Since the EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018, financial services firms have been waiting to see how seriously the EU would enforce penalties on organisations found to be non-compliant.
For the first few months, the EU appeared to be taking a decidedly conciliatory approach. For the most part, national data protection authorities leaned towards leniency: if an organisation at least had a credible plan for compliance, it was given time to execute that plan and move towards full GDPR compliance.
This was borne out by research conducted by AIIM and Nuxeo just after the May 25, 2018 deadline. While just 30 percent of organisations said they were fully ready, a further 50 percent said they were 75 percent of the way towards achieving compliance. But as we approach one year since GDPR came into effect, and with signs that regulators are getting much tougher with penalties, it is time for financial firms to accelerate their GDPR compliance initiatives or risk facing substantial fines.
The consequences of GDPR non-compliance
Since the start of 2019, enforcement of GDPR has stepped up. In January 2019 the French data protection regulator CNIL announced a fine of 50 million euros against Google for breaches of the EU's data protection rules, and a number of smaller penalties have been announced too.
Google is still considering its options, but this is clearly a landmark case. Targeting an internet giant, one of the biggest companies in the world and one whose very business model is built on the use of consumer data, sends the message that no organisation can feel truly safe.
But there are other consequences of non-compliance that can be just as damaging. Respondents in the AIIM / Nuxeo research said their organisation's investment in GDPR compliance was motivated first by the legal obligation, second by the risk of reputational damage, and only third by the prospect of a fine. The damage to reputation is especially pertinent in financial services, where consumer data is an increasingly prized asset. Any bank or other financial services firm found to be in breach of GDPR (i.e. not protecting its customers' data effectively) could find the long-term brand impact more of a problem than any fine.
Another point to consider is that GDPR is not a regulation with a fixed end point. Firms not only had to bring all existing data into line with GDPR; they must also do so for every new item of data entering the organisation. In an era that generates more data and content than at any time in history, that is no small undertaking, and it further increases the pressure on financial services firms to implement solutions that manage compliance on an ongoing basis.
Increased volume of SARs
A perhaps slightly overlooked aspect of GDPR is the Subject Access Request (SAR), by which a data subject asks to see the personal data an organisation holds about them. Organisations cannot normally charge a fee for this, and they must respond without undue delay and in any event within one month of receiving the request (extendable by a further two months where requests are complex or numerous, provided the data subject is told of the extension within the first month).
As expected, the enactment of GDPR has led to an increase in the volume of SARs over the past 12 months. Furthermore, research by cloud and data firm Talend found that only 50% of financial services firms fulfil SARs within the legal timeframe, so there is a clear issue to address.
Part of the reason some financial services firms struggle with SARs is that they treat GDPR purely as a data issue, when it should be approached from a data, content and process perspective. A content services platform (CSP) can be a major asset for GDPR compliance and for handling SARs efficiently: it can locate a data subject's information across the many different information systems and repositories within the business and retrieve it quickly when a request is made.
The benefits of a CSP-powered approach to GDPR
A CSP can also index the file systems and enterprise applications it connects to for unstructured content, alongside database applications holding structured data. A centralised hub that links structured data systems with unstructured content repositories gives organisations a 360-degree view of GDPR-related data.
There is also the prospect of financial services firms differentiating themselves through GDPR compliance and using it in their marketing. Demonstrating genuine care for customers' data privacy can become a powerful unique selling point (USP) and a true differentiator. Consumers are asked for more and more of their data by financial services organisations, so those firms that proactively and transparently protect that data will surely be favoured over those that do not.
It is clear that GDPR fines will be enforced more strictly in 2019, and financial services firms could also face the other penalties that come with non-compliance, such as damage to the brand. The best way to address this is to approach GDPR from an intelligent information management perspective that covers content and process, not just data; otherwise financial services companies could run into serious difficulties.