Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Finance > EU’S POTENTIAL GENERAL DATA PROTECTION REGULATION

EU’S POTENTIAL GENERAL DATA PROTECTION REGULATION

Published by Gbaf News

Posted on April 24, 2014

6 min read

Last updated: January 22, 2026

Illustration depicting the impact of the EU General Data Protection Regulation on finance - Global Banking & Finance Review — This image illustrates the potential implications of the EU's General Data Protection Regulation on the financial sector, highlighting challenges related to data breaches and compliance for banks and financial institutions.

John Culkin, Director of Information Management, Crown Records Management

The EU’s new General Data Protection Regulation moved a step closer recently when MEPs voted in favour; how will it affect the financial sector?

The honest answer is that we are still waiting to find out – it could be well into 2015 by the time the regulation is enshrined in law; and inevitably the fine details are likely to change once national regulators and governments become involved.

But the initial indications are it could have a big impact on the financial sector, even affecting customers and their data that reside outside of the EU. Interestingly, the “data” discussed is not only electronic but also includes paper records, which is another consideration. And the setting up of a new umbrella Data Protection Agency will be watched very closely.

What do you see as the biggest challenges it could provide?

John Culkin

John Culkin

The devil is in the detail and depends on what makes it into legislation and is applied around the EU. But a requirement for all data breaches to be reported is a particular challenge.

At the minute there are no common guidelines as to exactly what constitutes a data breach e.g. staff viewing certain data; and yet the financial punishments – and the potential reputational damage – for reporting mistakes are significant.

The rules at present are simply not clear and there are fundamental questions to be asked. Leaving sensitive customer data on an usb stick on the tube is obvious enough but is leaving a customer’s name and address on a photocopied sheet on a desk at lunchtime a breach? Where is the line going to be drawn?
Banks will also be interested to know how far up the chain responsibility lies. If a small subsidiary or a small company owned by a larger one incurs data breaches, where does the responsibility stop?
Sanctions discussed so far are based on annual enterprise turnover; and with the apparent anti-City feeling in the EU the climate may not be favourable to watering this down.

Who are meant to benefit from these new regulations?

It’s intended to be the consumers; but I’m not entirely convinced. The regulations could actually increase costs, which are inevitably passed onto to consumers. The speed of progress on the matter since 1995 is not encouraging effective planning and retroactive changes are always more expensive to implement.

In your experience how well prepared are banks at present?

The banks are probably technically more than capable if the rules are clear and concise; which of cause they may not be. It may not be clear what constitutes customer data for instance. For example is data from social networks customer data or public data? What about customer service or sales data – does it need anonymising? The bigger challenge, however, is the culture change required – one that says the customer is all powerful and effectively is the owner of their data.

The ‘Right to be Forgotten’ for a customer has been much discussed and seems to be at the heart of new regulations; does this provide another huge challenge for the financial sector?

I believe it does. The regulation is likely to only apply to websites or marketing data rather than customer service records; but once the principle of the ‘right to be forgotten’ is enshrined then there is no end to the way it can be implemented.

The cost implications for all sectors could be huge if customers have a right to call and demand information is destroyed; it could lead to whole departments being set up to deal with such requests.
You can draw comparisons to the Freedom of Information Act, drawn up with good intentions by the Government but which now costs local councils millions of pounds as they are required to service FOI requests.
Imagine the cost implications for major banks as millions of customers demand to know what information is stored and choose what is deleted. How far back will documents have to be searched? And what about cross references in documentation? Where many customers are mentioned should some be redacted or the whole document destroyed? Again, we are watching the developments very closely.

The laws are likely to include a requirement for all organisations to employ Data Protection Officers. In your experience are businesses is the financial sector prepared?

The first thing people are asking is – will it be a designation or an actual role? Can our CIO not take it on? Can it be out-sourced to a company like Crown Records Management? Clearly if it requires an entirely new role then training and qualification will become an issue and there are, once again, cost implications.

As it stands there are plans for fines of up to five per cent of worldwide turnover for those who breach the rules. How is that being received?

These are big figures and could drive down competition when the lower-cost providers decide the EU is not worth the risk if they have large business interests in the Americas or Asia. Also, it would be difficult to ascertain how serious a breach should warrant a globally-based fine, especially if it only affects a single set of customers in a subsidiary in one country for example.

Interestingly, businesses that are issued with a valid ‘European Data Protection Seal’ would face immunity from fines unless the breach was “intentional” or involved “negligent incompliance”. But who provides the seal and what must be done to receive one is not yet clear.

So what would you say the general feeling is in the financial sector about these proposed regulations as it stands?

I would say people have put their heads in the sand hoping it won’t happen or that if it does, it is significantly diluted; and the likelihood is that will be the case. But even so there is also significant public backing for the principles behind these regulations – so this may only be the start of changes and not the end of them. There has never been a greater need in this industry to be prepared for significant change in information management and to be prepared to take advice.