We speak to Payments Cards & Mobile about how the majority of organisations think they’re GPDR compliant and actually aren’t. The fines that could be imposed for non‐compliance could be up 4 percent of global annual turnover or 20 million euros – whatever is the greater.
Data privacy is driving the European Union’s General Data Protection Regulations (GDPR) in the UK, and yet it’s widely felt that banks and other financial services institutions have run out of time to find ways to comply with the requirements. Looming on the horizon for failing to comply is a dark cloud of significant financial penalties.
“This is deliberate and removes the ability of organisations to argue that paying a small fine (typically the level issued by the Information Commissioner’s Office) is cheaper than following with the law. The ICO now has no excuse but to start enforcing the data protection regulations as it should have done under the earlier régime. Parliament will need to hold the ICO to account if it does not enforce the régime properly.”
- Lars Davies, CEO Kalypton
“Most banking and financial services companies are woefully behind” says Davies. He adds: “Actual figures are hard to come by, but the media is beginning to highlight the issue. See, for example ‘Businesses failing to prepare for EU rules on data protection’, The Financial Times, 18 June, 2017.” He also highlights a report in Risk.net, whose article headline and standfirst compare the demands created by GDPR to “boiling the ocean”, claiming that GDPR’s data demands are overwhelming the banks. It adds: “Re‐papering of existing contracts could stretch beyond May 2018, forcing dealers to rely on regulatory forbearance.”
Top tips: Tech deployment
To assist banks and financial services organisations to comply with GDPR, Davies and Thomas offer 6 top tips for deploying new technology to solve GDPR and to protect data privacy:
- Read the regulation.
- Stop making excuses.
- Understand that you cannot derogate your responsibility to suppliers or third parties.
- Make sure that the technology you implement does not require the use of a regulatory sandbox.
- Make sure that your suppliers understand the requirements of the GDPR.
- Measure the ROI of this effort in terms of not just reactive compliance but in developing a differentiator of trust.
Davies then concludes: “This late flurry of activity to meet a regulation driven deadline is typical of the financial services industry. The industry really needs to get out of a reactive mode of operation and into a mode of operation that proactively considers security and privacy from the bottom up.” He also finds that there is an increasing “acknowledgement that financial services companies are really technology companies and that data is their biggest asset.”
So, in his opinion the objective has “therefore to be the trusted holder of sensitive customer data. This contrasts significantly with the business model of the likes of Google and Amazon, who provide loss‐leading services to capture that data and monetise it.” At the end of the day, trust is a vital part of compliance.