The Veritas GDPR 2017 Report surveyed 900 business decision-makers across eight major countries, and although 31 percent of the respondents believe they are already compliant, Young says the study shows that they are not compliant with GDPR.
Data privacy is driving the European Union’s General Data Protection Regulation (GDPR) in the UK, and yet it is widely felt that banks and other financial services institutions have run out of time to find ways to comply with its requirements. Looming on the horizon for those that fail to comply is a dark cloud of significant financial penalties. Ashton Young, writing for Data Centre News on 26th July 2017 in his article ‘Majority of Organisations Think They’re GDPR Compliant Actually Aren’t’, cites a global study by Veritas which says the fines that could be imposed for non-compliance could be up to 4 percent of global annual turnover or 20 million euros – whichever is the greater.
“This is deliberate and removes the ability of organisations to argue that paying a small fine (typically the level issued by the Information Commissioner’s Office) is cheaper than following the law. The ICO now has no excuse but to start enforcing the data protection regulations as it should have done under the earlier regime. Parliament will need to hold the ICO to account if it does not enforce the regime properly.”
– Lars Davies, CEO, Kalypton
“Most banking and financial services companies are woefully behind,” says Davies. He adds: “Actual figures are hard to come by, but the media is beginning to highlight the issue. See, for example, ‘Businesses failing to prepare for EU rules on data protection’, The Financial Times, 18 June 2017.” He also highlights a report in Risk.net, whose headline and standfirst compare the demands created by GDPR to “boiling the ocean”, claiming that GDPR’s data demands are overwhelming the banks. The report adds: “Re-papering of existing contracts could stretch beyond May 2018, forcing dealers to rely on regulatory forbearance.”
New tech design
Despite this, he feels that new technology can help organisations comply with GDPR, but it needs to be technology designed with data privacy in mind: “Most ‘new tech’ is new technology for the sake of it. To be classed as a solution, it needs to solve a problem. To solve a problem, that technology needs to be designed to meet the legal requirements, operational requirements, and technical requirements that pertain to that problem.”
“That is why we designed Tereon to provide distributed trust in private ledgers rather than DLT,” he says, before elaborating: “The customer data is held only in the ledgers of their financial services provider. The audit trail relating to that data is shared widely so that the integrity of that data can be validated without having to expose the data or even the data traffic itself.”
Alun Thomas, an investor in Kalypton, believes that GDPR compliance needs to be a structured consulting process supported by new technologies. “The argument is that if you manage the data cycle correctly, capturing it, maintaining it with control of access and authenticity, and then destroying it, then the problem, be it MiFID or GDPR or whatever, is solved,” he claims. He believes there is too much follow-the-leader in fintech, and so he thinks it is important to go back to first principles to deliver tools that permit a radical change. When people jump on a bandwagon, there is no room for innovation and no space for improvement. All you get is hype.