Two days before the first anniversary of the General Data Protection Regulation (GDPR) taking effect in European law, PBI asks the experts what its impact has been on private banks.
GDPR sought to give individuals greater control over how companies store and use their data, and to hold those companies to account for misuse of data and for the reporting of cyber breaches.
Much interest was generated among the public as the GDPR deadline approached on May 25th 2018. The majority of headline news since has concerned the tech industry, suggesting financial services has its house very much in order.
What lies ahead for the private banks and what wider effect will GDPR have?
GDPR “a damp squib”
Many commentators would say the short-term impact of GDPR has been minimal.
“After much fanfare, GDPR’s first year of implementation felt like a damp squib,” says Linda Gibson, director of regulatory change and compliance risk at Pershing of BNY Mellon.
“While the regulation has brought with it an elevated awareness of data privacy, the truth is that so far it has been very difficult to judge its successes, however noble its intentions were.
“Despite the ICO’s (Information Commissioner’s Office) well-documented additional enforcement powers, we are yet to see tangible evidence of the legislation’s regulatory impact in the UK.
“That will understandably take time.”
Effect of GDPR on private banks
While private banks have not been targeted by regulators to anything like the extent that tech giants have been, Tim Hickman of global law firm White & Case suggests this could change.
“I suspect the regulators’ credibility will evaporate if they don’t start issuing more fines outside of the tech space,” he told PBI.
“Then, if you look at who they are most likely to go after, it seems most likely that it will be financial services.
“They have deep pockets and are very popular targets, even if it’s only for political as opposed to legal reasons.”
Linda Gibson echoes this, stressing the importance of private banks remaining vigilant to the dangers of non-compliance with GDPR.
“The lack of enforcement in the financial services sector should not lull firms into a false sense of security.
“Bad GDPR compliance is not just about the regulatory cost: it spans far wider than financial penalties.
“Reputationally, companies cannot afford to break client trust by misusing client data.
“If you cannot keep data safe, the bottom line is that your business will not grow.”
GDPR – the bigger picture for private banks
What GDPR has succeeded in doing is raising awareness of data protection and cybersecurity, which points toward a culture change in the way businesses operate.
Furthermore, should the regulators bare their teeth, it will be easier to recognise which companies are vigilant about data management and which are not.
“Like most other major regulatory change, the market is ultimately waiting for guidance on what good and bad GDPR compliance actually looks like,” Linda Gibson says.
“Good GDPR compliance is about strong cybersecurity, and over the last twelve months it has unintentionally caused firms to think about how data protection sits at the heart of their operational resilience.
“As a result, data security no longer sits within the confines of the IT department. It must be a C-suite priority.
“GDPR is not a one-off exercise but an integral part of the governance and oversight of a firm’s entire systems and controls.
“In the ICO’s own words, data protection should be an integral part of a firm’s cultural fabric.”
This is also the view of Ryan Dodd, founder of cyber-risk consultancy Cyberhedge.
“I think that as GDPR lives on, it’s going to create a situation where companies are going to have to start to report that they have a GDPR breach,” he told PBI in April.
“That creates this line between what’s good management of data, cyber and privacy protection, and what’s bad. That’s what I think will be the legacy.”