Implementation of the General Data Protection Regulation (GDPR) represents an opportunity for banks to review their data security protocols and tighten up processes to increase customer confidence.
On 25 May 2018, the new European Union privacy regulation GDPR will come into effect. The regulation replaces an older EU directive and was designed to harmonise data privacy laws across Europe, protect and empower all EU citizens with respect to their data privacy and to reshape the way organisations across the region control data privacy.
In a research paper, PwC notes that GDPR also applies to the processing of personal data of EU residents by banks not established in the EU, where the processing activities are related to the offering of banking services.
Data protection has long been a key requirement for banks – for example, the head of technology policy at the UK Information Commissioner’s Office points out that while GDPR is different from the Data Protection Act 1998, it is an evolution rather than a revolution. Banks that have been processing personal data will already have protocols to ensure that data is kept private and secure.
In order to ensure the compliance of our Matrix digital banking platform, we created a taskforce to analyse the impact of GDPR on the platform. This group proposed an initial solution, which was validated with a number of reference clients and generated a list of deliverables.
The key issues we had to address were as follows:
Right to portability - the right for a data subject to receive the personal data related to them (which they have previously provided) in a ‘commonly used and machine-readable format’ and the right to transmit that data to another controller.
Right to access - part of the expanded rights of data subjects outlined by the GDPR is the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose, and to receive a copy of the personal data, free of charge, in an electronic format.
Right to erasure - this entitles data subjects to have the data controller erase personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data for reasons including the data no longer being relevant to original purposes for processing or the data subject withdrawing consent.
These were not the only challenges we faced in meeting the requirements of GDPR. Compliance is an ongoing process that requires the input of individuals across the organisation - anyone who processes data must be able to show how they comply with the regulations – and privacy has to be built into all new policies, working arrangements and IT updates.
In order to ensure readiness for GDPR, banks must ensure that staff with responsibility for handling data access requests receive appropriate training and that colleagues are aware of who should handle such requests. This training should be updated regularly (at least every two years) and all new staff should receive data protection/GDPR training as part of their induction, reinforced with written procedures to demonstrate that policies are in place.
An action plan should be established, with details of what data is stored so that in the event of a breach staff can quickly identify what has been compromised and how it should be reported. This plan will include details of the external parties that need to be informed and how data breaches are to be recorded.
The authors of the Oliver Wyman report Future Proofing Privacy: GDPR Compliance in a Networked Banking System describe GDPR as a legislative safety blanket designed to promote and enhance trust between individuals, small businesses and the institutions they deal with, by giving individuals and businesses back control over their own data.
While some compliance efforts will come at a price, there is an opportunity for banks to generate savings by only storing the data they need to provide the services they offer, minimising their storage costs.
GDPR also has a role to play in the development of open banking, providing assurance to bank customers that they will be informed about what they are consenting to their data being used for and whether that data will be shared with other organisations.
The PwC report Customer Centric Banking: Aligning the GDPR and PSD2 states that GDPR provides banks with an unprecedented opportunity to transform their data governance and infrastructure. The authors of the report suggest that financial institutions that embrace opportunities for digital transformation will out-compete those that resist.