Tuesday 9 February 2016

Bringing the rulebook into the 21st century: what is the General Data Protection Regulation and why is it important?

Regulatory bodies are often lambasted for their failure to keep pace with the rapid rate of technology change. The way that businesses are regulated to share, use and store customers’ personal data is an area that has long been under scrutiny.

The existing regulation of personal data management dates back to 1995, a time before the majority of financial services providers had digital relationships with their personal and business customers. Indeed, only one in ten adults used the internet.

Today, mobile and internet banking is being used for transactions worth nearly £1 billion a day in the UK alone, according to the BBA and EY. This step change in how personal data is used in the banking industry demonstrates the industry-wide drivers behind a new approach to data protection.

A new General Data Protection Regulation (GDPR) was approved by the European Parliament, European Commission and European Union in December 2015. It will be formally adopted in a matter of weeks, giving financial institutions 24 months to comply. As a Regulation and not a Directive it does not require any enabling legislation and must be adopted immediately by all 28 member state governments.

The GDPR will cause a seismic shift in the financial industry, forcing banks to completely rethink their existing processes to capture, manage and store customer data. 

The GDPR impacts the entire financial services spectrum, from retail banks onboarding new current account holders through to hedge funds acting on behalf of complex entities. 

This is the first in a series of blogs that will look at the details of the GDPR, and its ramifications for financial services providers.

What the new regulation covers

The Data Protection Directive, predecessor of the GDPR, is specifically designed to protect customers from the mishandling of their data, which could lead to data or privacy breaches. It governs how customer data is collected and managed by businesses, including financial services providers.

The first major change to modernise data protection laws under the GDPR is the regulation’s territorial scope. The new EU GDPR will apply to the management of all types of personal data belonging to any EU citizen, no matter the global location of the company processing the data.

There are three further reforms within the legislation that will force all institutions to significantly update their existing systems and processes:
  1. Informed consent
  2. Data portability
  3. The right to be forgotten

Consent: Any financial institution that collects, processes or shares an individual’s personal data must gain their 'freely given, specific, informed and explicit' consent.

With most institutions currently using catch-all Terms & Conditions, current data management processes will be non-compliant under the GDPR. This approach is too generic to meet the new standard. Institutions must adapt systems to secure consent for each individual use of personal data. 

Data portability: Institutions that hold personal data must give individuals the right to request copies of their data in a useable, electronic format. With patchy and disjointed information stores, financial institutions will have to ensure robust data cataloguing and storage in order to retrieve information at will.

The right to be forgotten: Consumers can ask any institution for full erasure of their data, and the institution must comply.

All three of these reforms present banks with an onerous and cost-intensive exercise to comply. Without a secure, automated and audit-level communication channel with customers, the GDPR will become the major compliance burden of 2016 and 2017.

The result of non-compliance

Stringent financial penalties will be imposed upon all financial institutions that fail to comply. Fines have been stepped up considerably to 4% of annual global turnover of the preceding financial year or up to €20 million, whichever is greater. These increased sanctions should appropriately incentivise even the largest global institutions to get their data management programs in order.

With regulation covering all companies that process personal data, there will also be significant negative brand impact for any firm that fails to comply.

This new regulation will soon be law, leaving financial institutions, and all businesses handling personal data, with no choice but to review their systems and create an implementation plan. This will be a topic I cover in my next blog: the key steps to compliance with the GDPR.

Until then, if you’d like any more detail about the incoming EU General Data Protection Regulation, visit www.eugdpr.org

CEO and founder of Trunomi
