For businesses across Europe, 25 May 2018 was a day of reckoning. This was the compliance deadline for the General Data Protection Regulation (GDPR), which applies to any organisation that processes the personal data of people in the EU, wherever that organisation is based. It had been marked in the calendar since 2016, when the regulation was adopted and businesses started down the road to implementation.
While the change will impact some companies more than others, all needed to take stock of their approach to data privacy. Even for consumers, the deadline was hard to miss – most of us received a flurry of GDPR-related emails, and have subsequently been asked for ‘cookie consent’ each time we visit a new website.
For context, the GDPR replaces the existing EU data privacy rules, which date back to the 1995 Data Protection Directive (95/46/EC). As a directive, it had to be transposed into national law by each member state, and the differing interpretations led to a patchwork of data protection laws across the EU. The GDPR is a regulation, so it applies directly in every member state and harmonises those laws, making life simpler for businesses.
It also brings data protection into the 21st century, reflecting the ways the world has changed in the last two decades.
“There have been massive changes since the passing of the EU data protection directive in terms of technological advances generally, and also more specifically in relation to the creation and use of personal data in a digital environment,” says Rebecca Cousin, partner at law firm Slaughter & May. “A key aim of the GDPR was therefore to attempt to update the laws and make them future proof.”
Matt Newman, general counsel and company secretary at Starling Bank, adds that GDPR is intended to protect consumers at a time when each of us generates reams of data.
“The idea is to give consumers greater rights over their data, to try and avoid some of the issues that might come into play,” he says. “There have been a few big ones in the press – the Facebook-Cambridge Analytica scandal is one that is held up as an obvious example of where things have gone wrong.”
Dealing with data
Within the financial sector specifically, GDPR represents a significant challenge. Since they are tasked with handling large quantities of personal information, financial institutions have needed to step up their manpower and invest in new IT products.
“The personal data they hold tends to be at the more interesting end of the spectrum,” says Cousin. “It is often linked in an immediate way to stores of financial value, and so is regarded as being of high value to hackers. Likewise, its loss, theft or inadvertent disclosure presents greater risks to individuals.”
Financial institutions also tend to hold so-called ‘special category data’ – i.e. sensitive information such as health data.
“Given the greater protection that this type of data is afforded, holding and using this data comes with greater compliance challenges,” says Cousin.
With this in mind, it would be fair to say that banks don’t have the easiest task on their hands. On one hand, they need to comply with Know Your Customer requirements, which oblige them to collect and retain copious amounts of personal data in a bid to safeguard against money laundering. On the other hand, the GDPR gives their customers more rights over that data, including the rights to access it and to have it erased. A legal obligation to retain data is one of the recognised grounds for refusing an erasure request, but working out which data falls under which regime still has to be done record by record. Factor in the rising use of data analytics, and the difficulties are plain to see.
“Banks have an enormous obligation to protect consumers but also to comply with a number of other provisions that are designed to protect people generally,” says Newman. “They’re in quite a tough position.”
On top of this, the data isn’t always simple to access. Especially for larger banking groups, it will have been amassed over a long period of time and is held on various legacy IT systems. Since these silos, a patchwork of systems and file types, may not ‘talk’ to each other, it can be hard to know exactly what personal data is held where.
“This presents a particular challenge in respect of the requirements to delete data when it is no longer necessary for the purpose, and indeed to erase data in certain circumstances if requested by the individual,” says Cousin. “Many legacy IT systems were simply not designed for data to be deleted and there is no quick or cheap fix to this.”
No need to reinvent the wheel
Despite these hurdles, financial institutions do have some points working in their favour.
“They have in general been in a better state of preparedness than businesses operating in other sectors because the Financial Conduct Authority has long taken a keen interest in data security,” says Cousin. “Data security is therefore already established as part of the culture of well-organised financial institutions, and that is incredibly helpful for GDPR compliance.”
She adds that a number of financial institutions already had a team of people working on risk and compliance and, in some cases, data protection. They may not have needed to recruit quite as many people to help with their GDPR programme.
On top of that, the job has been easier for some banks than for others, with the issue of mismatched legacy systems only applying to traditional banks. For challenger banks, many of which designed their systems from scratch just as the GDPR requirements were emerging, compliance will be much simpler.
Starling Bank, which received its banking licence in 2016, is one example. As Newman explains, privacy by design and privacy by default, two key GDPR principles, are embedded into the bank’s systems. Privacy by default in particular is new: it was not an explicit requirement under the 1995 directive.
“Privacy by design means we design things with privacy at their heart, while privacy by default means that if a customer doesn’t elect to do something positive, the default position is that their data will be protected,” he says. “This one issue alone, which we were able to solve from scratch, must have been massively expensive for other banks.”
He says that compliance has been a relatively straightforward process for Starling, since its principles were built around GDPR anyway.
“We weren’t reinventing the wheel, we were just updating things,” he says. “When we designed our systems we asked why are we using data and what are our interests here, so it’s been relatively easy. That’s the ethos of Starling Bank – build it right from day one.”
Costs and penalties
That said, there is no doubt the average bank will have taken a hit. According to Sia Partners, GDPR implementation costs for UK banks run to an average of £66 million, the highest spend of any sector. While the costs for non-bank financial services firms are much lower (£8 million on average), these firms face an unusually high implementation cost per employee (£719 per employee, compared to £553 for banks, or just £271 for the retail sector).
Certain costs are likely to persist into the long-term, too, given the ongoing need to demonstrate compliance.
“The GDPR moves the UK to a much more prescriptive regime than previously and the focus on accountability means that much more documentation is required,” says Cousin. “The administrative burden is therefore significantly greater as demonstrated by the need to keep a record of processing activities and a log of all data breaches, however minor.”
More broadly, financial institutions are subject to numerous regulatory frameworks, which bring additional challenges.
“Firstly, they need to ensure that changes that are introduced for one regulation do not cut across the requirements of another,” says Cousin. “There is also a need to harmonise processes to comply with various regulations which are changing and being introduced in different timeframes. This makes compliance across the board more complex for financial services than for many other sectors.”
However, while compliance is undoubtedly costly, non-compliance could be costlier still. Under the GDPR, financial institutions face significantly higher fines for infringements, including data breaches. According to an analysis by NCC Group, the Information Commissioner’s Office (ICO) imposed £880,500 worth of fines against British companies in 2016. Had the GDPR penalty regime applied, the same infringements would have attracted £69 million in fines – a staggering 79 times higher.
“GDPR has made people wake up to the fact of accountability,” says Newman. “The previous fine that the ICO could impose was £500,000, but now it’s €20 million or 4% of the organisation’s turnover – whichever is greater. Obviously this is a vast difference, which organisations are taking seriously.”
Looked at one way, the changes wrought by GDPR aren’t too dramatic – it is being described as an evolution, not a revolution. However, over the longer term it may force traditional banks to behave more like challenger banks, replacing their disparate IT systems with more joined-up digital offerings. On top of this, any projects involving personal data will require greater analysis upfront, avoiding unexpected costs and delays further down the line.
Moving beyond compliance, GDPR brings opportunities too. As Cousin explains, there are already a number of firms, including some in the financial sector, using GDPR compliance as a better way of selling their brand.
“GDPR can be an opportunity for developing increased levels of customer engagement and trust,” she says. “It is therefore worth bearing in mind that the GDPR for financial institutions does not only have to be about ever-increasing and stricter regulation.”
Starling Bank, for instance, is building functionality into its app that would allow customers to access their data at the push of a button.
“In terms of what we’re doing, we’re not just doing it because it’s the law and we want to comply – we think it’s a good thing and are asking what more we can do to make customers’ lives easier,” says Newman. “The question for the industry as a whole is how they keep ahead of technological advances from a data privacy side, while keeping the customer at the heart of it. The sector is really alive to this issue.”