Banks must act now to ensure the privacy of customer data post-Brexit

By Rich Vibert, CEO and Co-Founder, Metomic

UK banks are not prepared to protect customer data once the Brexit transition period ends on 31st December. However, the blame does not lie entirely at their door. The regulatory landscape is in flux and key questions about privacy regulation remain unanswered. Including what will replace General Data Protection Regulation (GDPR) in the UK. This leaves financial institutions with a difficult challenge; the clock is ticking and they must prepare for the various regulatory scenarios that could define the post-Brexit landscape. While challenging, this work is vital to keeping customer data protected; especially given the financial sectors’ checkered history in this space.

The current state of play

Banks collect huge amounts of sensitive data. However, their ability to secure it leaves much to be desired. In fact, 62 percent of the data breached in 2019 came from the financial services sector, according to Bitglass. This is likely because one-third of financial services companies don’t have a clear privacy plan or the resources to tackle risks connected to customer data (Accenture). Even if Brexit wasn’t happening the sector would have their work cut out. However, with the UK’s exit from the EU looming the challenges are exacerbated and banks must prioritise creating a holistic, privacy-first culture that will build customer trust.

Data regulation post-Brexit

As things stand, financial institutions don’t know what the regulatory framework for privacy will look like once the UK leaves the EU. However, they can make some assumptions based on the most likely scenarios. For example, recent rhetoric indicates that it’s likely that the UK will integrate GDPR principles into its own law. This would be a boon for finance businesses who have invested two and a half years to become GDPR compliant; a process no one wants to repeat. However, negotiations between the EU and UK have been anything but smooth so this could change. This means that banks need to ringfence resources so they can act quickly if new, local measures are introduced.

Another challenge for financial businesses is how they approach storing and processing EU customer and employee data after Brexit. The UK government has taken steps to facilitate this; requesting that the European Commission approve it as an ‘adequate’ third country. If approved, this  will ensure that cross-border data transfers between the EU and UK can continue. However, an adequacy decision is yet to be made, and isn’t guaranteed by 31st December or beyond. If an agreement isn’t reached, companies could find themselves sending data to the EU and simply not receiving it back. This is untenable for financial services companies who are reliant on constant transfers of sensitive data. To put themselves in the best possible position, banks should follow Forrester’s recommendations; analysing how a lack of an adequacy decision will impact their data transfers and ensuring they are best prepared.

Rebuilding customer trust

Shoring up data protection ahead of Brexit will require banks to spend both time and effort. However, this investment will be well spent as it’s essential for rebuilding the customer trust that has been eroded by a perceived disregard for data privacy by businesses and the government alike. In fact, three-quarters of UK consumers report being concerned about sharing their personal data with companies, according to research from Esomar and Here Technologies. 89 percent also believe the current laws and regulations are not sufficient to ensure their personal data isn’t misused. In order for banks to survive and thrive over the challenging months to come, they must address these concerns and demonstrate to customers that their data protection measures are sound.

Putting privacy and security first

Starting on this journey is daunting for many organisations. Nonetheless, they should be reassured by the fact that a change in mindset is more important than large-scale financial investments. This means putting the privacy and security of customer data at the heart of their strategy and embracing technology that facilitates this. One solution is embedding data protection rules into IT infrastructure. This automates compliance so businesseses have control and visibility over what is happening to customer data at all times. This has the potential to save thousands of hours in auditing. Not to mention forming the basis of a strong data management process which will safe-guard customer data regardless of the regulatory outcome of Brexit.

Future proofing data protection for an unpredictable post-Brexit world

The future of UK data protection regulation once the UK leaves the EU is still uncertain. As such, the government and organisations alike must continue to collaborate closely with their European equivalents, creating a privacy framework that will facilitate the free, but secure flow of data. Meanwhile, financial institutions should focus on building a privacy-centric culture. One that prioritises having an effective data protection strategy in place and earning customer trust above all else. These will be the keys to preparing for, and successfully navigating, an unpredictable regulatory environment post-Brexit.