Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Gdpr Set to Transform Financial Services (and 20% of IT Decision-Makers Have Never Heard of It)

Published by Gbaf News

Posted on June 17, 2016

5 min read

Last updated: January 22, 2026

Add as preferred source on Google

NewVoiceMedia enhances customer service at Grand Pacific Resorts with ContactWorld technology - Global Banking & Finance Review — The image highlights NewVoiceMedia's ContactWorld solution, showcasing its impact on Grand Pacific Resorts' customer service efficiency and agent productivity in the hospitality sector.

Gary Arnold, Solutions Strategy Director

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, following its finalisation earlier this year, bringing with it sweeping changes to the data practices of Britain’s financial services institutions.

In a two part series, data-driven marketing experts, Occam, will look at what exactly the financial services sector need to know about the impact of GDPR and the action that is required. Part 2 will then look in more detail at the benefits of GDPR: How changing the way financial brands manage customer data can benefit their customer communications?

The GDPR knowledge gap

The GDPR has been a controversial piece of legislation. Not for nothing has it become the most lobbied regulation in the history of the European Parliament¹, with some 4,000 amendments.

Yet, as Trend Micro discovered in research reported by Compliancy Services², 20% of IT decision-makers in the UK are still unaware of the new regulation. 29% aren’t sure whether the GDPR will affect them (it will), and 18% don’t know that there will be fines for non-compliance.

The regulation

In summary, the GDPR enshrines the following rights in law³:

A “right to be forgotten”: The right to have information deleted, provided there are no legitimate grounds for retaining it.
Easier access to personal data: A right to clear, understandable information on how your data is processed.
A right to data portability: Making it easier for individuals to transmit personal data between service providers.
The right to know when your data has been hacked: Companies and organisations must notify the national supervisory authority about data breaches which put individuals at risk.
Data protection by design and by default: Data protection safeguards must be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm.

What action does the financial sector need to take?

In practice, the GDPR will mean the following for financial institutions:

Consent for processing a customer’s personal data must be freely given, and be specific, informed and unambiguous. For sensitive data of the sort held by banks and financial institutions, consent must be “explicit”.

Before a customer can open an account, be credit checked or receive a piece of direct mail, they must first provide you with demonstrable, informed consent.

Take action: Consider how your business collects, handles and stores its customer data, and shares that data with third parties.

Compare the consents you currently request with the requirements of the regulation.
Begin a process of data cleansing, deleting information you don’t need, and building new consent management policies to protect the data you need to retain.

Global scope: The GDPR extends to any organisation outside of the EU processing data relating to EU citizens. Whilst provision exists for bilateral treaties with third country authorities, the regulation could make life more difficult for financial businesses working in emerging markets.

Take action: Financial institutions already need to show a legitimate basis for transferring personal data internationally. But with the GDPR raising the potential sanction for non-compliance to 4% of global turnover, it’s more vital than ever to review the information you share, and the consents that govern that sharing.

Security: “By design and by default” means data protection must be at the heart of any new system design, and a user’s default settings must always maximise security.

For banks in a constant cycle of system reinvention to address other compliance issues, the “by design” element adds another element of complication to in-house IT.

Take action: Make GDPR compliance an early and mandatory stage of IT system design.

Data breaches & the right to know: Data breaches likely to present a “high risk” to individual rights and freedoms must be reported within 72 hours to the Data Protection Authority. Affected individuals should be sent notification of breaches “without undue delay”.

Take action: Establish data breach policies, including establishing extent, risk, and notification procedures. Test the new polices to ensure day-one compliance.

Data portability and the right to be forgotten:

Take action: Procedures will need to be able to respond to requests from day one. Put in place processes for transmitting or deleting data, and ensure that provision exists for:

Determining whether there are legitimate grounds for retaining information.
Informing applicants of such decisions.

The GDPR is here! There is no escaping its impending changes, which are fast approaching and the effects will be felt across all industries and sectors. While these steps are a starting point for brands looking to fall in line with new regulations, this is by no means purely a regulatory enforcement. As the impact of these changes will drastically alter the ways financial services brands communication with consumers for years to come – and certainly for the better.

In the second of this series, we will investigate how these changes to the GDPR will actually benefit data-driven consumer communications and look at how financial services brands can build trust with consumers and ensure data is used and managed in a strategic and ethical way.