What Does GDPR Mean for Banks?

The EU's General Data Protection Regulation imposes accountability for protecting customers' and employees' personal data. It's drawing more attention to data privacy protection capabilities.

Anna Mazzone, managing director, Trunomi

Legislation is catching up with technological advances in the European Union, with consequences for banks that fail to protect client and employee data.

The General Data Protection Regulation (GDPR), published in the Official Journal of the European Union in April, takes effect on May 25, 2018. It is intended to harmonize and modernize a 21-year-old data privacy protection directive, "to better protect the right to privacy, which is a fundamental right in the EU, while laying the necessary conditions for the EU economy to make the most of big data," a European Commission spokesperson tells Inside Reference Data.

The regulation imposes transparency and accountability on data controllers (which could be banks, for example) and processors (those processing data for these banks), whether these are people or organizations; it strengthens individuals' rights; and it introduces an "extra-territoriality" component, applying not only to organizations within the EU, but also to those who do business with, employ or monitor EU residents. Larger organizations have to appoint a data protection officer.

A company that infringes could be fined up to 4% of global turnover; for banks, the reputational risk of being known as a firm that fails to protect client or customer data is harder to quantify but perhaps of even greater concern.

The commission says the GDPR is key to the development of the Digital Single Market, its plan to digitally integrate its 28 member states. The regulation is enforced by a "one-stop shop mechanism," which means companies will only have to deal with one single supervisory authority in their respective countries, an improvement on the current situation, where various agencies might investigate one infringement. The harmonization of a single market will save companies billions of euros by cutting red tape and will level the playing field, the spokesperson says.

Capital markets firms might not see how GDPR impacts them, says Anna Mazzone, London-based managing director at Trunomi. However, Trunomi estimates 800,000 businesses in financial services and insurance are impacted by GDPR.

"People in the capital markets arena think this regulation may not apply to them. They will say, 'We deal only with legal entities, we don't do business with individuals.' Well, they do!

"When you do know-your-customer on a legal entity, you have to collect the personal data of the officers or directors of the company, which means you are going to be collecting, at a minimum, their passport information. So you are going to be subject to GDPR and you have to have consent to access that information," says Mazzone.

Consent

Controllers and processors now have to get explicit, unambiguous consent from 'data subjects.' This consent cannot be obtained once and then presumed applicable for general use: banks have to get consent for each specific type of product or transaction. They will also have to authenticate whatever government identity document is submitted to them, which in a digital banking environment may be new to the firm, Mazzone says.

Additionally, individuals have the right to access their data whenever they want it, says J.P. Buckley, a director at law firm DLA Piper. "Financial services firms have very, very complex database systems. One customer record might come from a number of different systems," he says. "So it's very difficult at the moment for those organizations to comply with direct access requests, for example. If somebody submits a request for a copy of all their personal data, the firm now has 40 days to provide that. But because the database structure is so complicated, we increasingly see that it takes quite a bit longer to access it because there are so many different databases, so many different points of contact."

The potentially huge fines and the appointment of a data protection officer will elevate the importance of data protection to the board level, says Buckley. Additionally, the regulation could impact relationships between banks and their service providers.

Controllers are required to notify clients or employees within 72 hours if there is a breach of their data privacy, such as a hack. "Data processors are going to be regulated as well by this law, for the first time," says Buckley. "Previously, they have only had obligations under contracts that they have entered into. [Now], there will be a data breach notification obligation between these suppliers and the data controller, too."

Additionally, "organizations are going to have to more effectively document internally what they are doing with data, what permissions and contracts they have and what types of data are allowed to be processed and by whom," he says. "And they will have to manage all of these relationships much more than they have."

However, despite these challenges, the commission says the GDPR brings clear benefits for the financial services sector.

"First, it will simplify rules for cross-border trade. Financial services will have easier access to markets of other EU countries, as the administrative and legal costs for data processing in cross-country services will be lower. Easier access to foreign markets and lower costs for legal compliance will also diversify the EU market and help foster innovation in this business sector," the EC spokesperson says.

Buckley agrees the GDPR will bring harmonization, but notes that concessions have been made in about 50 or 60 areas to accommodate existing laws in some member states. "So, yes, it will increase harmonization a lot. Is it going to do so as effectively as we had hoped? Probably not."

Benefits

Compatibility aside, however, there are benefits to both processors and controllers, he says. "'Privacy by design' is another new requirement that comes in with GDPR. The idea behind this is that if you are creating a new system or aggregating systems across the globe, or if you are doing something different with data, you should design in privacy right from the beginning. This allows any risks to individuals' data to be mitigated during the design phase.

"I have seen cases where had this been applied it would have saved a lot of money and time. Often, privacy issues come up far too late in the process. Perhaps IT has been developing a system for some time and brings a lawyer in at the end and asks if the system can go live, only to hear that it can't because it's illegal."

Mazzone says that if firms understand the philosophy behind GDPR, the benefits will become clear.

"The commission is saying that what companies have to realize is that having access to personal information about you and me, this is an asset. And a company needs to protect that asset, just as it would any other, whether it's the building it owns, its manufacturing plants or the cash it has in the vault."

Banks that maintain consent in the right way, with a seamless digital experience where personal data is transparently managed and easily accessible in a portal, are building trust and loyalty, she says. "It will enable them to know their customer better, because clients will naturally start to share more information with them."

Mazzone concludes: "How you manage that asset has to be respected by the people that gave you that asset to use. Once banks understand this fundamental belief, the regulation starts to make sense not only as something that protects individuals, but also a driver that companies can turn into a positive in how they structure the business to grow revenue."
