GDPR – 3 Months Down, 21 to Go

Three months have passed since the General Data Privacy Regulation (GDPR) was formally confirmed as a regulation applying from 25th May 2018 onwards. So what has happened in that time?

Differing responses to GDPR

Depending on which part of the business you are in, the initial response seems to have fallen somewhere between panic and apathy.

People in privacy, risk, legal and compliance now know for certain that they don’t have long to ensure their organisations have a plan and roadmap for compliance. Okay, nobody panicked, but given the size of the maximum fines for non-compliance (€20m or 4% of annual worldwide turnover) there is a great deal at stake from a financial viewpoint, let alone from a reputational viewpoint. And imagine how investors would react to a reduction in market value, or in profit and dividend payments, on the scale of the maximum possible fine for GDPR non-compliance.

For many in the traditional data community, the response has been much more muted. Apathy is too strong a word, but you’ll hopefully get the sense that many in the data space didn’t regard GDPR as a big deal. Many saw it as just another regulatory compliance requirement to add to their ever-growing list. Most IT/data departments in Financial Services institutions have clear methods, ideas and plans for managing data, so GDPR would just be another use case for these.

From the conversations I was having, I think it’s fair to say many in Financial Services needed awareness and education about GDPR, its requirements and its implications. The diagram below shows how we saw the breakdown of organisations and their status of activity regarding GDPR.

(Figure: GDPR status pyramid)

In reality, even among those that had been following the development of GDPR, very few were at the action stage. This is due to the sometimes subtle, but significant, changes in regulatory wording and their implications. The difference between ‘may’ and ‘will’ can be a very significant one. I think institutions were waiting to see the final wording to know exactly what they’d need to be compliant with.

3 months on

Firstly, I’ve spoken to more senior Executives with the word ‘Privacy’ in their job title than I have in the entirety of my 30-year IT career. I’ve also spoken to more senior Executives from the Legal departments in Financial Services institutions than I can remember.

The main reason for this seems to be that these communities are the ones who have picked up and looked at GDPR in detail and realised the scale of the challenge in front of them. The wording of the regulation’s requirements seems innocuous in places, but implementing those requirements can be a very significant undertaking.

Some of the more common issues that get raised by these communities include:

  • This is now a regulation, so everybody concerned has to adhere to it. There is nothing optional about it. How do we get our organisation to understand this?
  • Existing business processes rarely (if ever) have privacy requirements built into them, so how does an organisation retrofit this?
  • Financial Services institutions collect lots of data, to improve customer service for example, and now explicit consent will be needed to do this; so how is data going to be managed in the future?
  • The obligations on controllers and processors of data mean that wherever an institution sits within an information supply chain, it is now likely to have much more privacy responsibility plus the associated burdens; so how does an institution work all this out?
  • Many existing contracts contain blanket data-use statements that will no longer be acceptable under GDPR, so how many need rewording and renegotiating?
  • Customers will now have enhanced rights around understanding what data an institution holds on them, so what happens if lots of customers all want to issue a Subject Access Request? Does the institution have the resources to respond to this within the timeframes allowed?
  • Does the institution even know where all the GDPR relevant data is within their information supply chains?

I could go on. As you can see, these issues raise a great many data-related challenges. One hurdle is that these aren’t the usual data requirements; rather, they are business issues that require the right people, processes, technology and data to address them.

Nothing new there then? Well, the scope of data entities in question now includes this non-exhaustive list:

  • Customers
  • Clients
  • Contacts
  • Employees
  • Prospects
  • Contractors
  • Third-party service providers

And this is where the data community enters the story. Many regulations in Financial Services relate to Finance or Risk data, although some requirements, such as KYC, are different. The data community has realised that there is a huge amount of data in scope for GDPR, and this is probably the first time anything has come along on this scale.

So what we’ve seen recently is the data community rapidly getting educated on the requirements for GDPR and beginning to put early plans in place. Chief Data Officer roles, or equivalent, have been driving this initiative and the reasons for this are quite profound.

Many CDOs, or equivalent, have been struggling to get senior stakeholders and the rest of their organisation thinking about better data management, both holistically and across the organisation. Suddenly, GDPR comes along and provides a major business driver for exactly that. Chief Data Officers now have a reason why their institution needs to holistically improve its data management practices. This is a major opportunity for organisational change and has many associated benefits.

So what’s happening now?

The whole idea that GDPR is an opportunity is rapidly taking off. Stakeholders from many different parts of Financial Services institutions recognise this as a potential ‘once-in-a-generation’ chance to transform their data management practices. After many years of trying to get their institutions to recognise the true value of data and the benefits of good data management practices, GDPR comes along and provides the best business driver a CDO could wish for.

The size of the possible fines has really got the attention of senior Executives. The realisation that this is an enterprise-wide issue touching so many business processes means these Executives are now looking at institution-wide changes to data management to support GDPR compliance.

This means there are exciting and challenging times ahead in the Financial Services world.

What next?

I’ve written previous blogs on GDPR in Financial Services on my blog page – click here to find more of these resources.

To help organisations get a better understanding of the opportunity around GDPR and how it provides a common link between compliance and other aspects, such as Customer Centricity, we co-sponsored (with Cognizant) an IDC Executive Brief called ‘Data Governance, Customer-Centricity, and the GDPR’ on the subject. Click here to access this Executive Brief.

In support of this, we’re also organising a ‘GDPR in Financial Services Round Table’ event in London on Thursday 29th September. We’ll be having the Executive Brief author come along to provide us more insight into IDC’s view of GDPR and how it supports many of the existing business drivers in Financial Services. Click here to send an email about this event.
