01. 26. 2018
Time is ticking away: Are you ready for GDPR?
New rules will affect banking products, customer onboarding and lending in general after GDPR comes into force. Here’s how.
Less than six months away, on 25 May 2018, the largest overhaul of data protection regulation in the EU will come into full force with the implementation of the General Data Protection Regulation (GDPR). Although many still believe that GDPR is just another flash in the pan, or the new Y2K, others point out that it really is a big deal. And rightly so. As law firm Fieldfisher has put it, “privacy won’t go away after May 2018; quite the opposite – it’s going to become more and more of a challenge”.
So let’s get down to the nitty-gritty of GDPR. For starters, what is it all about and who does it affect? Simply put, it will better safeguard personal data and privacy in the digital age: it will give more say to people about what companies can do with their information and harmonize privacy laws in EU countries. It will strictly regulate the way customers give and withdraw consent to their data being used and will apply to every single company handling EU citizens’ data. That’s right, even if they’re located in the US or Asia. Also, data processors will have just 72 hours to report any breaches and many firms will need to hire a data protection officer (DPO).
GDPR: Banking is most affected
Of all industries, banking is expected to be most severely affected. No surprise there, really: banks handle a huge amount of customer data, including some very sensitive and confidential information. They also offer a variety of products and have complex webs of legacy IT systems, which means they will also face the highest implementation price tag. Management consultancy Sia Partners estimates that financial institutions within the FTSE100 index will spend a whopping £66 million on average, or £553 per employee, on adopting GDPR.
Speaking of big numbers: non-compliance with GDPR may result in a hefty fine of up to €20 million or 4% of global turnover (whichever is higher). But banks have a lot more to lose than that. The true cost of an exposed data breach is losing face. About 30% of people would switch to another bank in a flash if their personally identifiable data was leaked, according to a survey by Baringa Partners. Banks can’t allow that to happen, especially now that one of their most important assets in competing with digital disruptors is their reputation, management consultant firm Zeb says.
With less than half a year to go until GDPR takes effect, most financial institutions should now be close to completing all the groundwork. As previously outlined by Zeb, the general tasks banks need to address fall into three core areas: organization, processes and systems. These include setting up an operating model for data protection governance (complete with the role of the DPO, for example), and putting processes in place for customer consent management, data removal and data portability. Mapping personal data and reviewing IT systems for data storage are also key.
What can banks expect?
And that’s not all. GDPR provisions will also affect how banks develop new products, recruit new customers or extend credit. Here are some of the provisions that are most likely to give them a headache:
New products, risk profiling: GDPR requires banks to conduct a privacy impact assessment (PIA) every time a new product is considered for implementation. Process management firm EXL Service also stresses that data over-retention requires pseudonymization, a security technique that swaps sensitive, identifiable personal data for dummy data. When done right, pseudonymization can offer more data processing possibilities, including profiling, Deloitte says. Profiling may involve collecting data for customer insights or considering credit scores before granting credit.
Customer onboarding: GDPR expects companies to get explicit consent from customers for storing and using their data. This provision means a huge increase in documentation obligations for banks, Zeb says. Goodbye, pre-ticked boxes and hidden contractual statements, including everyone’s favourite, “by using this service you agree to all aspects of data processing”! But consent “does not equal checkbox bonanza”, according to Norwegian fintech Quesnay. It argues that GDPR differentiates between “unambiguous indications of wishes” (simple consent) and explicit consent, which is only needed for the processing of special data categories, such as biometric data or information about religion or sexual orientation.
Consumer lending: Customers will have the right to ask banks not to take any automated decisions using their personal data, and to have financial institutions reconsider such decisions. The provisions also make sure that customers can object to outcomes resulting exclusively from automated data processing, with no human intervention whatsoever. This affects, for example, automatic refusals of online credit applications or automated decisions about credit limits based on spending habits and location, Brodies LLP says.
Customer offloading: GDPR provides people with the option to withdraw consent and have all the information a company is storing about them removed. This means banks need to implement technical and organizational measures to be able to respond to such requests and offboard personal data, says Laura Glynn, director for regulation at Fenergo. Client offboarding is defined as the proactive management and removal of redundant, obsolete or incorrect information held on clients, accounts and assets.
GDPR has upsides, too
But there’s another challenge banks will be facing, come 25 May: a potentially large volume of customer requests flooding in regarding the data banks store about them, according to Consultancy.uk. Under GDPR, individuals will have the right to find out whether or not their personal data is being processed, where and for what purpose. And about 72% of customers are likely to ask that, according to a Baringa Partners survey. If banks fail to prepare for this rush, they can face serious issues and even fines.
But let’s not forget that GDPR also has its upsides. It can improve operations and build reputation, PwC says. Not to mention that it may also uncover hidden digitalization opportunities as well as help boost customer trust. And as an added bonus, well-structured databases could pave the way for more customer-focused relationship management in bank front office operations.