GDPR: On your marks
This May, the European Union’s General Data Protection Regulation (GDPR) finally comes into force, profoundly changing the continent’s business and consumer landscape in ways that will impact the payments and finance industry. The new rules are designed to counter a panoply of problems including identity theft, cyber-attacks, hacking, unethical data usage, and growing consumer concerns about data privacy. But it poses a big challenge for businesses large and small, with research last year suggesting that many firms were not on track to be compliant, risking heavy fines. The finance and payments sector is among those most exposed to the changes.
Consumer empowerment is the thrust of GDPR. European citizens will now have far greater control over the collection, usage and processing of their data. Indeed, the very definition of what constitutes ‘personal data’ is now more demanding, covering not just personal information but other identifiable data, such as IP addresses. More important is what consumers can do to assert their data rights. They can request access to data held about them, and invoke their ‘right to be forgotten’, provided that does not fall foul of regulatory requirements. Their consent must be explicitly obtained at every step, with firms obliged to explain the purpose of all data collection and eliminate all ‘pre-checked’ options. Companies need a high level of readiness to comply with all the new terms. For instance, they must be able to provide customer data in a structured and machine-readable format on request, no small feat for those whose customer base could reach into the tens of millions.
The finance and payments industry is heavily affected. These companies collect, or are privy to, a great deal of sensitive personal information, whether it be the names and account information of payment participants, invoices, or remittance flow data. They also gather considerable information during customer onboarding and transaction accounting, much of which is required by other regulations. Given the sensitivity of finance and payments data, they must be ready to identify and respond to breaches fast, reporting them within 72 hours, which is not long given the resources required to identify incidents, conduct forensic analysis and stem further breaches.
To be ready, finance companies cannot merely put their ‘data house’ in order. They need to fundamentally re-organise their systems to ensure GDPR-compliant data protection by design and, to respond fast enough to breaches, they must conduct pre-emptive planning and risk assessment. They also need to look closely at their vendor partners. GDPR requires end-to-end data accountability, meaning data passed to third parties must be handled compliantly. Companies are accountable for breaches even when they occur at third-party firms, such as a partner that aggregates and sells customer data, or one whose weaknesses enable hackers to attack a bank, and even if those firms are outside the EU. Companies also need to figure out how to square GDPR with other regulatory trends, such as the pressure to increase data-sharing to fight financial crime, and to navigate uncertainty around how the regulation should be implemented in the UK, a huge financial centre poised to leave the EU but which is nonetheless implementing GDPR.
The consequences for falling short of GDPR are significant. For major failures, companies can be fined up to €20m or 4% of global turnover, whichever is higher, while more minor failures, such as disorganised data protocols leading to delays or failures in reporting breaches, can prompt fines of up to 2%.
However, while GDPR represents a sizeable cost and headache for businesses, the benefits of a harmonised system are significant. Consumers’ increased trust in data privacy could lead them to conduct more of their activities online, for instance, and GDPR provides the necessary stimulus for financial services firms to put together a whole-of-business data governance architecture, making them more resilient to cybercrime and data breakdowns, and better protectors of their customers.