According to a January report by the European Commission, “nine out of ten Europeans have expressed concern about mobile apps collecting their data without their consent, and seven out of ten worry about the potential use that companies may make of the information disclosed”.

GDPR addresses these concerns in four key ways. First, individuals will gain the right to be forgotten, which means personal information can be deleted from any database provided there’s no legal reason for it to be retained. Second, organisations are obliged to explain, on request, how data is being stored and what it is being used for. The third is data portability: the right of the individual to transmit their personal data between service providers, whether a provider is willing or not. Finally, there is the individual’s right to know within 72 hours if their data has been hacked.

All of these measures combine to create a fundamental change in the relationship between companies and their customers. Data protection will now be baked into the contracts that govern those relationships, and customers will be able to seek redress if they don’t think a company is doing its job. The penalty for non-compliance is serious: failure can result in a fine equivalent to 4% of worldwide turnover or €20 million, whichever is higher.

A mixed bag for financial institutions

When it comes to adopting GDPR, financial services institutions are presented with both advantages and disadvantages. Having dealt with a slew of new regulations since the financial crisis, such as the numerous incarnations of Basel and MiFID II, most larger firms have the resources to react to new compliance requirements. For smaller firms with a narrower geographical focus, adoption shouldn’t be too big a headache.

That’s not the case for large multinationals, such as banks and insurance companies. Such institutions tend to have large amounts of highly sensitive employee and customer data, often sitting on multiple systems in different jurisdictions, making it difficult to track and trace.

With a month to go, there are few positive signs. According to a recent survey of 250 financial services firms carried out by Cordium and Ambergate, a compliance firm and a data protection firm respectively, only 2% of firms have finished putting their GDPR policies and procedures in place, and 59% said they were unprepared to report data breaches to the regulator within 72 hours.

“Lack of readiness is due to a failure by firms to understand their exposure to the regulation, as well as MiFID II’s earlier deadline, leaving GDPR to fall down the priority list,” says Michael Corcione, managing director, cybersecurity and data protection consulting services at Cordium. “With just a four-week window, firms should be practicing these procedures, not defining them.”

It’s no longer an option to take a single tick in a box as a sign of blanket approval. Ultimately, firms have to work their way into a position where informed consent is the norm. For example, a customer may want to receive their bank statement through the post but not information on new financial products. If they view that information as spam, lodge a complaint with the organisation and the mail continues to arrive, the next step might be a complaint to the data authority.

Where to begin

According to David Marchese, an intellectual property, privacy and media & technology consultant at law firm Gordon Dadds, the starting point has to be an internal data audit. He believes the volume of data isn’t necessarily the deciding factor; what matters more is the number of different systems it is stored on and how well defined the underlying permissions are.

“If you don’t know what personal data you are storing and using, where it came from, on what basis it was obtained, what it is used for, how accurate it is, and so on, you will have a task in implementing the GDPR,” he told Financial Director. “You will need to know whether you will be able to correct or delete incorrect data, and record your processing activities.”
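The audit Marchese describes, and the erasure right outlined earlier (deletion only where there is no legal reason to retain), can be expressed as checks over a register of processing activities. The following is an added example written for this article, not code from Gordon Dadds, Cordium or any firm quoted here. The register entries, field names, retention periods and the customer’s consent choices are all constructed assumptions; the retention period marked as a statutory duty is a placeholder, not a statement of what any law actually requires.

```python
"""Audit a register of processing activities and evaluate a data subject's
erasure request against it. Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Attributes the audit expects every processing record to carry. These mirror
# the questions in the quote above (what data, where from, on what basis,
# what for, how long) and are an assumption, not a published schema.
REQUIRED_FIELDS = ("system", "categories", "source", "lawful_basis", "purpose", "retention")


@dataclass
class ProcessingRecord:
    name: str
    system: str                    # where the data physically sits
    categories: tuple              # personal data categories held
    source: str                    # where the data came from
    lawful_basis: str              # e.g. "consent", "contract", "legal_obligation"
    purpose: str                   # what the data is used for
    retention: Optional[timedelta]  # None means nobody has defined it yet
    retention_legal: bool = False   # True when retention is a legal duty, not a preference


# Constructed register: two well-described systems and one legacy system
# whose provenance and lawful basis nobody can state.
REGISTER = [
    ProcessingRecord("statements", "core-banking", ("name", "address", "account"),
                     "customer", "contract", "account statements",
                     timedelta(days=6 * 365), retention_legal=True),
    ProcessingRecord("marketing", "crm", ("name", "email"),
                     "customer", "consent", "product marketing",
                     timedelta(days=2 * 365)),
    ProcessingRecord("legacy_crm", "legacy-crm", ("name", "email"),
                     "", "", "unknown", None),
]

# Constructed facts about one customer: when each system first took their data,
# which consent-based purposes they have opted into, and the date of the check.
COLLECTED = {"statements": date(2015, 1, 1), "marketing": date(2017, 6, 1),
             "legacy_crm": date(2010, 1, 1)}
CONSENTS = {"product marketing": False}   # statement by post yes, marketing no
AS_OF = date(2018, 5, 25)


def audit_register(records: List[ProcessingRecord]) -> Dict[str, List[str]]:
    """Return {record name: [missing attributes]} for every incomplete record.
    A record that passes has an answer to each question in the audit."""
    gaps = {}
    for r in records:
        missing = [f for f in REQUIRED_FIELDS if getattr(r, f) in (None, "", ())]
        if missing:
            gaps[r.name] = missing
    return gaps


def erasure_decision(records: List[ProcessingRecord], collected: Dict[str, date],
                     today: date) -> Dict[str, Tuple[str, Optional[date]]]:
    """Decide, per record holding this subject's data, whether an erasure request
    can be honoured now. Data under a legal retention duty that has not yet
    expired is retained and the expiry date is reported; everything else is erased."""
    decisions = {}
    for r in records:
        if r.name not in collected:
            continue  # this system never held the subject's data
        if r.retention_legal and r.retention is not None:
            expiry = collected[r.name] + r.retention
            if expiry > today:
                decisions[r.name] = ("retain", expiry)
                continue
        decisions[r.name] = ("erase", None)
    return decisions


def permitted_purposes(records: List[ProcessingRecord],
                       consents: Dict[str, bool]) -> List[str]:
    """Purposes for which this customer's data may currently be used. A consent-
    based purpose needs an explicit opt-in; a record with no stated lawful basis
    is not permitted at all until the audit resolves it."""
    allowed = []
    for r in records:
        if r.lawful_basis == "":
            continue
        if r.lawful_basis == "consent" and not consents.get(r.purpose, False):
            continue
        allowed.append(r.purpose)
    return allowed


if __name__ == "__main__":
    print("incomplete records:", audit_register(REGISTER))
    print("erasure decisions:", erasure_decision(REGISTER, COLLECTED, AS_OF))
    print("permitted purposes:", permitted_purposes(REGISTER, CONSENTS))
```

Run against the constructed register, the audit flags the legacy system for having no recorded source, lawful basis or retention period, which is exactly the system that would stall a real erasure or access request. The erasure check keeps the statement data because its (assumed) legal retention period is still running, while the marketing data and the legacy data are erasable. The purpose check allows statements under the contract basis but blocks marketing, since the customer has not opted in.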

This forensic approach applies not just to your own systems but to those of third parties, whether suppliers, software developers or anyone else. Contracts have to be renegotiated to ensure that these third parties will protect personal data with the required degree of rigour and respond quickly to requests from your firm or your customers.

Speaking in April on a webinar hosted by cloud computing software provider Navatar, Dan Silver, a partner at law firm Clifford Chance, said: “A 72-hour timeframe is a really, really tight timeframe to have to make any notification [in case of a data breach]… The only way to really prepare for that is to make sure that you’ve done some practicing, to have a sense of who would have to be involved and what kinds of steps have to be taken to be able to make a notification within that kind of tight deadline.”

A spider’s web

Structuring these processes and mapping out the underlying workflow is tricky. David Fowler, head of privacy and digital compliance at Act-On Software, a marketing software company with many financial firms among its clients, has seen cases where organisations have taken care of the customer-facing angle of GDPR compliance but are still figuring out the rest.

For example, a number of financial institutions have set up portals through which customers can submit personal data requests. But once the request lands in an inbox, the actual functionality of retrieving and delivering the data is manual in nature. Employees “run around like a couple of lab rats” internally while the company gets the rest of its system in place, he says.

Though far from ideal, this might not be the worst approach: starting with the customer and reverse-engineering the processes from there allows financial institutions to use GDPR compliance as a customer service tool. It also helps firms build a degree of goodwill with customers, which might be needed in May and June if teething problems occur with the new system.

“Update your privacy policy and notices to openly communicate that you are on the ball,” Fowler says. “Get some language in there and tell your customers how they can get ahold of you. There’s nothing to say [in the regulations] that you have to respond in a set period of time, but you have to begin that dialogue.”

The need to modify internal systems in line with new regulations is always going to cost money, although how much is still unclear. Even though a great deal of guidance has been provided by the Information Commissioner’s Office, the degree of transformation required depends entirely on a company’s individual circumstances.

Some are desperately in need of a systems overhaul but there are others with clean, well-guarded data held on a single, completely automated system. These firms might have to do nothing more than send out an email to customers asking them to opt into future communications, and set up an online form through which customers can make personal data requests.

Even if a company does have systems in place, there is no clear idea of what best practice entails and the ideas that do exist are liable to evolve once the GDPR goes live in May. Fowler believes that financial services firms would be wise to accentuate the positive.

“If you’re a financial services firm, you probably have some building blocks for GDPR in place today: infrastructure, contingency plans, and data breach plans in place,” Fowler adds. Having put some preparations for GDPR in place, even if based on an interpretation of the guidelines, is still a far better position to be in than having done nothing.