GDPR Compliance in Financial Institutions: One Year On | GBAF

GDPR Compliance in Financial Institutions: One Year On | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Top Stories > One year of GDPR: the impact so far and what more needs to be done

One year of GDPR: the impact so far and what more needs to be done

Published by Gbaf News

Posted on June 8, 2019

5 min read

Last updated: January 21, 2026

Data privacy compliance reflection for GDPR's first anniversary - Global Banking & Finance Review — An insightful reflection on the impact of GDPR one year after its implementation, focusing on compliance challenges faced by financial institutions. This image symbolizes the ongoing journey towards data protection and privacy standards.

By David Kemp, business strategist, Security Risk and Governance, Micro Focus

On 25th May 2019, the world noted, rather than celebrated, the first anniversary of the General Data Protection Regulation (GDPR).The one-year mark is an opportune moment to reflect on whether the regulation has been effective in its ambitions and goals so far and look at how financial institutions have coped with compliance over the last year.

The laudable intentions of the regulation are largely recognised as an overall drive to provide a consistent and defining standard of data privacy, through defending against intrusion, cyber-attack and deliberate or negligent misuse of data. However, despite its positive purpose, legislators and regulators failed to foresee the enormity of the task of compliance,not only within the financial sector, but across all industries.

GDPR principles and enforcement

If we unwrapa number of key GDPR principles such as the “right to be forgotten” and “purpose limitation”, all require major investment in policy, process and technology. The regulation effectively demands that organisations have complete visibility over all data held, in any format and in any location.This involves near real time reporting and requires the ability to respond to a Subject Access Request and data breach within 72 hours. In fact, these standards mirror many national laws,including the 2018 California Consumer Privacy Act. And interestingly, the rules around immediacy and availability of data actually reflect the Dodd-Frank Act 2010 standards of derivative trade audit and verification.

From an enforcement perspective, the sanctions imposed in Europe over the last year have been generally small and infrequent – with the exception of the French regulator, the CNIL, fining Google €50m in January 2019. That said, while regulators are known to be short of “over watch” capability, even in 2019 one can expect them to find “trophy” non-compliant entities to provide an example to others. Additionally, with the UK’s Information Commissioner recently achieving jail terms for delinquent managers under the Computer Misuse Act 1990, the risk of non-compliance is now a matter of deprivation of liberty, not just fines.

Compliance: the picture so far

In practical terms, the banking industry has largely taken the regulation to heart, providing guidance on active and demonstrable consent to retail customers. Moreover, anecdotal evidence has suggested that the “privacy by design” concept is being respected when it comes to building compliance features into new products and services. To use a tangible example, a global UK-headquartered bank CDO is seeking to improve its wealth management products and services by deep analysis of Personal Data, but it has made sure that anonymisation is in place.

However,unfortunately it is currently the case that surprisingly large institutions, especially insurers, are still at an early stage of data discovery. This also includes identifying precisely where, and in what form and volume Personal Data lies across their legacy data landscape. As the stakes of non-compliance rise, it is highly prudent for financial institutions to have carried out data discovery and undertaken a gap analysis on their policy and technology – and at least have an in-flight road map for remediation.In other words, GDPR compliance should not be taken as simply another “Y2K”damp squib situation.

Looking beyond sanctions: the benefits of effective compliance

Unexpectedly, there have been some positive up-sides to GDPR compliance for the finance industry– not limited to defending against fines and reputational damage.

Using GDPR compliance as a catalyst for improved operational efficiency

Deletion of unwarranted Personal Data retention has caused two major UK insurers to pro-actively down-size the “dark data” they hold, representing on average in excess of 30% of all information held by corporates. As a result, the insurers have reduced back-up and data storage costs. Therefore, they have increased ROI, as well as effectively cleansed data in anticipation of moving to the cloud and digitisation.

Using GDPR as a bench-mark for improved due diligence arising in M&A

This can be applied both from the point of view of a subsidiary sale, as well as the data discovery necessary on a subsidiary purchase.

Contextual linkage of data in all formats

By ensuring compliance, organisations are able to link to data in all its forms, whether it be structured or unstructured. As a result, they have the ability to not only facilitate replies to a Subject Access Request, but also achieve greater opportunities from compliant data mining and value extraction – ultimately leading to enhanced revenues. Ironically, the long-heralded “Customer 360” view of retail client data is now a necessity, not just a“nice-to-have”.

Applying GDPR standards to other perennial internal security corporate issues

Cleansing data for internal issues regarding security provides organisations with greater visibility, clarity and prospect of advance warning – made possible by using Identity Access Management and encryption technology.

Over the last year the implementation of the GDPR has been a Pandora’s Box of yet more financial institution compliance requirement. But somewhat paradoxically, for the canny it has represented a real opportunity for business advancement.