Data has become one of the most valuable commodities in the world. Massive amounts of personal data are constantly produced and managed by a growing group of operators across nations, often with no control on the part of the individuals concerned. While conventional wisdom has been that data is acquired and owned by companies, the European Union’s General Data Protection Regulation (GDPR) sets out to return that control to individuals. Given this regulatory shift, the new order of data management will have its biggest impact on information technology, artificial intelligence, and big data analytics, all of which are components of operations in the financial industry.
On 25 May 2018, the GDPR became directly applicable in the EU member states, and it was extended to the European Economic Area countries on 20 July 2018. GDPR supersedes the 1995 EU Data Protection Directive 95/46/EC, strengthening several rights, including the right to be forgotten (erasure), the right to restrict processing, the right to object to certain types of processing, the right to data portability, the right to access one’s own data, the right to be notified of data breaches, and the right to rectify one’s own data. Under the new regime, penalties for non-compliance are steep: administrative fines of up to EUR 20 million or 4 percent of a company’s worldwide annual turnover, whichever is higher. It is also worth noting that although GDPR primarily affects organizations established in the EU, its reach extends well beyond EU borders: any entity that offers goods or services to individuals in the EU, or monitors their behaviour, must comply regardless of where it is established.
Financial institutions and banks are among the entities most affected by the regulation, since their business depends on storing and processing immense amounts of personal consumer data. As the financial industry moves to use such data at scale for analysis and forecasting, GDPR compliance becomes even more critical. GDPR touches almost every part of the industry, including customer onboarding, relationship management, accounting, data analysis and forecasting, marketing and sales, negotiation of business partnerships, and vendor management. For instance, even recorded customer call center conversations are personal data that must have a lawful basis and be managed under the regulation.
Under the new standards, the industry must adapt to stricter rules on customer consent: where consent is the lawful basis for processing, it must be freely given, specific, informed, and unambiguous before personal data is collected. Further, the “right to be forgotten” requires the industry to maintain accurate inventories of its data and know where each item is stored, so that customer requests for erasure can be carried out once there is no longer a justified need to retain and process that data. GDPR also obliges entities to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform affected data subjects, including consumers, without undue delay where the breach is likely to result in a high risk to them.
Entities whose core activities involve “large-scale systematic monitoring of individuals”, or large-scale processing of special categories of data, must appoint a data protection officer (DPO). This directly affects how institutions handle personalized marketing, fraud detection, and customer segmentation, all of which involve such monitoring. The DPO is responsible for macro-level data management, monitoring compliance, training personnel, conducting internal audits, and advising on data protection techniques.
Vendor management has also come to the forefront, given the growing trend of outsourcing technological functions and the resulting exposure of personal data to third parties. The financial industry will inevitably have to implement strict processes for its vendors and auxiliary companies that process customer data. In this respect, GDPR makes both the company (as controller) and its subcontractors (as processors) accountable for the processing, so that a company cannot dissociate itself from its vendors’ non-compliance.
Organizations that implement and maintain GDPR compliance will benefit from increased customer trust, improved loyalty, and good publicity, which in turn translate into monetary and reputational benefits regardless of their geographic location. The Court of Justice of the European Union has already shown a wide judicial reach, and the national supervisory authorities, backed by the European Commission, hold formal and informal powers to ensure compliance. It is therefore imperative for organizations, especially those managing large amounts of personal data such as financial institutions and banks, to follow the guidelines above and ensure full compliance with the new rules.