Right now if there is one thing looming large on the radar of senior banking executives, it’s GDPR. The General Data Protection Regulation comes into force a year from now. It will usher in a new data management regime for any organisation collecting, storing or processing personal data.
The UK may be leaving the EU but this is one legal instrument that’s not up for negotiation: government has made clear that the GDPR in all its detail is here to stay.
What is changing?
For banks and financial groups the introduction of GDPR represents a major challenge, specifically in relation to the way they hold customer information. It will require comprehensive change across IT estates.
At its core GDPR is about giving control to the customer, so:
- Individual rights of customers will expand. They will be able to access information on bank decisions affecting them, enforce the ‘right to be forgotten’, insist on rectification of incomplete or inaccurate data and initiate data portability.
- GDPR will require banks to have a single view of the customer. This is difficult to achieve when many banks hold information across multiple silos.
- GDPR extends the notion of personal data to any information that contributes to individual identification. It confirms as personal data online identifiers such as IP addresses, affords greater protection to genetic and biometric data, and it incentivises the ‘pseudonymization’ of data.
Sanctions that cannot be ignored
As they face up to their obligations in this new legal landscape banks will be forced to acquire new functions and capabilities. So there is likely to be a significant shift both in corporate mindsets and day-to-day working practices. There has to be. The penalty structure under GDPR (up to 4% of annual global turnover or EUR20 million) is severe.
At board level the sanctions underpinning the regulation have not gone unnoticed. How much would a company need to invest internally to avoid a fine of 4% of turnover for example? There is no clear view on how serious non-compliance would have to be to attract a sanction at the upper level. As a result of this uncertainty we may well see substantial restructuring manoeuvres by global corporates attempting to mitigate the risk of damaging penalties.
Three first steps for dealing with GDPR
- GDPR does not relate to every piece of data held in respect of an individual. Find out what type of data is subject to regulation and what is not.
- Appoint a senior level data protection officer to take ownership of GDPR obligations.
- If still struggling, talk to an expert.
Larger organisations have certainly started to appoint senior executives to data protection and privacy ownership roles. But smaller companies don’t seem to have got to grips with what they need to do to comply with GDPR. That’s a concern. Understanding the regulations is the key starting point – helping to calculate where best to deploy valuable technical resources.
Undoubtedly GDPR will disrupt the banking industry. We’ve even heard it suggested that one way of dealing with the enormous changes would be to simply delete all customer data and start over! But keep in mind that GDPR is not altogether new territory. It builds on existing rules and dovetails with the whole area of data security. From CGI’s own work we have seen how many financial services groups already treat data security and GDPR as a top priority.
What challenges are you facing around GDPR? We would like to get your comments and continue the discussion.