The GDPR in Perspective for Financial Services

The long-anticipated EU General Data Protection Regulation (GDPR) takes effect on May 25, 2018. It will directly affect businesses operating in Europe or those outside the Euro zone that serve its citizens. Organizations found to be non-compliant will be fined substantially. GDPR creates a compelling opportunity for financial services firms—but it requires firms to balance the way they manage risk and meet heightened customer demands to deliver products and services in an engaging way.

Why? GDPR will shift the strategic planning assumptions in many financial services organizations. Changing course will require a material investment of time, human capital, and financial resources, but as we’ve said before, it will also create opportunities to build trust with customers. For financial services, the regulation presents an opportunity to refocus compliance priorities, address data protection gaps, and align technology strategy to strengthen customer relationships and deliver on their evolving expectations.

To capture this opportunity, financial services firms should anchor their approach to GDPR implementation in three principles:

  1. Data minimization: Collect only necessary data through the right processes, and make sure it’s stored in the right place.
  2. Top-down sponsorship: The C-suite must make GDPR a priority for the organization, and be committed to an enterprise-wide cultural shift. Make sure you have the right communication to drive the employee behaviors, with visible leadership.
  3. Focus on 'customer privacy': GDPR involves an ongoing commitment to improve customer data management while building customer trust. As we’ve discussed previously, data privacy goes beyond GDPR regulation and can be a true strategic differentiator. And much of the “how” of complying with the regulation will be determined after it comes into effect in May – so be prepared to adjust.

In our work, we’ve observed a number of failure points in GDPR implementation:

  1. Data retention policies: Data is stored on multiple systems, employee laptops, and data stores. Knowing what to do with it is a challenge, e.g. sourcing new Suspicious Activity Reports (SARs) and the retention of data used to support previously submitted SARs. Lack of discipline around data lifecycle management means that organizations often hold onto data that adds little value, but lots of risk.
  2. Lack of business engagement: Legal, Risk, and Audit tend to lead the implementation of GDPR as a 'check the box' exercise, and other employees likely don’t understand how GDPR will impact them. Firms often fail to allocate budget to educate employees and, as a result, only a small group of 'data owners' understand the full impact of GDPR on the firm.
  3. Lack of clarity on data ownership: Data stewards do not always understand the specific data they own, or the responsibilities associated with ownership.

With insight into the GDPR, financial services can take a more focused approach to GDPR compliance:

  1. Revisit vendor management governance practices. U.S. financial services firms rely heavily on third-party vendors to conduct business. Ensuring data is handled in a GDPR-compliant manner cannot be outsourced. U.S. firms need to create new levels of visibility into how the vendors secure their customer data, and how they secure European vendor data. The first step is to work with procurement to reevaluate Master Service Agreements (MSAs) with a focus on data ownership and liability.
  2. Have a “break glass in case of emergency” plan. Some of the harshest GDPR penalties stem from a failure to report data breaches in a timely manner. U.S. financial services firms with multiple business units, each potentially maintaining separate customer data stores, will struggle to comply without a unified escalation process that can short-circuit the complex organizational structures of most financial services firms.
  3. Mind the user experience. GDPR will require disclosures and data masking that can negatively impact the customer experience. Creating a GDPR-compliant experience, e.g. EU website versus U.S. website, while maintaining design elements that promote user engagement may be challenging—but a necessity for firms competing on experience. Firms can integrate GDPR compliance into user experience planning to balance competing demands for privacy and ease of access to financial services. Organizations should consider the potential for GDPR-like regulations to expand to other countries that hit closer to home, such as Canada.
  4. Customer data…gone but not forgotten? U.S. financial services firms have a bad habit of keeping data long after a customer ends their relationship. Under GDPR, individuals can request that a firm “delete and forget” them. U.S. firms must be prepared to manage this request, especially when it comes to data used in targeted marketing or that which can be provided to third parties. Moreover, GDPR’s consumer rights obligations could create conflicts with other regulatory mandates to preserve information. Take, for example, FINRA’s new rule to protect seniors and vulnerable adults from financial exploitation. What governance processes might be needed to deal with these new policy inconsistencies?

Instilling data minimization processes with an eye towards customer privacy will build the right habits for GDPR success. With people at the heart of change, C-suite engagement and employee awareness create the right mindset for GDPR compliance. Management of vendors, risk, and data are make-or-break factors for successful compliance. However, there are also opportunities for financial services firms to be customer champions in building trust and meeting privacy expectations.