Over the next 15 minutes I want to say a few words about the new Data Protection regulations that will be coming into force next year. I appreciate that data protection might not be the sexiest of topics but it certainly brings with it some significant threats. However, if you can adopt the right attitude and approach then there are also some significant opportunities for you to exploit.
But, before I start, I should just remind you that IRESS is an IT supplier; we are not lawyers or compliance experts. So, whilst we are very happy to share our views and thoughts you should, of course, consult your own Compliance Officer for any definitive guidance you might need.
So, what is the GDPR? As I’m sure you are all aware it is a piece of EU regulation that is in the process of being interpreted and applied by all member states. And, despite the UK’s stated intent to leave the EU, the UK government has already stated that this particular piece of EU regulation will be applied in the post BREXIT world.
So, come the 25th May next year, the General Data Protection Regulation will replace the 1996 Data Protection Directive with an aim of :-
• Harmonising data privacy laws across the EU
• Giving individuals greater protection, rights and controls over how their data is used
• And, generally bringing data protection regulation into line with the considerable advance in technology over the last twenty years
And, for those of you that might not be familiar with the new regulations I shall, very quickly, run through the key principles:-
• Firstly, all personal data must be processed lawfully and in a transparent manner. Specifically, you must have a legal basis for collecting and holding personal data; it must also be clear why you wish to hold that data, i.e. what you will be using it for
• Second, you must obtain specific and explicit consent – reliance on consumer inertia, e.g. leaving a check-box unticked, will not be allowed
• Third, the data you collect must only be sufficient – and no more – for the purpose(s) in hand
• Fourth, the data must be accurate, kept up-to-date and only retained for as long as necessary
• Fifth, it must be kept secure
• And finally, the consumer must have the right to access their data, to have it erased or corrected, or to restrict the ways in which it is used. They also have the right to have their data returned to them, or passed to others, in electronic format
In summary, there’s nothing within the GDPR that you, or I, might take issue with from a personal perspective but, overall, it does go quite a bit further than the current DPA rules and all businesses should ensure that they fully understand the detail of what will be required of them come the 25th May 2018.
So, let’s now look at the threats, i.e. the things that could happen to your business if you fail to comply fully.
The first, and most obvious, threat is the level of fines that can be imposed. Under current regulation the maximum fine is half a million pounds – which isn’t insignificant – but, under the GDPR this rises to a maximum of twenty million Euros or 4% of annual turnover, whichever is the greater.
So, for the likes of Facebook, who had a turnover of $27bn in 2016, a GDPR fine could touch a billion! And, yes, although Facebook is based in the US, because they have many consumer users within the EU they will be caught if their actions cause a breach in respect of those EU customers!
However, perhaps even more significant is the potential for reputational damage. As I’m sure you will recall there have been several high-profile data protection / data security issues that have hit the headlines over the last few years. Talk-Talk were fined £400,000 but I suspect the impact on their brand and reputation cost them far more than that.
Consumer trust takes a long while to build but it can be destroyed pretty quickly; I guess the people at Volkswagen wish they had never tried to hike their diesel emission ratings with, what they thought was some smart technology!
So, UK businesses are going to have to comply but, there are dangers with being overly zealous with your compliance activities! We’ve heard some stories that some businesses are leaving GDPR compliance to their IT departments and that they’ve simply decided that the best way of not being seen to hold, or process, personal data inappropriately is to simply get rid of it!
Whilst this approach might be quick, easy and resolve the compliance issue one might question what it will do to the business itself, i.e. it could result in a loss of highly valuable insight and information about your clients. A question of avoiding a fine but losing far more in terms of potential earnings!
Personally, I believe a more mature approach is required, i.e. understand the new rules, think through what personal data you need to collect, and then make sure you process and store it correctly.
So, let me now take off the “black hat of doom” and let’s look at some of the opportunities that this new piece of regulation presents.
The first and most obvious opportunity must be to build trust both within your existing customer-base and within society generally, i.e. it’s a chance to be seen as “one of the good guys”. As society moves ever further into the online, automated service delivery world so the value of being trusted by consumers must surely increase.
There can be little doubt that we, as consumers, will expect to execute more and more of our daily lives online but we will also have that nagging doubt about the security of our information and data.
And, I suspect that we’re already beginning to see consumers subliminally factor data security and data management into their supplier selection decisions. Reputations do matter; just look at the recent issues around Ryanair; there’s no way my wife will ever book a flight with them again!
GDPR presents a great opportunity to set out your stall with regards to handling customer data; to let people know that you not only comply with the new rules but that you actually value their data and will be processing it properly and doing everything you can to keep it secure.
And, of course, as businesses we’re all now focused on digital transformation, i.e. using technology to build solutions through which consumers can self-serve and which automate back-office processing.
When all’s said and done a great deal of what we, in the financial services industry, do is concerned with collating, manipulating and processing data; tasks which can now be executed, using technology, many times faster and at a fraction of the cost of traditional methods.
But, digital transformation can only happen if systems have access to the right data, i.e. data that is accurate, current and reliable. So, whilst some businesses might see the GDPR as yet another piece of complex regulation with which they must comply, the more enlightened will recognise it as a timely input into the design of their digital services; services that will give their clients a smoother, richer experience as well as one that is safe and secure.
Hopefully by now I’ll have convinced you of the need to take GDPR seriously, and the value of taking a positive approach, however, there’s one more point that I would like to make and that is around timing. At present only 6% of UK firms see GDPR compliance as a priority – which probably means they will be leaving it as late as they can to do the minimum possible.
This means that next summer our consumer email in-boxes will start to empty as many firms realise that they can no longer spam us with all sorts of dubious offers! But, for those firms that have thought things through, and have acted early to collect the right consents from their clients, this presents a real opportunity, i.e. an opportunity to hit those less crowded in-boxes with much more relevant / targeted offers. And, surely that’s where the competitive advantage for any digital offering really lies, i.e. in being able to make the right offer, to the right clients, at the right time, through a channel where your message will actually get read.
So, let’s now pull things together.
Clearly there’s no choice about compliance with the new GDPR regulations, however, you can choose what approach you take. Of course, a reactive, minimalist approach might be all that your business can afford in the short-term but surely, a more proactive foresighted investment will reap significant rewards downstream. What is clear is that if you get it wrong the fines and reputational damage will be significant but, if you get it right then there’s a real opportunity to build trusted relationships with your clients and society as a whole.
Personally, I would encourage you to ensure that GDPR is taken seriously within your businesses; that compliance is run as a business-driven project; that you start collecting consumer consents and preferences as soon as possible; and that you think strategically rather than tactically about how you collect, process and manage your clients’ data.
Thank you very much for your time and I hope you enjoy the rest of today’s conference.
GDPR - Threat or opportunity?
IRESS is a supplier of software products and solutions for the financial services market. Whilst we seek to understand relevant changes to the regulations that will affect our clients’ businesses, we do not purport to offer definitive advice or guidance as regards the meaning or interpretation of any new regulations. As such, any views and / or statements made within this presentation should not be relied upon and your own particular position should be checked with your Compliance Officer and / or Compliance Service provider.
What is GDPR?
• Replace 1996 Data Protection Directive
• Will apply after Brexit
• Give individuals greater protection, rights and control over personal data
• Harmonise data privacy laws
• Laws that reflect our technology and data-driven world
What does it mean?
• Honour individual rights to request erasure, rectification, restriction or a copy of information
• Fair and transparent processing
• Specific and explicit consent
• Limited to what is relevant and necessary
• Kept accurate and for no longer than is necessary
• Ensure appropriate security
• Greater security and transparency =
• Impacts customer attraction, retention
• Communicate your policy changes
• Accurate / up to date data is a requirement
• Fundamental to any digital transformation initiative
• Opportunity to offer customers:
o More flexibility on channel
o A richer experience
o Greater service value
• Just 6% of UK firms regard GDPR compliance as a priority*
• Inboxes will be less crowded
• Opportunity to be seen and heard
• Start collecting consent and preferences now
• Be more relevant and engaging
*Research conducted by Sophos – survey of 625 IT decision makers
Get it wrong: the reputational and financial threats are huge
Get it right: the reputational and financial opportunities are huge
GDPR should be a business-driven project.
Collect consents and preferences now.
Think strategically about your technology.
(don’t build your next legacy system)