Two years to comply: how must FIs adapt to incoming data privacy regulation?
This week marks exactly two years until the General Data Protection Regulation (GDPR) comes into force. It will fundamentally change the way that companies capture, manage and store information.
To comply with the GDPR, financial institutions face the prospect of having to completely overhaul legacy systems and practices in just 24 months.
Customer is truly king
Under the new regulation, every financial institution that collects, processes or shares an individual’s personal data will need to gain their “freely given, specific, informed and unambiguous” consent.
Banks will have to redraft the standard terms and conditions that are the bedrock of agreements with consumer and business customers. Critically, it must also be possible to withdraw this consent. A single blanket agreement will no longer suffice: financial institutions face a sharp rise in customer communication, because consent must be obtained for each specific use case.
Savvy organisations are already investigating digital means to manage this flow. However, it is not as simple as creating a process through which to ask for consent.
Under GDPR, institutions have to consider the need to capture gained consent in an auditable workflow. Undertaking this task with anything other than an automated, secure, digital communication link with the customer would be a huge administration and compliance burden.
New rights beyond consent
GDPR also legislates the Right to be Forgotten and Data Portability. Both aim to provide customers with greater control over their personal data and digital identity.
For the Right to be Forgotten, the regulation stipulates that consent should not be regarded as freely-given if the data subject (the consumer or entity) has no genuine and free choice and is unable to refuse or withdraw consent without detriment.
In a nutshell, individuals can request the erasure of their personal data. This includes an obligation on the financial institution to take reasonable steps to inform third parties with whom the data has been shared.
A “customer-driven” approach to information sharing is becoming increasingly attractive to financial institutions grappling with this new privacy agenda. This enables the customer to both share and rescind data on a case by case basis. To administer this approach, firms are exploring digital rights management services that create a digital ‘vault’ for customers to store their personal data.
Digital Rights Management for personal data not only enables the Right to Be Forgotten but also simplifies and streamlines Data Portability. In two years' time, when the GDPR comes into force, customers will be able to request copies of their personal data in a usable format that they can transmit electronically to another processing system.
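The points above (per-use-case consent, withdrawal, an auditable trail, erasure and a portable export) can all be served by one record-keeping structure. The following is an added illustration, not Trunomi's product or any GDPR-prescribed format: an append-only, hash-chained consent ledger in Python. Subject identifiers, purposes and timestamps in it are constructed; the class and method names are assumptions made for the example.

```python
import hashlib
import json
import time
from dataclasses import dataclass

# Illustrative consent ledger (not a vendor product). Each consent grant,
# withdrawal or erasure is an event linked to the previous one by SHA-256,
# so an auditor can detect any later alteration of the record.


@dataclass
class Event:
    seq: int          # position in the chain
    kind: str         # "grant", "withdraw" or "erase"
    subject: str      # pseudonymous data-subject identifier (constructed)
    purpose: str      # the specific use case consented to ("" for erase)
    ts: float         # time the event was recorded
    prev_digest: str  # digest of the preceding event
    digest: str = ""  # digest of this event, filled in on append

    def compute_digest(self):
        body = json.dumps(
            [self.seq, self.kind, self.subject, self.purpose, self.ts, self.prev_digest],
            separators=(",", ":"),
        )
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


GENESIS = "0" * 64


class ConsentLedger:
    def __init__(self):
        self.events = []    # the audit trail itself
        self.consents = {}  # subject -> set of purposes currently consented

    def _append(self, kind, subject, purpose, ts):
        prev = self.events[-1].digest if self.events else GENESIS
        ev = Event(len(self.events), kind, subject, purpose,
                   time.time() if ts is None else ts, prev)
        ev.digest = ev.compute_digest()
        self.events.append(ev)
        return ev

    def grant(self, subject, purpose, ts=None):
        # Consent is recorded per specific purpose, never as a blanket flag.
        self._append("grant", subject, purpose, ts)
        self.consents.setdefault(subject, set()).add(purpose)

    def withdraw(self, subject, purpose, ts=None):
        # Withdrawal must be as easy to record as the grant was.
        self._append("withdraw", subject, purpose, ts)
        self.consents.get(subject, set()).discard(purpose)

    def erase(self, subject, ts=None):
        # Right to be Forgotten: drop the live consent state. A tombstone
        # event stays in the chain so the erasure itself remains auditable.
        self._append("erase", subject, "", ts)
        self.consents.pop(subject, None)

    def is_consented(self, subject, purpose):
        # The check a processing system should make before using the data.
        return purpose in self.consents.get(subject, set())

    def export(self, subject):
        # Data Portability: a machine-readable snapshot (json.dumps-ready)
        # of the subject's current consents and their full history.
        history = [
            {"seq": e.seq, "kind": e.kind, "purpose": e.purpose, "ts": e.ts}
            for e in self.events if e.subject == subject
        ]
        return {"subject": subject,
                "consents": sorted(self.consents.get(subject, set())),
                "history": history}

    def verify(self):
        # Auditor's integrity check: every event must link to its
        # predecessor and still match its recorded digest.
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_digest != prev or ev.digest != ev.compute_digest():
                return False
            prev = ev.digest
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("subj-0001", "marketing", ts=1.0)       # constructed sample
    ledger.grant("subj-0001", "credit-scoring", ts=2.0)
    ledger.withdraw("subj-0001", "marketing", ts=3.0)
    print(json.dumps(ledger.export("subj-0001"), indent=2))
    print("chain intact:", ledger.verify())
```

The live `consents` map answers the question a processing system has to ask at the moment of use, while the chained `events` list is what a regulator or internal auditor would inspect; keeping the two separate means the check stays cheap and the trail stays tamper-evident.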
The cost of non-compliance
Financial institutions have been given a very real incentive to address these new requirements, facing far more stringent penalties than ever before for mishandling data.
The GDPR will impose a significant financial penalty of 4% of annual global turnover or €20 million, whichever is greater. Individuals and businesses alike have come to expect their data to be handled responsibly. They may vote with their feet if data is mishandled or misused.
As regulation becomes more sophisticated, so too must the technology that powers the customer experience, risk, compliance, and many other critical functions.
Financial institutions that are facing these pressures are increasingly collaborating with regtech startups. Regtech businesses offer solutions that integrate with institutions’ existing technology, making it as simple as possible for them to “plug in” compliance solutions that can help meet stringent deadlines such as GDPR in May 2018.
In today’s climate of increased legal scrutiny and reputational vulnerability, it is unthinkable for an organisation not to take all efforts to reduce corporate risk and eliminate liability, especially in relation to global data protection challenges.
If the regulatory environment is not compelling enough, many institutions are already struggling to engage new customers via digital channels. Industry reports of account-opening abandonment rates of 30-40% underline the significant challenge ahead.
The need for effective digital user experiences is clear: technology can improve efficiency for the bank; provide an auditable trail and clear proof of consent for regulators; and build loyalty and trust for customers.
Consent governed by the EU GDPR will be enforced in just 24 months. The clock is ticking. While 2018 may seem a long way away, legacy processes aren’t overhauled overnight.
By Stuart Lacey, CEO and founder of Trunomi