24
THE ROUTE TO COMPLIANCE
Save the data – GDPR deadline looms for unprepared banks
As if trying to deal with Brexit and PSD2 wasn’t enough, another piece of legislation is headed full-speed towards the banks. But are they prepared for the 2018 deadline? Alex Hamilton investigates
Senior Reporter Alex Hamilton
I
t’s less than 10 months away, yet for some companies the General Data Protection Regulation (GDPR) is still an afterthought. The latest European Union-based legislation is set to change the world of financial data, however. Compliance with GDPR is no laughing matter: fines of up to €20 million, or 4% of a company’s annual turnover, can be dished out to legislation laggards.
For years, banks have sat on reams of customer data. Now, with the industry finally waking up to the idea that data is worth its (virtual) weight in gold, the rug could be about to be pulled out from under them. A YouGov survey earlier this year revealed how unprepared the sector might be. Just 47% of UK financial services firms reported that they had started preparation for GDPR, despite 12% admitting the maximum fine for non-compliance would force them out of business.
The big surprise for many firms will be that GDPR applies to them, says Nitin Aggarwal, vice president for data analytics at research firm The Smart Cube. Data management is typically not top of the agenda for smaller companies, and they tend not to have in-house skills and resources to address new requirements. “After the go-live date, the government will have to demonstrate it is serious about enforcement. We are likely to see cases against companies of all sizes, showing the impact of non-compliance.”
Nitin Aggarwal: Government must enforce regulations
Adam Nash, EMEA manager at US- based security firm Webroot, adds: “The complex regulations introduce a level of scrutiny around data management many firms are unlikely to have experienced.” Webroot research, he says, indicated that a quarter of SMEs thought GDPR was only an advisory measure rather than a compulsory law. 10% believed the
regulation was only applicable to very large or multinational companies.
Brexit has thrown a spanner into the works for UK firms. Almost half of those asked by Webroot were uncertain if they would have to remain compliant after the Brexit negotiations finish. “There remains a lot of confusion and businesses are running short on time to iron this out,” says Nash. “One-fifth of UK firms subject to GDPR still haven’t started the compliance process. And 71% of them haven’t budgeted for the extra resources required.”
Adam Nash: A quarter of SMEs thought GDPR was advisory
In the financial services industry, most organisations “have a head start”, according to Darren Anstee, CTO at Arbor Networks. FIs are used to working within an environment that “regulates both access to, communications around, and storage of data.” Banks are “more ready than most”, he states. They’re used to operating in a tight regulatory environment and investing in the right solutions and processes.
Legitimate interest
With greater control over data comes greater responsibility for consumers, and an ability to hold their data collectors to ransom. The law of legitimate interest in GDPR allows for the erasure of data held by a bank or FI if it holds no importance to its relationship with the customer. Banks, the largest holders of data in the world, have a right to be nervous, don’t they?
“Disclosure and transparency are the key words here,” says Aggarwal. Banks will not only have to be transparent with
www.ibsintelligence.com | © IBS Intelligence 2017
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48
