Eu’s Potential General Data Protection Regulation

John Culkin, Director of Information Management, Crown Records Management

The EU’s new General Data Protection Regulation moved a step closer recently when MEPs voted in favour; how will it affect the financial sector?

The honest answer is that we are still waiting to find out – it could be well into 2015 by the time the regulation is enshrined in law; and inevitably the fine details are likely to change once national regulators and governments become involved.

But the initial indications are it could have a big impact on the financial sector, even affecting customers and their data that reside outside of the EU. Interestingly, the “data” discussed is not only electronic but also includes paper records, which is another consideration. And the setting up of a new umbrella Data Protection Agency will be watched very closely.

What do you see as the biggest challenges it could provide?

John Culkin

The devil is in the detail and depends on what makes it into legislation and is applied around the EU. But a requirement for all data breaches to be reported is a particular challenge.

At the minute there are no common guidelines as to exactly what constitutes a data breach e.g. staff viewing certain data; and yet the financial punishments – and the potential reputational damage – for reporting mistakes are significant.

The rules at present are simply not clear and there are fundamental questions to be asked. Leaving sensitive customer data on an usb stick on the tube is obvious enough but is leaving a customer’s name and address on a photocopied sheet on a desk at lunchtime a breach? Where is the line going to be drawn?
Banks will also be interested to know how far up the chain responsibility lies. If a small subsidiary or a small company owned by a larger one incurs data breaches, where does the responsibility stop?
Sanctions discussed so far are based on annual enterprise turnover; and with the apparent anti-City feeling in the EU the climate may not be favourable to watering this down.

Who are meant to benefit from these new regulations?

It’s intended to be the consumers; but I’m not entirely convinced. The regulations could actually increase costs, which are inevitably passed onto to consumers. The speed of progress on the matter since 1995 is not encouraging effective planning and retroactive changes are always more expensive to implement.

In your experience how well prepared are banks at present?

The banks are probably technically more than capable if the rules are clear and concise; which of cause they may not be.  It may not be clear what constitutes customer data for instance. For example is data from social networks customer data or public data? What about customer service or sales data – does it need anonymising?  The bigger challenge, however, is the culture change required – one that says the customer is all powerful and effectively is the owner of their data.

The ‘Right to be Forgotten’ for a customer has been much discussed and seems to be at the heart of new regulations; does this provide another huge challenge for the financial sector?

I believe it does. The regulation is likely to only apply to websites or marketing data rather than customer service records; but once the principle of the ‘right to be forgotten’ is enshrined then there is no end to the way it can be implemented.

The cost implications for all sectors could be huge if customers have a right to call and demand information is destroyed; it could lead to whole departments being set up to deal with such requests.
You can draw comparisons to the Freedom of Information Act, drawn up with good intentions by the Government but which now costs local councils millions of pounds as they are required to service FOI requests.
Imagine the cost implications for major banks as millions of customers demand to know what information is stored and choose what is deleted. How far back will documents have to be searched? And what about cross references in documentation?  Where many customers are mentioned should some be redacted or the whole document destroyed? Again, we are watching the developments very closely.

The laws are likely to include a requirement for all organisations to employ Data Protection Officers. In your experience are businesses is the financial sector prepared?

The first thing people are asking is – will it be a designation or an actual role? Can our CIO not take it on?  Can it be out-sourced to a company like Crown Records Management? Clearly if it requires an entirely new role then training and qualification will become an issue and there are, once again, cost implications.

As it stands there are plans for fines of up to five per cent of worldwide turnover for those who breach the rules. How is that being received?

These are big figures and could drive down competition when the lower-cost providers decide the EU is not worth the risk if they have large business interests in the Americas or Asia. Also, it would be difficult to ascertain how serious a breach should warrant a globally-based fine, especially if it only affects a single set of customers in a subsidiary in one country for example.

Interestingly, businesses that are issued with a valid ‘European Data Protection Seal’ would face immunity from fines unless the breach was “intentional” or involved “negligent incompliance”. But who provides the seal and what must be done to receive one is not yet clear.

So what would you say the general feeling is in the financial sector about these proposed regulations as it stands?

I would say people have put their heads in the sand hoping it won’t happen or that if it does, it is significantly diluted; and the likelihood is that will be the case. But even so there is also significant public backing for the principles behind these regulations – so this may only be the start of changes and not the end of them. There has never been a greater need in this industry to be prepared for significant change in information management and to be prepared to take advice.