Written by Jon Szehofner
GD Financial Markets’ Partner, Jon Szehofner, addresses some of the key questions relating to GDPR for financial services institutions:
What has been the impact so far of GDPR on customers?
“The May 25th deadline for GDPR has come and gone, and for most people the most tangible aspect was probably the flurry of emails they received in the run-up to the deadline, mostly containing privacy notices from companies they had forgotten they had signed up with in the first place. Brief coverage in the news over the go-live period highlighted that the majority of members of the public were unaware of what GDPR stood for or what it meant for them. This may well have been the first and last that they will hear about GDPR, and for companies it may be tempting to think that the hard work is done and it is back to ‘business as usual’.”
What has been the impact so far on UK financial services institutions?
“We can all read the GDPR regulations; the Information Commissioner’s Office has provided a number of straightforward guides to the regulations. However, implementation of the new rules comes with some pretty significant practical implications, and while companies have put in place procedures to reflect the rules, I suspect these are to a great extent untested.
“Looking specifically at the banking sector, I have heard many within the industry describe the job of trying to comply with the regime across all their global businesses as thankless, and as a consequence they have needed to prioritise certain requirements over others. Many acknowledge that even the requirements that were implemented are likely to be untested or not properly embedded, and that they are now very much focused on scoping and delivering the Day 2 plan and could even find themselves relying on regulatory forbearance on some matters (e.g. updating and executing third party contracts).
“From a risk management perspective and with respect to any attempts made to quantify potential losses from a data breach, banks are expressing a need for better tools that enable these calculations. Similar to what we see in how banks measure Credit and Market risks, they need greater investment and allocation of resources to enable them to forecast exposures to data misuse and breach.”
How much on average is GDPR compliance costing UK financial services firms?
“According to research conducted by SIA Partners, the implementation costs of GDPR for banks have been on average £66 million, which is the highest of any sector. The average implementation cost for financial services companies (non-banks) was much less, although still significant at £8 million.
“The higher implementation cost to banks can in some part be explained by the complexity of systems architecture and the fact that banks have many other regulatory (and other) requirements to comply with. They have an enormous obligation to protect consumers and simultaneously comply with a number of other provisions that protect people.”
Will working with other European companies become more or less difficult for UK financial services firms?
“As an EU regulation, the GDPR will make working/transacting with other European companies easier because we have harmonised standards for processing and using data. For the UK and its banks, this will of course depend on any changes that may occur as a result of leaving the European Union and whether the UK diverges from the spirit of the regulation.
“That said, the GDPR does enforce stricter oversight obligations of any third party providers that have access to or process personal data. These requirements need careful consideration and ongoing proactive management.”
Have we seen any major data breaches? What actions have been taken and what can we learn?
“There have been a number of breaches identified since 25th May. Although not in financial services, it is worth looking at two of the more significant ones – Ticketmaster and Dixons Carphone.
“Ticketmaster suffered a malware attack through a third party that processes the company’s data. This impacted 40,000 customers. This case is particularly interesting because the breach took place over a period of time which spans both the 1998 Data Protection Act and the 2018 Data Protection Act (GDPR) i.e. it happened over the period of time before, during and after the GDPR deadline came into effect. The ICO’s response to this, which is currently in the evidence-collection stage, may therefore set the tone for future cases of data breaches. What’s more, Ticketmaster had been warned of possible data security issues in April by Monzo, who had noted fraudulent activity on some of its clients’ accounts. Ticketmaster will therefore be subject to scrutiny on their investigation procedures which were either not appropriate or were appropriate but found nothing.
“The other major recent data breach was at Dixons Carphone, which has seen repeated data breaches, having been fined £400,000 in 2015 under the Data Protection Act 1998. Interestingly, the latest breach occurred before the May 25th deadline but was not discovered until after that deadline. As a recurring issue, the regulators may take a dim view of the apparent lack of progress that has been made in addressing data security and processing concerns at Dixons Carphone.
“Both of these will prove interesting use cases to financial services firms. The Ticketmaster example in particular brings into greater focus the need for an appropriate oversight/governance of third parties who access/process personal data – a practice that is commonplace within financial services.”
How comfortable are you with your current level of GDPR compliance?
“We have seen many organisations take a risk-based approach to delivering GDPR compliance i.e. accepting that delivering all of the stated requirements by the compliance deadline is not achievable and therefore prioritising the most important (the requirements that would leave the organisation most exposed from a legal and customer experience perspective).
“Given this, what are some of the questions that senior management should be asking of those responsible for delivering GDPR:
- Do you have a clear and documented understanding of the compliance gaps, with a plan to deliver these in day 2?
- Have the requirements implemented ahead of the compliance deadline been sufficiently tested with real world scenarios?
- Do you have a clear view of your responsibilities with regard to third party data processing (either where the organisation is a data processor or uses a third party which has access to or processes data on the firm’s behalf)?
- Have any customers asked to either see their data the organisation holds on them or have their data deleted? How did the organisation respond?
- How does the organisation plan to maintain GDPR compliance on an ongoing basis?
- Do you have a clear set of GDPR conformant procedures to follow in the event of a data breach?”
GD Financial Markets is working with clients to help them assess their conformance with GDPR and put in place appropriate processes and systems. If you would like to know more, contact firstname.lastname@example.org.
Contact the Author
I am a co-founder of GD Financial Markets LLP, and an experienced management consultant who specialises in delivery oversight and client relationship management. I ensure that our portfolio of client engagements are risk managed and delivered on-time and to budget. I have led numerous high-profile engagements for global investment banks and market utilities, with a focus on post-trade services, risk management, regulatory reform and managed services.