Impact of GDPR on the Financial Services Will Be “Significant”

Impact of GDPR on the Financial Services Will Be “Significant”
February 02 12:19 2015 Print This Article

EU GDPR Summit | Data Security & ProtectionLast week I chaired a seminar jointly organised by the Worshipful Company of Marketors and the Financial Services Forum at Cass Business School on the impact of the EU General Data Protection Regulation (GDPR) on the financial services sector.

EU-Reg-seminar-at-Cass-BusiOn the panel (L-R) were Martin Hickley, a data governance, protection and privacy specialist; Hazel Grant, partner and head of privacy and information law at Fieldfisher LLP; myself; Jenny Moseley, director and co-founder of Opt-4 and Chris Wood, head of business compliance in the UK for HSBC.

The journey of the GDPR to the present day has been a long and at times controversial one. In January 2012, the European Commission (EC) issued a proposal for a European-wide data protection reform.

In March 2014, a first reading of a draft bill went through the European Parliament and a second version was voted on by the Council of Ministers – in effect creating two drafts of the same Regulation with significant differences between them with the Council of Ministers declaring that nothing is agreed until everything is agreed.

To date these drafts have had more amendments than any previous body of EU regulation and given the priority to gain consent on this landmark regulation by EC President Jean-Claude Juncker, many believe that the GDPR will be agreed by all parties by the middle of 2015.

Although differences remain, the feeling among the panel was that the financial services sector can’t adopt a ‘wait and see’ approach in the vain hope it will go away. It won’t.

Data protection and the security of data is perhaps the biggest issue facing the sector from a business continuity perspective as to get this badly wrong opens the door to punitive fines of up to five percent of global turnover or €100m.

To underlie the vulnerability that large organisations have to becoming a victim of a data breach on grand scale, just 30 minutes before the seminar begun, both Facebook and Instagram were hacked by Lizard Squad, resulting in a ‘denial of service attack’ – denied by Facebook.

Either way, 1.6bn users of the social network couldn’t access their accounts for over half an hour. Lizard Squad and other hackers like them represent a continuing threat to the data that financial services firms hold on servers that can be infiltrated by those who are determined to carry out such attacks.

Under the new GDPR, data protection authorities (DPAs) will ‘hold hands’ and in doing so provide a so-called one-stop shop for complainants of financial services firms irrespective where the issue took place within the EU.

The GDPR will effectively replace the former Data Protection Directive 95/46/EC as well as make the existing Data Protection Act 1998 redundant by bringing in a European-wide approach to data protection and security that moves away from the patchwork approach that exists at present. It also places data processors and data controllers with equal legal responsibilities with respect to the transfer and use of data.

A proposed ‘data protection seal’ will notify consumers that the financial services firm complies with the supervisory authority and can transfer data to third parties on a lawful basis in the hope that consumers will be reassured about the higher standards of data protection that such a firm complies with.

The obligation to report breaches – however small – will be the responsibility of the Data Protection Officer (DPO) who will work independently within a large financial services organisation and the reporting of such breaches is likely to be done within 24 hours.

Some of the concerns on the panel of data protection experts was around slippage in the timetable to introduce the GDPR and that delays had created a false sense of comfort for senior executives who may not appreciate the threat to business continuity that the GDPR actually represents.

The issue of customer consent was also widely discussed and it’s clear that many banks are re-wiring their approach from the position of protecting the customer as the paramount principle in how they manage their business.

Under the new EU Regulation, financial services firms must obtain consent and this must be freely given for a specific purpose rather than for some blanket purpose. However, there’s still some argument between lawyers as to whether implied consent is a dead duck – and some lawyers feel that implied consent in certain circumstances will still be lawful under the GDPR.

A major cause for a data breach can be identified as human error and clearly the issue of education and training will be core to the way in which this risk within financial services can be reduced.

However, there was a recognition, particularly with junior staff, that such a risk could never be 100% eradicated, leaving open the possibility of fines and sanctions as a real possibility under the GDPR. Typical human error includes the failure to encrypt data, a lack of privacy policies and even mis-directed communications, whether post, fax or email.

As well as fines, DPAs like to ‘name and shame’ those firms that have fallen below the standards expected of them and the reputation damage to the brand in such cases could easily outstrip the financial penalties imposed. For example, the French authorities recently forced Google to publish details on non-compliance on its home page for 48 hours. Google complained but lost its case in the courts.

Top Ten Tips for marketers

  • Write down a set of data protection policies and procedures and ensure that these are compliant with the GDPR. Such policies and procedures should include what actions need to happen in the event of a data breach.
  • Consider what breaches might do harm to customers/clients and pay particular attention to mitigating these risks. The most serious are either financial fraud or identity fraud, so marketing professionals should pay particular attention to passport details and other personal information stored on their servers.
  • All companies need to invest in education and training all employees involved in collection and processing of data with a view to reducing the risk of human error and as far as possible try and automate as many processes as possible in order to reduce the risk of human error.
  • All companies need to set very clear, fair and transparent rules for obtaining customer consent.
  • All companies shouldn’t keep data forever – unless of course it’s to ensure that they don’t contact someone who has expressly said that they don’t want to be contacted in the future and not having such information could lead to them being contacted again by accident.
  • All companies should have a policy for destroying out-of-date data.
  • All companies need to recognise the risk of consumer activism where one aggrieved customer can very quickly galvanise a mass campaign against the brand on Twitter and social network sites.
  • Marketing professionals need to integrate data protection fully into all business processes and not treat this as an add-on or side issue.
  • Marketers should consider the GDPR as a marketing opportunity and potentially a source of competitive advantage by performing data processing tasks more efficiently and accurately.
  • Customers should be treated as a source of business rather than a piece of data and need to be treated fairly, with respect to their rights to privacy and without cynicism.

Article originally published here.

view more articles

About Article Author

GDPR Associates
GDPR Associates

View More Articles
write a comment


  1. janie.carls
    June 25, 14:56 #1 janie.carls

    Thanks for finally talking about >Significant Impact of
    GDPR on Financial Services | EU Data Protection & Privacy <Loved it!

    Reply to this comment
  2. Stephaine Lindblom
    July 13, 13:26 #2 Stephaine Lindblom

    I absolutely love your blog.. Excellent colors & theme.

    Reply to this comment
  3. wallywilkes
    September 10, 20:19 #3 wallywilkes

    Have you ever considereԁ publishing an e-book or gueѕt authoring on other
    websites? Ӏ hаve a blog based on the same іnformatіon yoᥙ discuss and would reаlly like to have you share some stories/informɑtion. I know my readeгs
    would appreciate ʏour work.

    Reply to this comment

Add a Comment