Banks are facing major challenges in changing their processes to comply with the GDPR which will come into force in less than a year from now.
The technical challenges ahead for banks to comply with the GDPR may not be overcome in the next twelve months.
The General Data Protection Regulation (GDPR), among other things, will make it prohibitively expensive for banks and other organisations that choose not to follow the data protection and cyber-security rules in place. The Payment Card Industry Security Standards Council (PCI SSC) believes that, under the GDPR, UK businesses could face fines of up to £122bn for failing to protect customer data, compared to just £1.4bn in 2015.
Failure to protect customer or company data from breaches will result in fines of either 4% of a bank's annual worldwide turnover or €20 million, whichever is higher. According to a recent survey of 500 IT executives conducted by Varonis Systems, as many as 42% believed that banks will be made an example of for breaching GDPR rules and may attract the heaviest fines.
Banks are now expressing serious concerns over their ability to adapt to the upcoming legislation in the next twelve months. “Banks are struggling with legacy systems. From our discussions with chief technology officers at banks, they are concerned the technical challenge may be impossible given there is only a year to go,” Chris McMillan, a partner at consultancy firm Oliver Wyman, told the FT.
“At some banks, a customer’s data may be held on more than 100 systems, and each of these takes a long time to change, even for a simple change. Sometimes even the simplest changes take months and months. Multiply that by a hundred and it becomes a very complicated task,” he added.
McMillan also states that, had the GDPR been in place for the last five years, "FTSE 100 companies could owe up to £25 billion in fines to EU regulators." He adds that most businesses are not ready for regulations that will require them to explain to consumers why personal data is being collected and how it will be used, and to delete or edit such data on customer request.
GDPR will also require companies and banks to conduct data privacy impact assessments to identify risks and mitigations before engaging in high-risk activities like processing data which may result in identity theft or financial loss. At the same time, each separate data collection activity by an enterprise will require clear affirmative consent from involved parties.
Surprisingly, many UK businesses, including banks, feel that they may not be required to comply with GDPR regulations because of Brexit. According to Dr Elizabeth Maxwell, Technical Director for EMEA at Compuware, this is despite the fact that the government has left no stone unturned in confirming its adherence to the GDPR. Minister of State for Digital and Culture Matt Hancock has emphasised that, in order to ensure an uninterrupted flow of data between EU member states and the UK post-Brexit, the GDPR will be implemented in full.
It is also believed that many UK businesses are either not familiar with the harsh fines and punishments laid out in the GDPR or are not serious about implementing strict data protection practices, despite the fact that the GDPR is very clear on what companies need to do and what will happen if they don't follow the rules.