Banks face a major compliance challenge once GDPR applies. If customers decide en masse to ask what data is held about them, banks will face a daunting task responding to every request. If processes and data governance are not ready for a potential tsunami of data subject access requests, banks risk serious operational problems and even fines.
The General Data Protection Regulation (GDPR), which applies from May 2018, could see businesses globally stung for billions, with a recent study by Oliver Wyman predicting that FTSE 100 firms could be hit by around $5 billion in fines each year. The regulation protects EU residents from a range of potentially abusive, manipulative and unsafe uses of their data, which means that companies may be caught out unless they update their practices radically. Those found in breach of the new legislation will be liable to fines of up to €20 million or 4% of global annual turnover, whichever is higher.
The severity of GDPR fines is most often discussed in the context of a data breach at a bank. However, the stringent punishments will not be confined to breaches in the financial sector, nor to firms based in the EU: GDPR covers any firm, wherever it is located, that handles the data of EU residents. Recently, the Hilton Hotel chain was fined $700,000 for a data breach in New York state. Under the GDPR, that fine could have been $420 million. In Hilton's case, that roughly translates as $2 per lost record versus $1,200 per lost record.
The implementation of GDPR is chiefly aimed at empowering consumers to take back control of their data. According to a new survey from Opinium among 2,000 UK professionals, commissioned by Baringa Partners, they are likely to do just that. Nearly three quarters (72%) of the respondents indicated they are likely to ask what personal data is held on them if their bank is obliged to respond. Under GDPR, individuals have the right to find out whether or not personal data concerning them is being processed, where and for what purpose.
GDPR obliges banks to provide customers with a free copy of the personal data held on them within one month of the request (extendable by a further two months for complex or numerous requests, provided the customer is told why). Failing to honour a subject access request is not a minor infringement: breaches of data subjects' rights fall into the higher tier of GDPR fines, so while a maximum penalty is unlikely for a single missed request, the exposure is the previously mentioned 4% of a firm's global annual turnover.
In terms of complying with customer requests, however, banks face a real issue in the sheer volume of requests they may soon receive. Even if only half of the reported 72% follow through on making a request, that proportion would see over 18 million people in the UK file one. Responding to each request is a substantial task. It requires that digital processes are aligned across the back office: records can sit in core banking systems but also in sales and marketing or other areas. It also requires sound data governance, so that the data can be located, collated and handed over to the customer without friction.
According to a warning from Daniel Golding, Director at Baringa, “Firms that lack centralised data governance systems will struggle to respond in an efficient and timely way.” Down the line, this ultimately means they may face higher costs.
Worryingly, researchers have shown that many firms are not fully prepared. To be properly prepared, Golding contended that banks first need to ensure that they understand all the personal data that they hold across their systems. Then they should consider investing in new or enhanced operational systems that allow them to easily trace and erase personal data when customers ask them to. He stated, "Ultimately, it's about creating a holistic and highly responsive data governance system."
Compliance with customer privacy requests presents a major risk for banks following GDPR. The knock-on effect of data breaches, which will likely become far more transparent and public because GDPR requires them to be notified, may well see customers lose trust in their banks.
“Almost a third of people (29%) say that they would immediately switch to another bank if their provider suffered a major breach where their personally identifiable data was leaked,” said Golding, before concluding, “From next May, data governance becomes a real bottom line issue, with customer retention at risk, as well as the potential for staggering fines should data requests go unheeded.”