Ganesh Raman, Account Director at data science and marketing services company Profusion, explains how the General Data Protection Regulation affects banking and finance.
Trust and the finance industry have been tied together since the very first bank opened its doors. That trust will soon come under pressure thanks to the EU’s General Data Protection Regulation (GDPR), which governs how organisations must use, store and protect consumer data. A large chunk of the Regulation concerns customer consent for the use of their data. It’s no longer good enough to simply pre-fill a checkbox or assume customer consent: under GDPR, all organisations must explicitly gain consent for each and every use of personal data.
The consequences for organisations in breach of GDPR are dire, with fines of up to €20 million or 4% of global revenue, whichever is greater. On top of that there will be the associated loss of consumer confidence in any case of breaching GDPR. For finance organisations, that loss of trust will be catastrophic. Nobody will allow their money to be looked after by an unreliable source, and the potential brand damage and loss of revenue could make that €20 million fine look like pocket change. With such large consequences, and following many high-profile data leaks, any GDPR breach is also likely to hit the headlines, further damaging your reputation.
The type of data financial institutions hold on customers is also highly sensitive, meaning that any leak or lapse in security is likely to be hit with the hardest penalties.
Despite Brexit, UK companies will still have to adhere to GDPR. Any organisation dealing with European citizens’ data will have to comply. It doesn’t matter where in the world your company is based: if you want to do business with Europe, GDPR is going to apply to you.
Apart from consent, the Regulation also details how customer data is to be stored and accessed. Data will have to be kept in a common electronic format, one that is widely used in the industry by many different data management companies. This is because a customer will now have the right to approach a company and request that their data is transferred to another. This has potential ramifications for insurance in particular, as customers will easily be able to transfer their details from one insurer to another and shop around for the best deals.
Thanks to a spate of data hacks and other privacy issues, the way data is stored has recently come to the public’s attention. In terms of your data architecture, the Regulation states that your storage systems must be built with privacy and security designed into their foundations.
Under GDPR, before storing any data, you will have to obtain express permission for it to be stored and detail exactly what the data will be used for and how long it will be kept. The way you explain this to your customers must be simple and easy for them to understand, and also age appropriate, as the Regulation also details that the consent of any minors and their parents/guardians must be obtained before you use their data.
Companies will have to tighten up their data governance and notification processes. In the event of a breach, companies will have to notify data protection authorities when the leak is likely to have a detrimental impact on the people involved. Likewise, the individuals who are affected will have to be notified. This has to be done within 72 hours; otherwise you’ll face a fine.
Companies with good data governance and that know where their data has come from, where it is stored and what it is being used for, will find the route to becoming GDPR compliant far easier than those who don’t. Nevertheless, many companies will have gaps in their data governance and storage that will have to be plugged before the May 2018 deadline.
Likewise, those with data governance and management procedures that meet GDPR standards will still have to do some legwork in educating their customers and employees. Don’t misjudge the time this will potentially take. Many people don’t engage with the first few messages companies send to them, so you’ll have to create an entire marketing and internal comms strategy around GDPR. It’s worth using a mix of different channels and mediums to get your message across. TV advertising, OOH media and online advertising would be a good way to get blanket coverage of all your customers, educating them on the incoming Regulation and what it means for them. Targeted email marketing and prompts in-branch (where appropriate) will be a good way to zero in on the customers you need to obtain consent from.
In terms of internal comms, all staff will have to have an idea of what constitutes personal data, and they should also be able to identify a data breach and know the correct procedures. For businesses with global offices, getting everyone up to speed is no small undertaking, so start planning this now. There are also some external organisations that offer specialist GDPR training for employees.
Ultimately, GDPR will represent a step change for any organisation that handles consumer data. It brings about a change in the relationship organisations have with the public: whereas ownership of data has previously been a grey area, the Regulation stipulates that consumers are now the owners of their data and you are custodians of it. The Regulation places great responsibility on organisations to treat personal data correctly, with large penalties for those who fail to meet GDPR standards. Many companies are going to have to make significant changes across the entire organisation, from HR and training to marketing and IT. The time these changes will take should not be underestimated. In other words, to hit that May 2018 deadline, many of you are already running late.