Two months into GDPR, the costs and impacts are starting to be felt across the financial service sector. Bobsguide speaks with Jon Szehofner, founding partner of GD Financial Markets, to discuss what he has seen so far.
What has been the impact so far of GDPR on customers?
The May 25 deadline for GDPR has come and gone and for most people the most tangible aspect was probably the flurry of emails they received in the run up to the deadline. Mostly, containing privacy notices from companies they had forgotten they had signed up with in the first place. Brief coverage in the news over the go-live period highlighted that the majority of members of the public were unaware of what GDPR stood for or what it meant for them. This may well have been the first and last that they will hear about GDPR, and for companies, it may be tempting to think that the hard work is done and it is back to business as usual.
What has been the impact so far on UK financial services institutions?
We can all read the GDPR regulations; the Information Commissioners Office has provided a number of straightforward guides to the regulations. However, implementation of the new rules come with some pretty significant practical implications, and while companies have put in place procedures to reflect the rules, I suspect these are to a greater extent untested.
Looking specifically at the banking sector, I have heard many within the industry describe the job of trying to comply with the regime across all their global businesses as thankless, and as a consequence have needed to prioritise certain requirements over others. Many acknowledge that even the requirements that were implemented are likely to be untested or properly embedded, and that they are now very much focussed on scoping and delivering the Day 2 plan and could even find themselves relying on regulatory forbearance on some matters (i.e. third party contracts).
From a risk management perspective and with respect to any attempts made to quantify potential losses from a data breach, banks are expressing a need for better tools that enable these calculations. Similar to what we see in how banks measure Credit and Market risks, they need greater investment and allocation of resources to enable them to forecast exposures to data misuse and breach.
How much on average is GDPR compliance costing UK financial services firms?
According to research conducted by SIA Partners, the implementation costs of GDPR for banks has been on average £66m, which is the highest of any sector. The average implementation cost for Financial Service companies (non-banks) was much less, although still significant at £8m.
The higher implementation cost to banks can in some part be explained by the complexity of systems architecture and the fact that banks have many other regulatory (and other) requirements to comply with. They have an enormous obligation to protection consumers and simultaneously comply with a number of other provisions that protect people.
Will working with other European companies become more or less difficult for UK financial services firms?
As an EU regulation, the GDPR will make working/transacting with other European companies easier because we have harmonised standards for processing and using data. For the UK and its banks, this will of course depend on any changes that may occur as a result of leaving the European Union and whether the UK diverges from the spirit of the regulation.
That said, the GDPR does enforce stricter oversight obligations of any third party providers that have access to or process personal data. These requirements need careful consideration and ongoing proactive management.
Have we seen any major data breaches? What actions have been taken and what can we learn?
There have been two major breeches identified since May 25, neither of which occurred with financial services. These have been Ticketmaster and Dixons Carphone.
Ticketmaster suffered a malware attack through a third party that processes the company’s data. This impacted 40,000 customers. This case is particularly interesting because the breech took place over a period of time which spans both the 1998 Data Protection Act and the 2018 Data Protection Act (GDPR) ie it happened over the period of time before, during and after the GDPR deadline came into effect. The ICO’s response to this, which is currently in the evidence-collection stage, may therefore set the tone for future cases of data breeches. What’s more, Ticketmaster had been warned of possible data security issues in April by Monzo, who had noted fraudulent activity on some of its clients’ accounts. Ticketmaster will therefore be subject to scrutiny on their investigation procedures which were either not appropriate or were appropriate, but found nothing.
The other major recent data recent breech was at Dixons Carphone which has seen a repeated case of data breech, having been fined £400,000 in 2015 under the Data Protection Act 1998. Interestingly, the latest breech occurred before the May 25 deadline but was not discovered until after that deadline. As a recurring issue, the regulators may take a dim view of the lack of progress that has been made in addressing data security and processing concerns at Dixons Carphone.
Both of which will prove interesting use cases to financial services firms. The Ticketmaster example in particular brings into greater focus the need for an appropriate oversight/governance of third parties who access/process personal data – a practice that is commonplace within financial services.