GDPR is the mother of all regulation for financial services

Borrowing the sentiment of Apple CEO Tim Cook, who earlier this month described Project Titan (Apple's Artificial Intelligence (AI) effort for autonomous vehicles) as the ‘mother of all AI projects’, the General Data Protection Regulation (GDPR) equally represents the mother of all regulation for Financial Services (FS). Yet all too often we see FS firms that have misunderstood both the concept and the detail of GDPR. Because of this, they have limited their view of the regulation to one that constrains, instead of one that presents opportunities.

With less than a year until GDPR comes into force, its impact on FS within the UK can be viewed as a microcosm of the wider state of the FS market: both the frequency and the scale of change are ever-increasing, and yet, according to the majority of senior change leaders, the industry and its incumbent firms are not ready.

Given that no tangible product is exchanged in the marketplace of FS, we can accept that FS is fundamentally about data transformation; data is the currency. Accepting this, there are five key challenges relating to the impact of GDPR on UK FS firms:

The scope of GDPR is too onerous for some FS organisations

The 11 Chapters containing the 99 Articles of GDPR bring about both enhanced and new requirements which, beyond being demanding and complex, are uninterpretable in certain places.

The enhanced consent requirements, due to their scope, will detrimentally interfere with sales. GDPR is not strictly a tick-box exercise; on the contrary, it is also an outcomes-based regulation, and this allows organisations to pragmatically ‘bake it’ into their operations. It offers a set of standardised requirements, so organisations can work towards the ‘tick-box’ sections whilst defining their positions on the slightly ‘grey’ areas. This will encourage organisations to incorporate data as a design principle for both their raison d’être and their future. Just as FinTechs and InsurTechs are less concerned with sales and more focused on engagement, this is an opportunity for FS to decouple sales as their primary reason for customer interactions.

Brexit is not a GDPR get out clause

Technically, Brexit will probably make any GDPR implementation redundant, as after meeting it (2018) firms will no longer be regulated against it post-Brexit (2019). This said, there should be no uncertainty that GDPR will be the leading regulation on data across the world and will be an absolute requirement if a firm chooses to target EU citizens as customers, regardless of where the firm is based.

As such, it will be the prominent standard of compliance. Therefore, GDPR should become the de facto UK standard irrespective of Brexit, and the Government’s position is clear: “We are implementing the GDPR in full…from a position of harmonisation rather than a position of differences.”

The cost of achieving compliance will be high

Costly programme teams are being initiated, which is consuming the budgets of other programmes, and GDPR could potentially kibosh existing tech investments such as Big Data. Additionally, investment in GDPR technical capabilities, from security to data portability, further complicates technology estates.

Organisations should form their teams primarily of internal resources who best understand operations, applications and the internal landscape, and thereafter supplement accordingly with external experts. With regard to tech investments, organisations should determine the underlying objectives for which they commissioned the new technologies, and view GDPR as aiding them to manage the key source of input and output of their technology estates: data.

The cost of maintaining GDPR compliance will be operationally high

GDPR will bring about additional, non-value-adding operational requirements and thus will increase the cost of doing business with no perceived benefits; for example, Data Subject Access Requests (DSARs) will put a drain on resources.

GDPR will redress the dynamic between Data Subjects (DS) and organisations, as trust is the prize on offer through transparency and accountability. Therefore, this presents the engagement opportunity to align existing operations to become more customer-centric, as well as to build new products and propositions that not only inherit such virtues but, in doing so, are operationally viable. So while the high costs are likely unavoidable, the benefits are there for the taking as well.

The penalties for non-compliance are severe

The penalties for breaches and non-compliance could easily put smaller firms out of business, as well as significantly impact larger organisations.

One of the most common misdirections with GDPR is that the focus has been on the severity of fines. This is flawed, in that suspension orders on organisations for large-scale breaches will impact them much more; for example, imagine the impact on cash flows for an insurer suspended from selling new business following a significant breach. This would be a much more tangible impact than any reputational damage in the short term.

Long term impact of GDPR

In summary, the true impact of GDPR will be unknown for some time after the implementation date. However, whilst most Data Subjects are unaware of GDPR, they are consciously aware of how they want to be treated, including how their data is treated. Therefore, just as the EU wants data protection to become a human right, the impact of GDPR should be an opportunity for organisations to better prepare for the data-centric world that we all live in and, more importantly, the data-centric world in which they wish to succeed.

By Sumit Sethi, Consultant at Altus Consulting
