New technology solves GDPR for Banking and Financial Services

We speak to Payments Cards & Mobile about how the majority of organisations think they're GDPR compliant and actually aren't. The fines that could be imposed for non-compliance could be up to 4 percent of global annual turnover or 20 million euros, whichever is the greater.

Data privacy is driving the European Union's General Data Protection Regulation (GDPR) in the UK, and yet it's widely felt that banks and other financial services institutions have run out of time to find ways to comply with the requirements. Looming on the horizon for failing to comply is a dark cloud of significant financial penalties.

"This is deliberate and removes the ability of organisations to argue that paying a small fine (typically the level issued by the Information Commissioner's Office) is cheaper than following the law. The ICO now has no excuse but to start enforcing the data protection regulations as it should have done under the earlier régime. Parliament will need to hold the ICO to account if it does not enforce the régime properly."
- Lars Davies, CEO Kalypton

"Most banking and financial services companies are woefully behind," says Davies. He adds: "Actual figures are hard to come by, but the media is beginning to highlight the issue. See, for example, 'Businesses failing to prepare for EU rules on data protection', The Financial Times, 18 June 2017." He also highlights a report in Risk.net, whose article headline and standfirst compare the demands created by GDPR to "boiling the ocean", claiming that GDPR's data demands are overwhelming the banks. It adds: "Re-papering of existing contracts could stretch beyond May 2018, forcing dealers to rely on regulatory forbearance."

Top tips: Tech deployment

To assist banks and financial services organisations to comply with GDPR, Davies and Thomas offer 6 top tips for deploying new technology to solve GDPR and to protect data privacy:

  1. Read the regulation.
  2. Stop making excuses.
  3. Understand that you cannot derogate your responsibility to suppliers or third parties.
  4. Make sure that the technology you implement does not require the use of a regulatory sandbox.
  5. Make sure that your suppliers understand the requirements of the GDPR.
  6. Measure the ROI of this effort in terms of not just reactive compliance but in developing a differentiator of trust.

Davies then concludes: "This late flurry of activity to meet a regulation-driven deadline is typical of the financial services industry. The industry really needs to get out of a reactive mode of operation and into a mode of operation that proactively considers security and privacy from the bottom up." He also finds that there is an increasing "acknowledgement that financial services companies are really technology companies and that data is their biggest asset."

So, in his opinion, the objective has "therefore to be the trusted holder of sensitive customer data. This contrasts significantly with the business model of the likes of Google and Amazon, who provide loss-leading services to capture that data and monetise it." At the end of the day, trust is a vital part of compliance.

Click here to read the entire article on www.PaymentsCardsAndMobile.com