By Emma Erskine-Fox, Associate, TLT LLP
It’s now been just over a year since the General Data Protection Regulation (GDPR) came into effect across the European Union, bringing with it panic, misinformation and scores of emails asking us to consent to stay on mailing lists we’d forgotten we’d signed up to.
Despite the Information Commissioner’s assurances that the GDPR would not be “the next Y2K”, it was hard for businesses not to get swept up in the fear of €20 million fines and catastrophic data breach headlines.
The GDPR implications for the financial services sector were undoubtedly significant, and the move towards digitisation and open banking has compounded an already complicated privacy landscape in an industry where trust is crucial.
A year after the legislation kicked in, some of the initial fears of huge fines and weekly regulatory audits have been dispelled. But privacy compliance in digital banking remains a key area of concern and continues to impact innovation in the sector.
Privacy as strategy
There is no doubt that the GDPR has brought privacy to the forefront of everyone’s minds. By virtue of concepts like data protection by design and by default, what was once an afterthought is now a key part of strategic decision-making in most organisations. It’s no wonder that data privacy and security are frequently identified as among the top concerns for boards, given the financial and reputational impact of large-scale breaches and data misuse scandals such as Equifax, Cambridge Analytica and Marriott.
Incorporating privacy considerations from the outset of a project is a key tenet of the GDPR. While this ensures compliance and encourages best practice, an unintended side effect can be projects falling at the first hurdle. In a traditionally risk-averse industry, digital banking decision-makers often view GDPR compliance as a costly and challenging exercise and ultimately something that could obstruct projects further down the line. These reservations can lead to a reluctance to invest and innovation stalling for fear of getting it wrong.
But getting privacy compliance right can have huge benefits. Digital and data-heavy industries are centred around consumer trust and in an age where data is a key public concern, one of the best ways to build this trust is to be able to show customers that your data handling practices are robust and ethical. Businesses that can find inventive solutions to privacy challenges are going to be in the best competitive position in the digital banking arena.
It is therefore important that data privacy and security continue to be a key part of the digital banking strategy. Changing the perception at board level to focus on the benefits, rather than the risks, of the GDPR can help to ensure that the role the GDPR plays in decision-making is facilitative rather than prohibitive.
Security and trust: hand-in-hand?
Although no GDPR compliance journey has been painless, what the GDPR has undoubtedly done is force organisations to tighten their data handling practices and review their security procedures. At the same time, an increased focus on customer control over their data means that power is being put back in consumers’ hands. GDPR data cleansing exercises have also resulted in businesses holding better quality, more relevant personal data. All of this means that the digital banking revolution should be coinciding with a time when consumers are more confident than ever that their data is being treated in the right way.
However, we are also living in a time when data breaches are in the headlines every day. The press furore (and occasional fake news) around the GDPR has led to a huge boost in consumers’ awareness of their rights and the risks of giving away their data. Privacy has become a mainstream concern for the public and consumer trust is hard to come by.
Another challenge for building trust in digital banking is that engaging with banks has historically been seen as simply an everyday necessity. The shift towards digital requires consumers to see banking as something they can engage with on another level and from which they can reap clear benefits. Initiatives like open banking are helping to push this message, but it’s a slow burn. Privacy compliance is, of course, crucial, but focussing customer messaging on the benefit to consumers of data sharing and the value exchange can help to drive uptake.
Another key part of building and maintaining trust is preparing for the inevitable. Even those organisations with the strongest security measures and the best consumer messaging are never safe from the risk of attack. Attackers are becoming ever more sophisticated and most businesses and consumers now accept that a data breach is not a case of “if” but “when”. But often it’s not the breach itself, but the handling of it, that can be “make or break” for an organisation’s reputation. The GDPR itself sets the clock here: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, and affected individuals must be told without undue delay where the breach is likely to result in a high risk to them. Digital banking businesses that have robust incident management processes, rehearsed in advance against those deadlines, and strong communications teams will be best able to protect their reputation and maintain consumer trust in the event of a security breach.
The role of data ethics
There is an increasing body of work and thought around the subject of data ethics and its importance in the financial services industry. Consumers increasingly want to see the businesses that they interact with taking an ethical approach to the way that they operate, from sustainability to treatment of their people. Data is no different.
UK Finance has produced a data ethics paper in collaboration with KPMG which emphasises that financial institutions must be seen as trusted custodians of customer data in order to succeed in the digital space. And it’s not necessarily about what not to do with data; businesses should focus on harnessing data to drive outcomes in the interests of customers.
Privacy compliance and data ethics are intrinsically linked, but having a data ethics framework enables businesses to distil privacy compliance down into something that consumers can easily understand and relate to, resulting in increased potential for consumer engagement.
Open banking and GDPR: friends or foes?
The concurrence of the GDPR and open banking raises some particularly interesting privacy challenges. Customers are being asked to open up their data at a time when large organisations are under more scrutiny than ever when it comes to their data practices. Consumers have historically been told by their banks that they must never, ever, under any circumstances, share their account details or security credentials with anyone. Open banking is a significant shift away from this message and one that has naturally taken some time to bed in.
Our research shows that organisations are very much alive to the data concerns surrounding open banking and the clear link between data practices and consumer trust. Half (49%) of survey respondents believed that high-profile data breaches have damaged customer trust in open banking, whilst damage to customer confidence as a result of data loss or misuse was the biggest data-related concern for financial services companies under open banking.
The GDPR is not in direct tension with open banking. Open banking is about transparency, handing control back to the customer and ensuring data is shared in a secure manner to the benefit of the customer; all things that are key requirements of the privacy legal framework. But open banking is also new. There is a lack of public understanding about how the technology behind open banking works, which can lead to fear and uncertainty among customers about the use of their data in an open banking context. In practice, open banking does not involve handing over login details: under PSD2 and the UK Open Banking standard, a third-party provider accesses account data through an interface the bank exposes, and only after the customer has authenticated with the bank itself and given explicit consent for that provider to access that data. Explaining this distinction clearly is a large part of closing the understanding gap.
The challenge for financial services organisations therefore lies not only in balancing GDPR compliance and open banking, but in effective communication with customers that reassures them that their data is in safe hands. Shifting the focus onto the benefits of open banking for consumers, including the privacy and security benefits, will help businesses to overcome the privacy trust hurdle in open banking.
GDPR: a blessing or a curse for digital banking?
The GDPR was never intended to stifle innovation. In the words of Elizabeth Denham, the UK’s Information Commissioner: “Privacy does not have to be the price we pay for innovation. The two can sit side by side.” Consumer trust is critical to the success of digital banking and a large part of building that trust is instilling confidence in how businesses are handling customers’ personal information.
The GDPR is only a curse if businesses choose to see it that way. It has the potential to be a real facilitator of customer trust in digital banking, but it’s important to change the perception of the GDPR as an inhibitor. If decision-makers continue to view the GDPR as an insurmountable hurdle, innovation will stall and digital banking will struggle to move forward. If those with the power to make decisions start seeing the GDPR as an enabler and a way to harness customer data, build trust and gain a competitive advantage, this can pave the way for creative solutions to drive innovation and success in digital banking.