GDPR: A key regulatory challenge for 2017
On 25 May 2018, the European Commission’s General Data Protection Regulation will come into force and standardise data protection regimes across the EU. Every bank operating within the Union (and indeed any business or organisation) must comply, or face significant fines. Failure to meet the standards will land organisations with a fine of either 20 million euros or 4% of their international turnover, whichever is higher. In other words, banks will be seeking to comply promptly… but what does that actually involve?
Before we dig into that question, we have to address the elephant in the room: Brexit. Brexit will not get UK firms off the hook; GDPR means GDPR. This is partially because the UK will still be in the EU at the point when businesses must be compliant, but also because we will continue to have regulatory parity with the EU for the foreseeable future. The Information Commissioner has also made it clear that the ICO and the government believe the new regime to be good for the UK’s expanding ‘digital economy.’
The key driving force behind the new GDPR is that the existing framework was conceived well before the emergence and rapid evolution of digital and internet services that capture, store and share huge volumes of personal data. The EU’s fundamental stance is that everyone has a right to the protection of their data and that, to guarantee this right, individuals must have greater control over how their data is used. So the new regulation is formed around three core concepts: consent, control and transparency. The key features of the changes are as follows:
- Customers must give explicit consent for their data to be used and have it clearly explained to them how it will be used.
- Companies must make it clear what customers can do should they feel that their data is being used differently from how it was explained to them.
- Customers will have a right to be forgotten and all data will be wiped after a set period of time.
- Should a cyberattack or other data breach occur, firms will have 72 hours to contact all the individuals affected, as well as the national data protection organisation.
Obviously, these changes have massive consequences for how banks organise their back office systems and database management, but at Mapa our core focus is on what GDPR means for customer-facing services. The key changes we expect to see will be in how data capture and use are explained to customers, how consent is acquired, and then how customers can manage and potentially retract that consent. Remember that every bank will also need to get consent from their existing customers before the end of May 2018; this is not just about new customers.
We expect, therefore, to see changes to some key customer journeys over the next year, the most significant being around new-to-brand onboarding journeys. Will firms make customers read more about data use? Will they use other forms of media? Will customers be able to personalise their preferences? These things are yet to be determined, but we expect that changes will start being made soon. The other journeys that will be affected include setting up internet and mobile banking, and application journeys for existing customers.
The other area where we expect to see changes in digital platforms is where customers can control and change their preferences. The question is, how granular will this control be? Will customers be able to create highly personalised permission profiles, or will it remain relatively high level? This is a particularly critical question when it comes to permissions around data sharing because of the other major EU-led regulatory change affecting the sector, PSDII. Indeed, the intersection of PSDII and GDPR will be very interesting.
GDPR may be a headache for payment service providers (PSPs) and account information services (AISs) that are hoping to take advantage of the opportunities PSDII presents. All of these opportunities are based around the aggregation of information, which in turn necessitates data sharing between platforms. Linking bank accounts to these platforms remains a key sticking point and, even once PSDII is in place, cumbersome data permission management processes might hinder some platforms from really taking off.
However, it will all be up to the individual user and, as ever, different customers are going to behave in different ways, reflecting varying degrees of tolerance to data sharing. Ultimately, GDPR is about putting the individual in control. Banks are going to have to ensure that they can offer the correct level of control and clarity around how data is used. On top of this they will also need to be able to articulate how data sharing can truly benefit customers, as well as the bank.