On May 25th, 2018, the biggest overhaul of EU data protection law will come into force for all EU Member States with the introduction of the General Data Protection Regulation (GDPR).
This date will mark the passing of 23 years since the Data Protection Directive initially took root in 1995. Back then, we were paying for goods and services mainly with cash or checks, and using dial-up internet to browse online (shopping online was still an alien activity for most of us at that early stage). This was also a time long before the proliferation of email, payment technologies and instant social media that we interact with today.
Twenty-three years later, the world has become a more digitalized and globalized place and our data protection legislation must be strengthened to keep up with these advances.
Whilst the basic principles of existing national data protection regimes will be retained, GDPR will introduce several new concepts, including new and enhanced data subject rights, which will have an impact on how banks handle, store, access, use and transfer data.
At the very core of this new regulation is the recognition that the ownership of data resides with the individual, not with the data controllers/ processors.
What is GDPR?
GDPR, one of the most lobbied regulations in the EU (taking a full four years of negotiation and ratcheting up 4,000 pieces of amendments before finally reaching consensus), marks a significant development in the field of data protection legislation.
It offers a far more rigorous approach to the protection of data privacy than its predecessor, introducing considerable updates to align data protection laws with the technological advances made over the last two decades.
Its key aim is to protect natural persons in the European Union (EU) regarding the processing of personal data (1) and to enshrine the protection of personal data as a fundamental right in supranational law. In an increasingly digitalized and globalized world, GDPR provides a single data protection framework for all banks and financial institutions processing data within the European Union.
The stakes are high
GDPR introduces substantial financial penalties for firms failing to meet the new rules on the management of personal data of EU residents. Under the new regulation, banks could see fines of up to €10m or 2% of their global turnover or up to €20m (2) or 4% of global turnover (or whichever is greater) depending on the gravity of the offence. This is a considerable increase compared to previous penalties. To put it into context, fines for offenders under the UK Data Protection Act 1998 are capped at £500,000. As a result, this potentially could be one of the highest punitive regulations to hit financial institutions in quite a while.
Banks are particularly impacted by GDPR due to the vast volumes of data and documentation collected, held, stored, processed and used relating to private individuals, the majority of which are deemed to be confidential and sensitive in nature. For this reason, banks may find themselves in the immediate line of sight for regulators seeking to set a tone and an example with an early fine or two.
GDPR will certainly have a significant impact on Client Lifecycle Management activities, increasing the regulatory requirements related to client and counterparty data protection for banks, and will have far-reaching effects on banks’ operations, processes, systems and organizations.
However, there is an upside.
GDPR has the potential to act as a catalyst for banks to improve client and counterparty data management practices, policies, systems and operations.
Data is traditionally one of the biggest challenges facing banks, as they seek to move from existing siloed and disconnected repositories to more digitalized and integrated data environments.
According to Chartis Research in their report on Risk IT spend in 2017 (3), the biggest area of risk technology spend for Tier 1 banks is on risk, governance and integration technology, especially data integration, estimating the worldwide market to be in the region of $23.8bn in size, growing at a rate of 6% since 2016. GDPR represents an opportunity to not only rethink data protection but data management, building on existing data management capabilities to achieve true data integration and the creation of a 360-degree view of all clients and counterparties.
The question is, are banks ready for GDPR?
Right now, the answer to that is most likely no, at least not fully prepared. Banks will need to get to grips with this new stringent regulation well before next May; however, they are prevented from doing so due to the level of uncertainty that prevails across the board, with guidance coming out in a piecemeal fashion from supervisory authorities. In the absence of industry standard models or final guidance, many banks are hesitant to make substantial amendments to their business processes.
Despite the lack of clarity, guidance and preparedness, non-compliance is not an option given the significant punitive damages associated with this regulation. Banks are hopeful that regulators and supervisory authorities will issue more guidance and clarification before the May deadline.
There’s no doubt that GDPR is a massive operational, compliance and technological challenge for banks and particularly more so given the large volume of personal data coursing through their organizations. To stay compliant, banks will need to undertake a root-and-branch review of how
In our next blog, we will further examine the impact of GDPR on Client Lifecycle Management processes, particularly in the areas of compliance, client and counterparty data management, client onboarding and offboarding.