The implications of GDPR for financial services firms

The new regulation will come into force on 25 May 2018. All firms should be assessing their interactions with customers’ personal data now  
by Ritchie Bann

Many a regulatory acronym has landed on the financial services sector in recent years, but complying with the General Data Protection Regulation (GDPR) promises to be one of the most exacting undertakings of all. And the clock is ticking.

GDPR, which comes into force on 25 May 2018, is all about giving individuals control of their data. The new rules apply to all companies across the EU – and potentially beyond – that process personal data, but financial services firms will be especially affected as they hold so much highly confidential customer information. The Review answers some of the most pressing questions on the matter.
What will GDPR change?

Under GDPR, individuals will be able to control how their data is used, know where it is stored and have a right to transfer it or, in some circumstances, have it erased. In instances of misuse, individuals will have increased rights to legal recourse alongside existing rights to claim compensation.

See table comparing GDPR, DPA, PECR and ePrivacy

Individuals' requests for the information a company holds on them (subject access requests) will be free under GDPR; under the 1998 Data Protection Act (DPA) a firm may currently charge £10. If this leads to a high volume of requests it could create a problem for firms, because GDPR requires a response without undue delay and in any event within one month (extendable by a further two months for complex or numerous requests), and a request that is not met in time puts the company in breach.

Although GDPR will supersede the DPA and the UK's other data protection legislation, the UK's 2003 Privacy and Electronic Communications Regulations (PECR), which implement the EU ePrivacy Directive and set out rules for electronic marketing and communications, will remain in force until the new ePrivacy Regulation replaces them.

How does the GDPR define 'personal data'?

The DPA, currently in force, already has a broad definition of personal data: any information relating to an identifiable living individual, including descriptive details, a telephone number or the pet they own.

Under GDPR that definition is expanded to include genetic and biometric data, as well as online identifiers such as IP addresses.
The road to GDPR compliance

25 May 2018: After more than six years of negotiation in Brussels and beyond, GDPR comes into force in the UK and across the EU.

April 2016: GDPR adopted by both the European Parliament and the Council. As a regulation rather than a directive it applies directly in each member state without the need for local implementing law; a two-year grace period follows before it applies from 25 May 2018.

December 2015: European Parliament and Council reach agreement on the text of GDPR.

June 2015: Council of the European Union agrees its first-reading position on GDPR.

March 2014: European Parliament approves its first-reading position on GDPR.

January 2012: The European Commission publishes its initial proposal for an updated data protection regulation.
What is the cost of non-compliance?

GDPR non-compliance can lead to fines of up to 4% of annual global turnover or €20m, whichever is greater. Under the DPA, the current maximum fine the ICO can impose in the UK is £500,000.

A 2017 report by Consult Hyperion – GDPR: banks, breaches and billion euro fines – forecasts that GDPR will cost banks €4.7bn in fines over the next three years, with financial institutions expected to experience 384 data breaches, and tier one banks facing fines as high as €260m per breach.

GDPR fines can also follow a cyber attack if the firm that was hacked had not taken appropriate technical and organisational measures to protect the personal data it held; being the victim of an attack is not by itself a defence. A personal data breach must be notified to the supervisory authority (the ICO in the UK) within 72 hours of the firm becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and the affected individuals must be told without undue delay where the risk to them is high. The financial services sector is already the most attacked by cyber criminals, according to the IBM X-Force Threat Intelligence Index.
Will Brexit mean UK firms don't have to comply with GDPR?

No. In Brexit and data protection, a House of Commons Library briefing paper published in October 2017, the government confirms that it will bring GDPR into UK law regardless of any Brexit settlement.
Is there any conflicting legislation?

Yes: the revised Payment Services Directive (PSD2) pulls in the opposite direction. As a way of encouraging more competition, PSD2 requires banks to open their payments infrastructure and customer account data to authorised third-party providers acting on behalf of customers who have consented. This new regime is called 'open banking', and commentators are concerned that it will increase the chances of a breach, because customer data will be held and transmitted by more parties, widening the attack surface beyond the bank itself.

This article was originally published in the Q1 2018 print edition of The Review.
Published: 26 Mar 2018