Regulation is nothing new to the financial services industry, but GDPR is a different animal altogether. It codifies into law an extraordinary level of accountability for organizations, and they are feeling the pressure. With great responsibility, though, can come great rewards – beyond merely complying with GDPR.
Setting the Context: Today’s Technology Landscape
According to a 2017 survey by Varonis Systems, 76 percent of IT executives working in financial services said they face serious challenges in preparing for GDPR. In fact, banking respondents to the Accenture 2017 Global Risk Management Study cited escalating demand from various regulators in multiple jurisdictions as their top concern. Almost 60 percent of those surveyed said they need to upgrade their systems and capabilities to deliver more transparent reporting to regulators.
Yet GDPR is not the only technology issue facing financial services organizations. Keeping pace with today’s changing digital technology is another challenge. Nearly all (90 percent) of the professionals surveyed for the Accenture Banking Technology Vision 2017 report said that their organizations “must innovate at an increasingly rapid pace just to keep a competitive advantage.”
Remaining competitive requires a constant focus on the customer experience to increase transactions and ensure retention. Digital transformation projects rely on customer data – an untapped source at many financial institutions – to create new technologies and services and to optimize them for personalization, speed, and ease of use. In addition, building in privacy by design and maintaining it across multiple consumer platforms is a major undertaking. So is integrating new technology with legacy applications and infrastructure.
Cyber threats are also a rising concern. According to the Ponemon Institute’s 2017 Cost of Cyber Crime Study, financial services companies face the highest annualized cost of cyber crime of any sector, at $18.28 million, with utilities and energy close behind. The global average cost of cyber crime is now $11.7 million, up nearly 23 percent from the year before, and the average annual number of security breaches is up nearly 30 percent.
Business Benefits of GDPR
A GDPR compliance initiative can help with all of these issues. Three benefits in particular can come from a GDPR exercise – if you approach it the right way.
- Reduce Costs
Besides avoiding GDPR’s stiff fines and penalties, the cost savings from a GDPR endeavour could be substantial. For example, according to People Data Labs, approximately 18 percent of data in people databases such as a CRM or ATS system is duplicated. With the insights gleaned from your GDPR compliance project, your IT organisation can identify areas of duplication to eliminate or consolidate. The result could be lower systems and data centre costs, less wasted capacity, less IT time and maintenance expense, and faster backups. Better data management will also reduce staff time when customers invoke the “right to be forgotten” (the right to erasure) under GDPR and ask you to delete the personal data you hold about them. Note that this right is not absolute: where a legal obligation such as a financial record-keeping rule requires you to retain the data, you may refuse the request, but you must be able to show which records are covered by which retention requirement, which is only possible if you know where the data lives.
- Decrease Risks
Building a GDPR compliance programme requires you to pinpoint where personal and sensitive information is stored and to assess the supporting processes and technologies against a defined control framework. This knowledge will help you plan and execute remediation strategies, such as deciding whether to encrypt, archive or delete the data to prevent its misuse or duplication elsewhere. GDPR itself names pseudonymisation and encryption as appropriate technical measures, though encryption only reduces risk when key management restricts who can decrypt, and archiving only helps when the archive is protected at least as well as the live system. Better securing your highly regulated and sensitive data can help prevent data breaches – whether from hackers or insiders. In addition, you can demonstrate to auditors that controls exist for identifying and reporting on all sensitive data.
- Improve the Customer Experience
Preparing for GDPR gives you a better understanding of your customer-facing processes and applications as well as their purpose within the organization. This will help you create and deliver digital solutions that customers want, in the way they want them, while ensuring data privacy controls are in place. Having superlative security and privacy processes can improve your reputation and competitiveness as well – increasing customer acquisition and retention.
The savviest banks will capitalize on GDPR to offer new services to customers. As Chris McMillan, a partner at management consulting firm Oliver Wyman, told the Financial Times: “A bank could see you have a direct debit to a telco and ask you for permission to request the data from the telco to check you are getting the best deal. That would be a compelling proposition for a customer, knowing their bank is trying to save them money.”
Getting GDPR Right
Realizing the benefits of a GDPR project requires four initiatives:
- Inventory your technology and data assets and record what each is used for
- Analyse your data landscape to ascertain how well that data is protected
- Understand data lineage – where the data originates, where it flows, and how it is used
- Target and prioritise the investments and planning activities required to support GDPR compliance
For an undertaking this complex, you need to organize a cross-functional data governance team to collaborate and drive your GDPR efforts. The team should include representatives from functions such as legal, data privacy, IT security and risk management, enterprise architecture, and the enterprise program management office (EPMO).
In this era of digitization and regulations, protecting data privacy and proving that you are doing it lawfully under GDPR is paramount. With the associated business benefits that are possible as a result, financial institutions should see GDPR as an opportunity rather than a burden.
Nicola McCoy is director of enterprise architecture consulting with Planview. She has more than 20 years’ experience working within information security, enterprise architecture, global technology, and enterprise software roles. She has deep experience in helping organisations to understand operational resilience, information security, and how to manage risk within a connected enterprise, while communicating their current risk posture to senior (C-level) stakeholders.