Regulation, Sep 7 2016

New rules boost data privacy rights

Considerable attention in recent debates about privacy has often focused on the so-called “right to be forgotten”, which forms a key pillar of the European Union’s sweeping new General Data Protection Regulation (GDPR).

This right – established in a case against Google, and empowering EU citizens to ask search engines to remove personal content – has had important implications for financial services: it broadened the legal recognition of what counts as a data controller, thereby widening the scope for those seeking to punish breaches.

But it has also opened a path that could ultimately lead to a brave new world in which there is general recognition of a far more important “right to be respected” when it comes to personal data – just one of the opportunities that embracing the GDPR offers those who approach it in the right spirit.

The GDPR, a milestone in European data protection, is the result of an ambitious three-year reform process and replaces the 1995 EU Data Protection Directive. The regulation is set to come into force in less than two years, on 25 May 2018.

At root, it strengthens and clarifies protection of the individual in an environment in which data is proliferating. This has significant implications for the financial services sector, where data protection and security are key issues – not least because the move is backed up by sharp regulatory teeth with which breaches are punishable through far more considerable fines than is currently the case.

While data protection is already high on the day-to-day agenda in the sector, the GDPR requires operators to raise their game. It is crucial for businesses to be aware of its impact on their data infrastructure and legacy systems, which are often uneven as a result of acquisition and organic growth.

In summary, the regulations toughen the penalties for non-compliance; extend the territorial reach of privacy rules to organisations outside the EU processing data relating to its citizens; require the creation of data protection officers in most if not all organisations; tighten protocols on breaches; and shake up rules on erasure and portability – the right to access and move personal data.

The nature of the relationship between data controllers (the brands a consumer agrees can be the ‘custodians’ of their data) and data processors (the service providers who often very proactively support these same brands with data management and insight services) is evolving as well. Data processors must ensure that they are even further beyond reproach than they already need to be, since they too take on new liabilities.

A key challenge for the financial industry is the requirement to obtain a customer’s ‘unambiguous’ consent for personal data to be processed, however beneficial and well-meaning the aims of processing their data may be. Organisations will need to ensure they retain proof that this has been freely given and the customer has been fully informed about what is involved.

Inevitably, change on such a scale can prompt people to cry in despair, and the GDPR is seen by an exasperated few as yet another regulatory burden that makes data much less interesting.

Viewed in a more positive light, it offers sustainable opportunities for businesses approaching the situation in a spirit that recognises personal data ultimately belongs to the consumer. Seen this way, it can be credibly argued that the regulation is broad enough to allow businesses to continue leveraging the value of data fruitfully.

Take the notion of “know your customer”, which derives from the simple wisdom that if you engage with a consumer well you are more likely to build a long-term relationship. It is this wisdom that underpinned the FSA’s retail distribution review (RDR), launched in 2006 to enhance consumer confidence in financial advisers.

One perhaps unintended consequence of the RDR was a reduction in the number of IFAs, put by some sources at up to 20 per cent. This has made it even more imperative for fund managers to know who the customers they now have to deal with directly are – something the new data rules ensure.

The requirement under the GDPR for companies to understand what personal data actually is has implications for how they conduct erasure and approach data profiling and portability, but also offers opportunities.

That is because in order to comply, companies must start by knowing their data. They need to know where all their data repositories are, what data they hold, and how it is being used – a process greatly aided by specialists who help companies audit data.

While this can be seen as a form of stock-taking, it is also a way of unlocking value: an audit can identify which data is useful and how a company can best leverage its value, rather than being seen as yet another ‘cost of compliance’.

While some will be frustrated by rising compliance costs, weighing these against the risk of hefty fines and reputational damage makes the choice a no-brainer.

Perhaps the most important opportunity offered by the GDPR is the prospect it holds for consumers of a new, if unstated, “right to be respected”.

The new framework apparently replaces the right to be forgotten with a more limited right to erasure of personal data by a data controller in certain situations. An individual will be able to contact a company and ask it to wipe data, making it imperative for businesses to ensure they can manage this process.

But is the much vaunted “right to be forgotten” such a credible instrument – indeed, do most consumers really want to be forgotten?

In many cases the answer may well be “no”, because what consumers want above all else is to be respected. They only want to be “forgotten” if the companies they engage with, and which therefore hold their data, do not respect that information.

Individuals often opt for data to be erased either because they do not fully understand how it can and should be protected by a brand they engage with, or because they have had a bad experience with that brand.

But is wiping it really going to enhance their experience? Clearing a cache on a web browser, for example, may offer advantages in terms of privacy – but can be frustrating when you have to spend time searching for familiar websites. Removing cookies is all well and good, but when strange advertisements are served up it is a different prospect.

Businesses that engage with the GDPR positively can interact far more effectively with consumers who want nothing more than to be respected and this, in turn, can foster a more ambient culture of respect for consumer data, avoiding the very need to be “forgotten”.

A huge amount of work has gone into shaping the GDPR into a positive tool which, if understood and embraced fully, offers companies a real opportunity to create value from data.

There will be a cost of compliance, debates over personal data will continue, and the GDPR will never assuage the concerns of everyone. But the bigger prize could ultimately be this new culture of respect for personal data.

Ruaraidh Thomas is managing director at DST

Key points

The right to be forgotten has important implications for financial services by broadening the legal recognition of a data controller

The nature of the relationship between data controllers and data processors is evolving as well

Individuals often opt for data to be erased because they do not fully understand how it can and should be protected