Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

One year of GDPR: the impact so far and what more needs to be done

By David Kemp, business strategist, Security Risk and Governance, Micro Focus 

On 25th May 2019, the world noted, rather than celebrated, the first anniversary of the General Data Protection Regulation (GDPR).The one-year mark is an opportune moment to reflect on whether the regulation has been effective in its ambitions and goals so far and look at how financial institutions have coped with compliance over the last year.

The laudable intentions of the regulation are largely recognised as an overall drive to provide a consistent and defining standard of data privacy, through defending against intrusion, cyber-attack and deliberate or negligent misuse of data. However, despite its positive purpose, legislators and regulators failed to foresee the enormity of the task of compliance,not only within the financial sector, but across all industries.

GDPR principles and enforcement

If we unwrapa number of key GDPR principles such as the “right to be forgotten” and “purpose limitation”, all require major investment in policy, process and technology. The regulation effectively demands that organisations have complete visibility over all data held, in any format and in any location.This involves near real time reporting and requires the ability to respond to a Subject Access Request and data breach within 72 hours. In fact, these standards mirror many national laws,including the 2018 California Consumer Privacy Act. And interestingly, the rules around immediacy and availability of data actually reflect the Dodd-Frank Act 2010 standards of derivative trade audit and verification.

From an enforcement perspective, the sanctions imposed in Europe over the last year have been generally small and infrequent – with the exception of the French regulator, the CNIL, fining Google €50m in January 2019. That said, while regulators are known to be short of “over watch” capability, even in 2019 one can expect them to find “trophy” non-compliant entities to provide an example to others. Additionally, with the UK’s Information Commissioner recently achieving jail terms for delinquent managers under the Computer Misuse Act 1990, the risk of non-compliance is now a matter of deprivation of liberty, not just fines.

Compliance: the picture so far

In practical terms, the banking industry has largely taken the regulation to heart, providing guidance on active and demonstrable consent to retail customers. Moreover, anecdotal evidence has suggested that the “privacy by design” concept is being respected when it comes to building compliance features into new products and services. To use a tangible example, a global UK-headquartered bank CDO is seeking to improve its wealth management products and services by deep analysis of Personal Data, but it has made sure that anonymisation is in place.

However,unfortunately it is currently the case that surprisingly large institutions, especially insurers, are still at an early stage of data discovery. This also includes identifying precisely where, and in what form and volume Personal Data lies across their legacy data landscape. As the stakes of non-compliance rise, it is highly prudent for financial institutions to have carried out data discovery and undertaken a gap analysis on their policy and technology – and at least have an in-flight road map for remediation.In other words, GDPR compliance should not be taken as simply another “Y2K”damp squib situation.

Looking beyond sanctions: the benefits of effective compliance

Unexpectedly, there have been some positive up-sides to GDPR compliance for the finance industry– not limited to defending against fines and reputational damage.

  • Using GDPR compliance as a catalyst for improved operational efficiency

Deletion of unwarranted Personal Data retention has caused two major UK insurers to pro-actively down-size the “dark data” they hold, representing on average in excess of 30% of all information held by corporates. As a result, the insurers have reduced back-up and data storage costs. Therefore, they have increased ROI, as well as effectively cleansed data in anticipation of moving to the cloud and digitisation.

  • Using GDPR as a bench-mark for improved due diligence arising in M&A

This can be applied both from the point of view of a subsidiary sale, as well as the data discovery necessary on a subsidiary purchase.

  • Contextual linkage of data in all formats

By ensuring compliance, organisations are able to link to data in all its forms, whether it be structured or unstructured. As a result, they have the ability to not only facilitate replies to a Subject Access Request, but also achieve greater opportunities from compliant data mining and value extraction – ultimately leading to enhanced revenues. Ironically, the long-heralded “Customer 360” view of retail client data is now a necessity, not just a“nice-to-have”.

  • Applying GDPR standards to other perennial internal security corporate issues

Cleansing data for internal issues regarding security provides organisations with greater visibility, clarity and prospect of advance warning – made possible by using Identity Access Management and encryption technology.

Over the last year the implementation of the GDPR has been a Pandora’s Box of yet more financial institution compliance requirement. But somewhat paradoxically, for the canny it has represented a real opportunity for business advancement.