Data has become incredibly powerful for financial services companies, who are increasingly using technology to mine it for insights and opportunities. But with great power comes great responsibility, and the protection of customer data has become a core regulatory requirement for firms operating in the UK, Ireland, and across the EU.
We recently held a webinar on this topic with fscom experts Nick Gumbley (Associate Director) and Will Finn (Senior Manager). In this blog, we summarise their advice on what companies need to know about regulations on customer data, and how they can set up a framework to meet these challenges head on.
The global spread of data protection regulations
Data protection has landed firmly on the regulatory agenda in recent years. The EU’s General Data Protection Regulation (GDPR) was formally introduced in the EU and the UK in 2018. After Brexit, the UK’s regime shifted to the UK GDPR and Data Protection Act 2018 – which has subtle differences but ultimately very similar provisions. The regulations have three aims:
- To protect individuals’ data.
- To provide them with a mechanism to seek recourse if they believe their data has been used illegally or in a way they didn’t agree to.
- To allow companies to use data as more opportunities present themselves by creating a framework around it that protects customers’ rights.
Firms in the UK answer to the Information Commissioner’s Office and Financial Conduct Authority, while Irish firms are accountable to the Central Bank of Ireland, the Data Protection Authority of Ireland and EU and EEA regulators. But companies are also expected to respond to two important groups:
- Individuals: GDPR empowers individuals by making clear that they own their data and giving them legal rights to ensure businesses are using their data transparently and for legitimate purposes. Individuals can complain to national authorities and make subject access requests or right to be forgotten requests.
- Organisations: When a company signs contracts with clients, these will include clauses around data protection, information security and data privacy which must be delivered on.
The costs of failing to protect customers’ data
After four years of GDPR, it’s already clear that the regulations have teeth. Over 1,000 fines have been issued under the EU regulation, including an eye-watering €746 million fine for Amazon in July 2021. Financial services companies have been targeted, such as a €463,000 fine for the Bank of Ireland for errors impacting the creditworthiness of data subjects, delays in informing these individuals, and lack of appropriate organisational and technological measures around their data.
Even where fines have been smaller – the regulations are applied proportionately after all – companies still suffer reputational damage from a breach. This is especially true in financial services, where High-Net Worth Individuals will be quick to withdraw their business if they lose confidence in how their data is handled.
How can companies protect customer data?
Companies need to put in place the right processes around their use of data. The UK GDPR says data protection should be implemented by design and by default, which means data protection and privacy should be built into every step of every action that involves processing personal data.
We recommend five practical steps to improve your handling of customer data:
- Business overview: You should gain an end-to-end understanding of what processing of data occurs across the services you deliver to customers, including those carried out by third parties. Undertake a data privacy impact assessment (DPIA) to identify and manage risks to customer data when launching a new product.
- Review existing documentation: Firms have hundreds of documents relevant to data protection and a discovery exercise can capture them into a single inventory. This also meets the UK regulator’s expectation that firms should populate a record of their data processing.
- Validate findings: Companies should develop a data classification scheme which communicates to all employees what kind of customer data needs to be protected. This should be kept simple with a small number of categories of data (from restricted to public), and accompanied by clear guidance on how to handle each type and training for key staff.
- Update policies and procedures: Based on the findings in the previous three stages and the regulations, companies should update their policies and procedures around data and present them to the company and its third parties.
- Learn lessons: The compliance exercise should be documented along with lessons learned, and these should be periodically reviewed and updated. DPIAs can help to assess compliance on an ongoing basis.
In our extensive experience advising clients on data protection, we recommend paying particular attention to:
- Third parties: Firms should engage with third parties who are helping to process customer data at every stage of their relationship to ensure their compliance.
- Governance: Clearly define who in the organisation is accountable for managing data protection. This ensures firms meet, for example, obligations to respond to Subject Access Requests in a timely way.
- Incident management: Companies need an effective incident and privacy breach detection regime. The IT and information security function in a firm should work closely with the data protection officer on this.
- Regulatory changes: GDPR is just the start of a new regulatory approach to protecting and overseeing the use of customer data, and firms need to stay on top of developments as they arise in the future. There are some differences between the EU’s and UK’s regulations, particularly around the age a child can consent to data processing and companies’ ability to process personal data, and firms should watch for future divergence.
- Services: The protection of customer data should be front of mind when designing and launching a new product or service, and data should be deleted or returned to customers when a product is retired.
You can read more about fscom’s advice on data protection on our website. We can help companies to manage data protection requirements and cyber risk. Contact us today for a free consultation.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.