GDPR: How Banks Should Prepare for the Data Overhaul

Guest blog by Peter Ryan, Product Manager, Open Banking Compliance, Temenos

Published: June 28, 2017

GDPR comes into force next May and brings stringent new rules on data protection. How will they affect banks and financial institutions, and what should they do to ensure they are ready?

Twenty-two years is a long time when it comes to technology. In 1995, for example, most of us wrote cheques to pay for goods and services, relied on our monthly paper bank statement to check our balance and, if we were lucky enough to have one, would have to plug our computer into our telephone line to get dial-up internet.

Today, the world has moved on, mostly for the better. The widespread uptake of technology means each of us can now transfer cash instantly, check our bank balance in real time and log on to the internet at the touch of a few keys. As a result, as we go about our daily lives we have become consumers and producers of huge amounts of data, data that must be protected to keep us safe. Yet all of it is still governed by the European Union Data Protection Directive of 1995, which has been in place for 22 years.

On 25th May 2018, a new regulation comes into force. The General Data Protection Regulation (GDPR) puts a new onus on banks, financial institutions and other bodies that hold customer data. It requires them to know what personal data they hold, how it is processed and who they share it with, and to have a lawful basis, such as the data subject's consent, for that processing. Penalties for getting it wrong are severe: the largest possible fine for a breach of the new regulation is four per cent of global annual turnover or €20m, whichever is higher.

With data protection now a high-stakes game, banks and financial institutions must plan carefully to ensure they are GDPR compliant. They must, for example, meet a higher threshold for consent: a bank will no longer be able to rely on a customer failing to untick a pre-ticked box as grounds for keeping his or her data on file. Organisations will have to demonstrate that they are accountable for the data they hold, and they should be able to give customers their personal data in a portable form so that they can take it with them to a rival institution.

GDPR Calendar
GDPR comes into force 25th May 2018

The impact on banks and financial institutions could be huge, whether it involves deleting vast swathes of non-compliant data that currently allows them to market to former and current customers, or the cost of overhauling the supply chain to ensure that everyone in it handles data correctly.

For organisations preparing for GDPR, the first step is to look at the personal data they already hold, assessing where and how that data is collected and stored. Banks, financial institutions and others need to understand why they hold each category of data, because they will no longer be able to rely on customer consent so readily.

The next step is to analyse supply chains, assess current technology and systems, in conjunction with technology providers, and look for appropriate partnerships. Some banks may also need to appoint a data protection officer, who must be able to perform that role independently, without taking instructions on it, and who reports directly to the highest level of management.

But as well as being another layer of regulation, GDPR should be seen as an opportunity. Getting to grips with all of their valuable customer data will allow banks to reconnect with some customers, and greater portability will let them win new customers through comparison sites.

After 22 years, it's time the rules were updated. Managed well, the changes will leave banks with stronger security and technology, more robust supply chains and more positive relationships with customers. That sounds like progress, not only for banks but for all of us.
