By David Kemp, EMEA Specialist for Micro Focus Secure Content Management division
Recent evidence from financial institutions internationally suggests organisations have failed to make significant progress in creating effective GDPR programmes, but have simultaneously become fatigued by the regulation.
Given that the regulation, designed to enforce respect for personal data with draconian sanctions, came into effect on 25th May 2018, it is surprising that more advanced execution of GDPR programmes is not in force.
The real business drivers
While one can appreciate that this is "yet another regulation", there are two major factors which should attract immediate attention. Firstly, compliance requires the search for, as well as the classification, protection and policy enforcement of personal data as a function of fundamental records management and data security. Secondly, in addition to risk management, there are active operational efficiency benefits to be gained and even new revenue to be generated from sound adherence.
So can financial institutions find innovative business drivers and value extraction from prudent regulatory compliance?
Two major European insurers have recently found that safeguarding personal data can be facilitated by meticulously identifying all silos of available data, and then cleansing these of redundant, obsolete or trivial information, which usually amounts to over 30%. Therefore, GDPR acts as a catalyst for core data management and security – in turn, presenting new income opportunities from enhanced and defensible data exploitation.
Revenue increase through compliance
Consider a global bank headquartered in the UK with a primary driver of generating new products and revenue from legal exploitation of data on high net worth individuals. A fundamental risk to its success is the uncoordinated extraction of personal data – leading to a potential GDPR breach. Therefore, it is in the bank's best interest to pursue data management and encryption. The secret is that the improved metrics following GDPR data cleansing and personal data analytics actually continue to advance the business.
Another example is the pharmaceuticals company Astellas, which, in a heavily regulated industry, has a GDPR-compliant mission. Its overriding business objective is to ensure that when years of research are completed, a proposal for clinical acceptance – which safeguards the identity of the trial patients – will be authorised. So, in a way, GDPR is an accelerator of sound data life cycle management and security for top line return on capital.
The economics of improved customer attraction
Organisations should also regard the early adoption of the GDPR as a competitive advantage for attracting and retaining customers. For example, a Finnish media group has been able to ensure existing client loyalty and attract new readership by stamping "GDPR effective" on its website – achieving a critical goal across every industry: first and foremost, instilling trust that the data supplied will be respected and, in accordance with Purpose Limitation, deleted when the company is no longer permitted or justified to hold it.
Privacy processing as a new service and revenue source
Financial institutions may also gain advantages from the consequential effect of providing personal data processing as a service. Take a global Japanese electronics group, for example. The company is not just selling satellite navigation for private cars, but also creating a new revenue stream by offering to insource, cleanse and return the personal navigation data when a used car is sold.
Similarly, a key European airport has recognised that not only does it have its own major volumes of GDPR-relevant personal data, but that it is the "spider in the middle of the web". In other words, a myriad of merchants on its premises have the same issue, as do all the airlines flying to its facilities. It therefore decided to create virtue out of necessity by facilitating its own compliance via careful data life cycle management and security measures. In doing so, the airport was then able to insource data from the merchants and airlines to create a new revenue stream for data integrity and customer data management.
Is advanced execution of GDPR programmes relevant to financial institutions? It should be, as we move into the Brave New World of "open banking", where there is competitive advantage in improving efficiency, trust and data mining.
While the GDPR was primarily intended to safeguard identity, financial institutions can create opportunities from the necessity to comply. By using the new processes and technology required for compliance, financial services can not only increase front-end returns, but achieve ROI from the inevitable cleansing of data – achieving savings in back-up, storage and archiving.