What is the GDPR and who does it catch?
The General Data Protection Regulation (GDPR) is Europe's new framework for data protection. It replaces the 1995 Data Protection Directive which many member states’ national laws – including the UK’s – are based upon.
The EU argues that the regulation is designed to harmonise data privacy across Europe and give greater protection and rights to individuals, increasingly wary of companies’ treatment of their personal information. The rules catch all companies worldwide that collect or use personal data of EU citizens.
All these in-scope companies, which include law firms as well as banks, will need to work out what data they hold on their customers, where they hold it, if they have permission to do so, whether it is safely stored and how they can extract it in a portable form.
When will it apply?
After more than four years of discussion and negotiation, GDPR was adopted by both the European Parliament and the European Council in April 2016. The underpinning regulation and directive were published at the end of that month and will come into effect on May 25 2018. The two-year preparation period has given businesses and public bodies covered by the regulation time to, in theory, prepare for the changes. “But from sometime in 2015, the market knew 90% of what was in the GDPR,” according to Alex Brown, partner at Simmons & Simmons in London. “It was my sense that most banks kicked off that process in 2015, and were ahead of many other businesses.”
Is this a problem exclusive to consumer rather than capital markets banking?
No. It applies to every business that has access to an individual’s personal data – organisations that own that data (data controllers) or that process the data (data processors). And although capital markets activities often only relate to provision of capital to corporates rather than individuals, there will be some degree of personal data that is always captured. All banks should be concerned.
Why are banks worried?
A few reasons. Starting with the requirements themselves, customer data will need to be treated in an entirely new way, which will require a huge amount of backoffice work. A single customer’s data may be held on more than 100 systems, each of which can take weeks – or even months – to change. Making those changes across all fields will be quite an undertaking.
Marketing will also be affected. Although a simple task from a compliance perspective, the GDPR’s treatment of marketing messaging is expected to hit banks hard too. The rules require companies to offer only opt-in marketing materials, which require customers to consent to receiving communications. Studies show that most consumers are less likely to opt-in than opt-out.
But the headline grabber is the sanctions. The GDPR states smaller offences could result in fines of up to €10 million ($11.9 million) or two percent of a firm's global turnover (whichever is greater). Those with more serious consequences can face fines of up to €20 million or four percent of global turnover (whichever is greater). These are larger than the £500,000 ($645,610) penalty the Information Commissioner’s Office (ICO) can currently wield and, according to analysis, last year's fines would be 79 times higher under the new regulation. “Banks are worried about getting this wrong and being hit with larger fines than we have seen recently,” said Brown.
Are concerns are justified?
Not necessarily. Elizabeth Denham, the UK’s’ information commissioner and person overseeing the UK’s enforcement of the rule has tried to calm these fears. "We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways," she said on August 10. "But we've always preferred the carrot to the stick".
Denham says there is no intention to overhaul how her office hands out fines and regulates data protection across the UK. She adds that the ICO prefers to work with organisations to improve their practices and sometimes a stern letter can be enough for this to happen.
What should banks be doing now?
The regulation includes the right to be informed when companies are collecting and processing data and the rights of individuals to access it, erase it and object to its collection. All this means that banks should be frantically reviewing their data collection activities, if they haven’t done so already.
The GDPR also creates the need for a data protection officer. Most banks will have at least one of these already, but they will all need to appoint one within the EU even if they have no physical presence there. These officers will work with the national data protection authority in the location of the so-called main establishment of the EU-related entity. According to Andrea Wallack, chief executive officer of NightOwl Discovery, much will hinge on that definition of main establishment, and it’s likely to be hotly contested up until May 2018. Most banks should also have a central privacy team that sits across all the divisions, running a central programme that looks across all their business units.
Will banks be compliant by the May 2018 deadline?
Almost certainly not, according to Brown. “No big business is going to be fully compliant. It is impossible,” he says. For instance, compliance with data retention rules is particularly hard in relation to the amorphous nature of expunging data stored on email. One of the key GDPR requirements is the need for firms to hold personal data no longer than the period it is needed by the business.
Brown cites the example of salary information as a potential sticking point. Many companies may hold an employee’s salary information for six years in case it’s required in any future litigation. While it’s simple for the human resources to delete the spreadsheet after the given period, in most cases the document will have been emailed within the company. “That is one rule where almost every large organisation is going to struggle to comply. Email is a soupy problem,” says Brown.
Is there a silver lining?
There could be. Although simply complying with the rules will likely remain the priority until May 2018, there will be opportunities too. On a practical level, the result will be a much-needed harmonisation of data protection laws across member states, making it easier to share data across borders.
And some banks could benefit. Chris McMillan, a partner at Oliver Wyman consultancy thinks that the nimblest institutions will try to turn the new law to their advantage by becoming the main data hub for their customers, for instance by offering to check if they are getting the best deal from their mobile phone or electricity provider. “A bank could see you have a direct debit to a telco and ask you for permission to request the data from the telco to check you are getting the best deal,” he told The Financial Times in May. “That would be a compelling proposition for a customer, knowing their bank is trying to save them money.”
Cyber and regulation key obstacles to fintech innovation
Banks harbour doubts over new Privacy Shield
For more primers, click here