The EU’s General Data Protection Regulation (GDPR) comes into force on May 28, 2018. Any organization whose customers include EU citizens will be affected. GDPR is the most far-reaching data protection legislation created so far and is set to impose new levels of rigor in business process and data management capabilities within Financial Services firms.
PWC recently described the approach of many firms to data transfers as a ‘gentleman’s club’ of informal agreements. This is only one area of Financial Services where GDPR will dramatically change business operations.
GDPR gives EU residents unprecedented control over their personal data – and personal data is defined so widely that it includes web behaviors and cookies – and anyone can request this information from any organization with which they interact.
A quick look at the insurance industry, with its historic under-investment in systems, highlights the challenge: firms don’t really know what data they hold, where it resides and how they are currently using it. I don’t want to go into the details of the GDPR legislation – you can access some great resources here – but I will take a brief look at some important implications for Financial Services.
Consent and transparency
The issue of customer consent is perhaps the hottest GDPR topic for Financial Services. Consent, as defined by GDPR, must be ‘freely given, specific, informed and unambiguous’ (GDPR para 32) and often ‘explicit’. Your customer must know why they are giving consent, what they are consenting to and that they have given consent.
You can no longer gain consent for one thing and then use the data for a range of other applications. Each data use will need an individual consent. There is still some discussion about whether ‘implied consent’ or ‘legitimate interest’ can still be used to defend the use of personal data. It is safer to use the GDPR approach to ensure that you are compliant and not caught up in constant litigation over the details.
Transparency becomes key when dealing with customers, to ensure that you can defend consent as ‘informed and unambiguous’. Financial Services firms will need to re-visit their customer-facing contracts. Your contract terms must be plain and understandable. If a regulator can suggest that the contract demands too high a degree of technical knowledge, it is unlikely that they will agree consent was given under GDPR.
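The point that each data use needs its own consent, and that you must be able to show what the customer agreed to, is easier to see in code. The following is an added example, not code from the original article or from any firm it mentions: a purpose-bound consent register in Python. The subject IDs, purposes, wording and dates are constructed for the walkthrough. A grant for "policy_administration" never authorises "marketing_profiling", a withdrawal closes the window for that one purpose only, and the register keeps the exact wording shown so it can be produced if consent is ever challenged.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def at(iso_date):
    """Parse a constructed ISO date (e.g. "2018-02-01") into an aware UTC timestamp."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                     # one specific processing purpose, nothing broader
    wording_shown: str               # the plain-language text the customer actually agreed to
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    """Purpose-bound consent: a grant for one purpose never covers another."""

    def __init__(self):
        self._records = []

    def grant(self, subject_id, purpose, wording_shown, when):
        self._records.append(ConsentRecord(subject_id, purpose, wording_shown, when))

    def withdraw(self, subject_id, purpose, when):
        # Closes every open grant for exactly this subject and purpose.
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = when

    def is_permitted(self, subject_id, purpose, when):
        """True only if an unwithdrawn grant for this exact purpose was active at `when`."""
        for rec in self._records:
            if rec.subject_id != subject_id or rec.purpose != purpose:
                continue
            if rec.granted_at <= when and (rec.withdrawn_at is None or when < rec.withdrawn_at):
                return True
        return False

    def evidence(self, subject_id, purpose):
        """What was agreed and when: the record to produce if the consent is questioned."""
        return [
            (rec.wording_shown,
             rec.granted_at.date().isoformat(),
             rec.withdrawn_at.date().isoformat() if rec.withdrawn_at else None)
            for rec in self._records
            if rec.subject_id == subject_id and rec.purpose == purpose
        ]


def build_sample_register():
    """Constructed walkthrough (hypothetical customer cust-0001): consent to policy
    administration does not extend to marketing profiling; the later marketing
    consent is withdrawn a month after it was given."""
    reg = ConsentRegister()
    reg.grant("cust-0001", "policy_administration",
              "We will use your details to administer your policy and handle claims.",
              at("2018-01-10"))
    reg.grant("cust-0001", "marketing_profiling",
              "We may analyse your transactions to recommend other products to you.",
              at("2018-02-01"))
    reg.withdraw("cust-0001", "marketing_profiling", at("2018-03-01"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("profiling on 15 Jan:", reg.is_permitted("cust-0001", "marketing_profiling", at("2018-01-15")))
    print("profiling on 15 Feb:", reg.is_permitted("cust-0001", "marketing_profiling", at("2018-02-15")))
    print("profiling on 15 Mar:", reg.is_permitted("cust-0001", "marketing_profiling", at("2018-03-15")))
    print("evidence:", reg.evidence("cust-0001", "marketing_profiling"))
```

The design choice worth noting is that `is_permitted` is keyed on the purpose string, so any code path that wants to reuse data for a new purpose has to ask for, and fail without, a separate grant; there is no "general consent" record that could be stretched to cover it.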
Data Transfers and data supply chain
Although consent is getting most of the attention, data transfers must be an area of major concern for Financial Services. Modern organizations have established what can be described as a data supply chain, and you will now need visibility and control of how third parties – clients, suppliers, brokers and partners – use your customers’ personal data.
Where data transfers are necessary, you must manage the risks inherent in these transfers and ensure that your customers’ details are properly protected by these third parties because, in many cases, you will be more responsible for their breaches than they are. New contract terms will need to be created to manage third-party relationships and mitigate this risk.
If we accept PWC’s description of data transfers as a ‘gentleman’s club’ then GDPR represents a good opportunity to reassess your Information Governance structures. The ability to control the acquisition, management, retention and disposal of all information – both structured and unstructured – across your business operations helps reduce risk. Sound information governance can facilitate compliance with GDPR and your other regulatory requirements.
Data portability and the right to be forgotten
EU residents will now have the right to receive all the personal data they have previously provided in a commonly used and machine-readable format. The key idea is to be able to switch service providers with ease. Even though Financial Services firms in many EU countries are already used to porting data between suppliers, the breadth of information – beyond demographic and account information – means that all organizations will need to ensure they can bring all customer information together.
The real reach of this approach comes under the right to data portability – an individual has the right to demand that every instance of information on them, held on every business application, portable device and communications system, back-up server and Cloud service that your company uses, be transmitted to another data processor “without hindrance”.
The ‘Right to be Forgotten’ means that the data subject can also ask for you to remove all the personal data that you hold on them. If you cannot justify holding the data then it has to be deleted. This is likely to impose a new normal. The current approach for most Financial Services firms is to hoard data to exploit its value across customer experience and business operations. Now firms will have to hold as little information as possible, for as short a period as possible and delete the information as soon as possible.
Big data and ‘profiling’
This raises the question of whether GDPR signals the end of Big Data. There is little doubt GDPR imposes specific constraints on ‘profiling’, which it defines in GDPR Article 4(4) as ‘any form of automated processing of personal data … to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements’. Leaving aside the growing use of predictive analytics to drive personalized customer services, many established business processes, such as the insurance industry’s use of telematics in the underwriting process, are potentially under threat.
As customers continually show a demand for personalized service, Financial Services firms need to find a way to continue Big Data activities in a way that is GDPR compliant. The first approach will be around ‘explicit consent’, so that you have the right to use data for the specific purpose. However, another area to examine is the use of ‘anonymization’ and ‘pseudonymization’ of data as a means to retain personal data beyond its primary use for deployment in trending and locational analysis.
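To make the pseudonymization option concrete, here is an added example in Python; it is not code from the original article or from any firm it mentions. The policy records, names and postcodes are constructed sample data, and `pseudonym`, `pseudonymize`, `reidentify` and `recover_from_unkeyed_hash` are names chosen for this illustration. It replaces the direct identifiers with a keyed HMAC-SHA256 token, coarsens the quasi-identifiers (postcode to area, age to a ten-year band) and keeps the analytic fields, so the same customer still links across rows for trend analysis. It also shows the two caveats a practitioner needs: the key holder can still link tokens back to policy numbers, so the output is pseudonymous personal data rather than anonymous data and stays in scope of GDPR, and an unkeyed hash of a short policy number is not a pseudonym at all, because every possible policy number can simply be hashed and compared.

```python
import hashlib
import hmac
import secrets

# Constructed sample policy records (not real customers). "policy_no" and "name"
# are direct identifiers; "postcode" and "age" are quasi-identifiers that get
# coarsened; "claims" is the analytic value we want to keep for trending.
SAMPLE_RECORDS = [
    {"policy_no": "POL-000123", "name": "A. Example", "postcode": "EC1A 1BB", "age": 34, "claims": 2},
    {"policy_no": "POL-004711", "name": "B. Sample",  "postcode": "EC1A 4JQ", "age": 61, "claims": 0},
    {"policy_no": "POL-000123", "name": "A. Example", "postcode": "EC1A 1BB", "age": 34, "claims": 3},
]


def new_pseudonym_key():
    # The key is what makes the tokens reversible only by its holder. Keep it out of
    # the analytics environment (a key store or HSM under the data controller's control).
    return secrets.token_bytes(32)


def pseudonym(policy_no, key):
    """Keyed token for one identifier: stable for the same key, unlinkable without it."""
    return hmac.new(key, policy_no.encode(), hashlib.sha256).hexdigest()


def age_band(age):
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def pseudonymize(record, key):
    """Analytics row: token instead of identifiers, coarsened quasi-identifiers."""
    return {
        "token": pseudonym(record["policy_no"], key),
        "postcode_area": record["postcode"].split()[0],   # outward code only
        "age_band": age_band(record["age"]),
        "claims": record["claims"],
    }


def reidentify(token, key, known_policy_numbers):
    """The key holder can link a token back to a policy number, which is why the
    output is pseudonymous (still personal data under GDPR), not anonymous."""
    for policy_no in known_policy_numbers:
        if hmac.compare_digest(pseudonym(policy_no, key), token):
            return policy_no
    return None


def unkeyed_hash(policy_no):
    # The weak setting: a plain hash with no secret.
    return hashlib.sha256(policy_no.encode()).hexdigest()


def recover_from_unkeyed_hash(digest, max_n=10**6):
    """Why a plain hash is not a pseudonym: the policy-number space is tiny, so every
    candidate can be hashed and compared. Against a keyed token this returns None."""
    for n in range(max_n):
        candidate = f"POL-{n:06d}"
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonym_key()
    rows = [pseudonymize(r, key) for r in SAMPLE_RECORDS]
    for row in rows:
        print(row)
    print("linked back by key holder:",
          reidentify(rows[0]["token"], key, ["POL-004711", "POL-000123"]))
    print("plain hash recovered:",
          recover_from_unkeyed_hash(unkeyed_hash("POL-000123")))
    print("keyed token recovered:",
          recover_from_unkeyed_hash(rows[0]["token"], max_n=10_000))
```

Two consequences follow for the retention argument in the paragraph above: the key must be retired, not just the raw records deleted, if the data set is ever to be treated as anonymized, and the coarsening step matters as much as the token, since a rare postcode and exact age can single out a person even when the policy number is gone.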
If you haven’t started to properly prepare for GDPR then you may already be behind and opening yourself up to the danger of major fines. You’ll need to appoint a Data Protection Officer, establish a cross-functional team to assess the full impact of GDPR across your organization and provide a comprehensive and honest audit of where you are today. You’ll also need to consider exactly how you are managing the data and content within your organization.
The days of multiple instances and duplications of unmanaged customer information in various applications and databases are over. A centralized strategy for the management of enterprise information – underpinned by a flexible and scalable Enterprise Information Management (EIM) platform – is needed to ensure GDPR compliance for large, global Financial Services organizations.