Written by Sumit Sethi, Guest Blogger on Monday 3 July 2017
This article first appeared in GDPR: Report in June 2017
Borrowing the sentiment of Apple CEO Tim Cook, who earlier this year described their Project Titan, Artificial Intelligence (AI) for autonomous vehicles, as the ‘mother of all AI projects’, the General Data Protection Regulation (GDPR) equally represents the mother of all regulation for Financial Services (FS). Yet all too often, we are seeing FS firms that have misunderstood both the concept and the detail of GDPR. Because of this, they have limited their view of the regulation to one that constrains, instead of one that presents opportunities.
With less than a year to go until GDPR comes into force, its impact on FS within the UK can be viewed as a microcosm of the wider state of the FS market: both the frequency and the fullness of change are ever-increasing, and yet, based on surveys of senior change leaders, the industry and its incumbent firms are not ready.
Given that no tangible product is exchanged in the marketplace of FS, we can accept that FS is fundamentally about data transformation; data is the currency! Accepting this truth, there are five key challenges relating to the impacts of GDPR on UK FS firms:
- The scope of GDPR is too onerous for some FS organisations
The 11 Chapters containing the 99 Articles of GDPR bring about both enhanced and new requirements which, beyond being demanding and complex, are hard to interpret in certain places.
The enhanced consent requirements, due to their scope, will detrimentally interfere with sales. GDPR is not strictly a tick-box exercise but an outcomes-based regulation, which presents organisations with the pragmatic opportunity to “bake it” into their operations. It offers a set of standardised requirements, so organisations can work towards the ‘tick-box’ sections whilst defining their positions on the slightly ‘grey’ areas. This will encourage organisations to incorporate data as a design principle for both their raison d’être and their future. Just as FinTechs and InsurTechs are less concerned with sales and more focused on engagement, this is an opportunity for FS to decouple sales from being their primary reason for interactions.
- Brexit is not a GDPR get-out clause
There should be no doubt that GDPR will be the leading regulation on data across the world and will be an absolute requirement if a firm chooses to target EU citizens as customers, regardless of where the firm is based. As such, it will become the prominent standard of compliance. Therefore, GDPR should become the de facto UK standard irrespective of Brexit, and the Government’s position is clear: “We are implementing the GDPR in full…from a position of harmonisation rather than a position of differences.”
- The cost of achieving compliance will be high
Costly programme teams are being initiated, which consequently consumes the budgets of other programmes, and potentially GDPR could kibosh existing tech investments such as Big Data. At the same time, investment in GDPR technical capabilities, from security to data portability, further complicates technology estates.
Organisations should form their teams primarily from internal resources who best understand operations, applications and the internal landscape, and thereafter supplement accordingly with external experts. With regard to tech investments, organisations should determine the underlying objectives for which they commissioned the new technologies, and view GDPR as an aid to managing the key source of input to and output from their technology estates: data.
- The operational cost of maintaining GDPR compliance will be high
GDPR will bring about additional, non-value-adding operational requirements and thus will increase the cost of doing business with no perceived benefits; for example, Data Subject Access Requests (SARs) will put a drain on resources.
GDPR will redress the dynamic between Data Subjects (DS) and organisations, as trust is the prize on offer through transparency and accountability. Therefore, this presents the engagement opportunity to align existing operations towards becoming more customer-centric, as well as to build new products and propositions that not only inherit such virtues but, in doing so, are operationally viable. Whilst the high costs are likely unavoidable, the benefits are there for the taking as well.
- The penalties for non-compliance are severe
The penalties for breaches could easily put smaller firms out of business, as well as significantly impact larger organisations. One of the most common misdirections with GDPR is that the focus has been on the severity of fines. This is flawed, in that suspension orders on organisations for large-scale breaches will impact them much more; imagine the impact on cash flows for an insurer suspended from selling new business following a significant breach. This would be a much more tangible impact than any reputational damage in the short term.
In summary, the true impact of GDPR will be unknown for some time after the implementation date. However, whilst most Data Subjects are unaware of GDPR, they are consciously aware of how they want to be treated, including how their data is treated. Therefore, just as the EU wants data protection to become a human right, the impact of GDPR should be an opportunity for organisations to better prepare for the data-centric world that we all live in and, more importantly, the data-centric world in which they wish to succeed.