In March 2018 news outlets reported that an academic had harvested data on millions of Facebook users before passing it to Cambridge Analytica, a political consultancy contracted by representatives during the 2016 US Presidential election. As the European Union prepares to bring its General Data Protection Regulation (GDPR) into force, such a massive unauthorized transfer of user data has not only focused the attention of firms preparing to comply with the new legislation, it has also highlighted changing attitudes to data and the way it is used.
GDPR is more than a regulatory requirement: it is both a starting gun for a new wave of data protection and a bell sounding closing time on an era of unfettered data sharing. Because it targets every institution that processes Europeans’ data, it represents one of the most wide-ranging and powerful articles of data legislation ever published, with profound implications for many different companies in sectors beyond finance.
While federal and state-specific data privacy laws[1] are established in the US, and various laws have been drafted in Europe, GDPR is one of the first pieces of legislation that makes processing data a potentially risky act for businesses. As an era of ‘frictionless’ data draws to a close, this report examines several key trends and considerations for risk managers in the finance sector:
- Implementation is just around the corner. GDPR comes into force in May 2018, and covers data privacy, data breaches, the right to be forgotten, and the right to demand the suspension of data processing. It will require firms to know precisely where their customers’ data is at all times, and mandates hefty fines (up to 4% of annual revenue) for breaches.
- Financial Institutions (FIs) should be moving into the final mile of compliance. Those still struggling may be able to repurpose their pre-existing risk frameworks to comply. It’s possible they may even be shielded to some extent by the comparative vulnerability of corporate firms, which tend to have weaker data management and reporting infrastructures. However, any reprieves will be temporary.
- The impact will differ across the financial services sector, hitting retail banks hardest. Financial services is a diverse ecosystem, and institutions managing large amounts of consumer data are highly exposed. They rely on a wide variety of customer information moving across different outsourcing or supply chain networks.
- GDPR throws light on previously unexplored relationships, such as those between retail banks and credit card outsourcing companies. The new regulation will compel firms to examine these dynamics from both a technical and a legal standpoint to assess how much risk is associated with them.
- GDPR overlaps with existing threats and compliance requirements. Firms should consider how regulations such as BCBS 239 and MiFID II[2] interact and overlap with the requirements of GDPR, and how the regulation will affect pre-existing threats such as cyber security.
- FIs will have compliance obligations in many areas, so should focus on those areas where they are weakest. They should already be incorporating GDPR obligations into control processes such as Governance, Risk and Compliance (GRC) frameworks, mapping out their data, and establishing location controls and privacy requirements.
- GDPR involves several challenging governance requirements – most significantly, the potential ‘repapering’ of contracts with third parties (to ensure they are complying too) and the employment of a Data Protection Officer (DPO). How FIs address these will depend on the complexity and size of their organizations, and the responsibilities and workload of their existing compliance teams.
- Consumer data is no longer ‘risk-free’. FIs have been injecting customer data into their processes for years to try to enhance their margins (often not by much) in areas such as consumer credit scoring. GDPR may compel them to re-examine the risks and rewards of using customer data, which FIs may stop using altogether in some cases.
Ultimately, although complying with GDPR requirements is likely to be fraught with cost and complexity, it represents a ‘new normal’. For FIs, GDPR compliance – while onerous – can prove valuable, helping them prepare for other data legislation that will inevitably follow.
[1] Such as the California Electronic Communications Privacy Act (CalECPA).
[2] Basel Committee on Banking Supervision Principles 239: Principles for Effective Risk Data Aggregation and Risk Reporting, and the Markets in Financial Instruments Directive II.