Jamie Crawley investigates the effect that GDPR has had on financial services, and what impact can be expected in private banking in the years ahead.

May 25th will mark the one-year anniversary of GDPR becoming applicable across the European Union. This landmark piece of legislation, affecting the personal data of all individuals in the EU, promised to completely transform privacy law and data protection requirements.

As the deadline approached, panic inevitably seeped through all industries, fuelling an industry of experts offering their advice and services.

Added to this, banks have been preoccupied with making themselves PSD2-ready. According to Swedish open banking platform Tink, 41% of banks missed the 14th March "sandbox" deadline. Some might say it does not help that the two regulations seem completely at odds with one another.

“GDPR creates additional challenges for financial services providers who are also required to address the requirements of PSD2,” says Heidi Bleau of RSA Fraud & Risk Intelligence Solutions.

“There is a direct conflict – in one sense, they are being forced to open their doors to allow the seamless sharing of data while at the same time having to regulate such sharing.”


So, in a hectic period of compliance for financial services, what has been the impact of GDPR on the industry and what can financial firms expect from it in the future?

The Opt Outers

One of the cornerstones of GDPR is the set of rights it gives individuals over their data, loosely described as "opting out": individuals can request to see what personal data companies hold on them (a subject access request under Article 15) and ask them to delete it if need be (the right to erasure under Article 17).

However, fears that companies would be met with requests by the truckload from customers wishing to access their data or have it deleted proved unfounded. Beverley Aspeling, Credit Suisse’s group data protection officer, reports that the number of these rapidly tailed off to single-figure monthly returns. She describes this as “a pleasant surprise”.

Compared to other industries, financial services may well not have felt GDPR as the short, sharp shock it threatened to be, because banks were already used to diligent data management.

“Companies in the financial sector are already used to complying with an array of disclosure and auditing requirements,” says Matt Lock, director of sales engineers at data security company, Varonis.

“GDPR adds another wrinkle to a company’s to-do list, but the companies that have fine-tuned their reporting requirements down to a science and decided to tackle it head-on are typically in the best shape.”

This is echoed by Beverley Aspeling, who feels this new wrinkle was enthusiastically ironed out at Credit Suisse.

“For us, a lot of GDPR was not new. Things like data access requests, we were already doing that in a number of our jurisdictions; for data breaches, we were already required to notify regulators in certain instances.

“So it wasn’t a case of, ‘Oh, my goodness, this is all brand new!’ It was much more how we build on the pieces that maybe we weren’t doing quite as formally as GDPR requires.”

GDPR Article 33

An area where GDPR's impact has certainly been felt is the obligation, under Article 33, to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The sheer volume of breaches reported under this obligation has helped confirm the old adage that "it's not if, it's when."

“What I’ve always thought the most important factor of GDPR is it’s going to create a de facto benchmark that is going to decide what’s good in terms of privacy management and what’s bad,” says Ryan Dodd, founder of cyber-risk company, Cyberhedge.


“I think that as GDPR lives on, it’s going to create the situation where companies are going to have to start to report that they have a GDPR breach. That creates this line between what’s good management of data, cyber and privacy protection, and what’s bad. That’s what I think will be the legacy.”

Tim Hickman, partner at global law firm White & Case, points out that Article 33 has, if anything, counted against GDPR’s impact and credibility.

“Every data breach test has to be reported. There is a very small get-out [clause] if you’ve worked out within the first 72 hours that there’s no risk of harm to the affected individuals, but the reality is that nobody is very likely to be able to do that within 72 hours. So every breach is getting reported by many large companies, which has resulted in the regulators being totally snowed under.

“In addition, the regulators are struggling to keep hold of their people, as they’re getting offered much higher salaries in private practice. This is still a hot topic and companies are still hiring in the space, and an underfunded regulator is struggling to keep up with the salaries elsewhere.”

Hickman also sees blind spots in GDPR's drafting, which will lead to litigation. The size of the potential fines means that it is in companies' interests to go to court when such penalties are levied. This is where GDPR will be more severely tested, as the gaps in the legislation are challenged.

In time, though, it seems likely that a framework for a successful claim in court will be established, and GDPR’s impact will accelerate.

“Currently, there are a number of claims working their way through the courts,” Hickman continues. “A lot of them are getting defeated on technical grounds – poor understanding of process or the law and so on – but it’s not going to take very many individual claimants to win big against companies for there to spring up a cottage industry, much as we’ve seen with PPI.

“Once a template is in place where someone has won against a deep-pocketed defendant, it will set a mechanism by which a lot of claimant law firms will look at this, and say, ‘Hey, there’s a business model here.’”


The next GDPR culprits

GDPR has also brought about a great deal more awareness and concern for the ownership and the use of data by large companies, as Ryan Dodd explains.

“You look at how Facebook and Google have been exposed, in terms of how they manage the privacy of their customers. It’s hard to imagine that happening if GDPR had not been created.”

While GDPR's purpose might not appear to be naming and shaming companies, regulators must be aware, as they encounter the obstacles above, of the need to demonstrate that their bite is as good as their bark.

Since GDPR’s introduction, the technology industry has borne the brunt of regulators’ wrath. Some of the technology giants have been notoriously laissez-faire with their data management, and have been largely responsible for bringing the matter to the public’s attention.

“I suspect the regulators’ credibility will evaporate if they don’t start issuing more fines in the multi-millions, and also issuing them outside of the tech space,” Hickman says. “Then, if you look at who they are most likely to go after once they’ve dealt with the tech industry, it seems most likely that it will be financial services.

“They have deep pockets and are very popular targets, even if it’s only for political as opposed to legal reasons.

“So I suspect that in the immediate medium term, we’re going to see someone successfully sue a bank.

“Banks have a lot of data, and it’s essentially impossible to be 100% compliant in legislation. So there is definitely fault there, and the only question is who can attach a monetary value to it successfully in court?”