What the GDPR Means for the Banking Industry
Standfirst: New regulations put customers in control of their own data and could have major implications for the banking industry.
The rise of digital technology and the increased use of data has transformed the banking industry. It’s opened up a host of possibilities, but as so often opportunity comes hand in hand with danger. The more banks use digital technology to interact with customers and the more data they store, the more vulnerable it will be to attack.
New rules for a new threat
In a very short time, cyber security has shot to the top of most organisations’ agenda. All that sensitive personal data stored online represents an enticing target for the criminals. While progress has been made, financial organisations are still struggling to keep data safe, as proved by the recent hack on credit scoring agency Equifax.
For all the risks, though, the benefits – both for banks and consumers – are worth it. Banks can gather more information about their customers than ever before and deliver increasingly personalised services. Customers can process transactions more quickly and access, make more convenient payments and access a wider range of services via their computer.
So, data will become more mobile and ubiquitous, which is why regulators have made moves to update the laws. Starting from 25th May, 2018, the European Data Protection regulations will give customers greater control over their own data. Banks will have to gain freely given, unambiguous and informed consent when they use customer data. Customers will have the right to complain and seek redress if their information is misused in any way, shape or form.
It’s good news for customers, then, but these changes have potentially serious implications for banks. First there’s the penalties. Organisations deemed at fault for a data breach could be fined up €20million or 4% of annual turnover, whichever sum is greater. To put that into context, experts revealed that the £880,500 paid in fines by British companies in 2015 could be up to 70 times higher thanks to the new GDPR rules.
Banks should take particular note. Not only do they handle large quantities of data, but they are also one of the prime targets for data thieves. Although measures have improved dramatically defences are constantly playing catch up against the data thieves. So here are key steps every financial organisation should be taking.
- Upgrade defences. A bank will need excellent first and second line cyber defences. Make IT teams the hub of operations, and continually update security systems to keep pace with the latest threats.
- Educate staff: Cyber-crime may be high tech, but it is still human error which causes the most problems. So, security must involve much more than just the IT department. Make sure staff are informed about the latest attacks, and the importance of keeping work and personal passwords separate. Set up a clear strategy for managing who does, and who does not, have access to key systems. In many companies, even relatively junior members of staff have access to important systems. Make sure people can only access the information they need to do their job.
- Assess infrastructure: New regulatory requirements will have to integrate with existing systems. Take a look at what you’re doing as an organisation and decide how it can be adjusted to meet new demands.
- Think global: Regulations will have implications for data across international borders – anything captured by a company which is based in the EU, even if their customers are based outside.
The rules of the game are changing rapidly and the days when banks could view cyber-crime as a secondary consideration are sadly far behind us. It’s key to every aspect of operations, and the penalties could pose a real threat to the financial health of even the biggest corporations.