Don’t panic, it will all be fine
We’re in new territory, or we will be eventually. When we first all started to hear about GDPR, it came into public discussion surrounded by very heavy ultimate deterrents; everyone was brought up short to hear about the size of the fines, sending out bad vibes and not an inconsiderable ruffle of activity. Rightly so, who wants to face having to fork out 4% of their global annual turnover? There was something of a fear factor in play and a feeling that fines were going to get issued all over the place.
Now we’ve all had time to consider rationally what the impact will be. Slowly, but surely, most financial institutions have been making their plans. The panic is over. The fear has gone. Now that the fanfare for GDPR has ended – the first phase, the new beginning, the search for true facts about likely outcomes and essential strategies – the banking sector will move into the second phase.
New strategies will emerge to embrace data protection as a central value in a bank’s value proposition. In searching to gain the business advantage from GDPR, banks will become masters of managing data. They’ll want the world to know. A responsible approach to managing data, particularly with Open Banking and the use of APIs, will enrich the customer experience as customers grow to understand why it should, and how it can.
Do customers think in terms of ‘customer experience’, or is that just marketing terminology? I think they probably do. I am one. We’re all one. Customers know when they get great service or indifferent treatment, superior proactivity or apathetic inactivity, something that makes them feel special, or something that makes them vow never to return. They get it. We get it.
The data imperative has always been with us
Data, and how we obtain it, store it, manage it, and leverage it for business benefit, is growing in direct proportion to the ceaseless forward momentum of the technologies that serve it (or enable it to serve us) and the increasing sophistication and effectiveness of the threats that go along with them.
You can assume that around 70-80% of the thrust of GDPR, and certainly the bulk of the ‘spirit’ of the regulation, was already there in 1995, in the Data Protection Directive of the European Parliament:
I saw an article on Risk.net that stated that… “GDPR represents the biggest overhaul of European data privacy law for 20 years. It replaces the existing Data Protection Directive, brings in new rights for consumers governing how their data is stored and used, and enshrines in law the ‘right to be forgotten’. Where firms suffer a data breach, for instance as a result of a cyber-attack, they will be required to notify their regulator within 72 hours – something authorities hope will remedy current under-reporting of cyber breaches.”
Doing the right thing
The context to draw from such writings is two-fold. Firstly, that regulators are acting in the best interests of the citizen; GDPR is about protection, not about bureaucracy gone mad or finding clever ways of making big money from big business. Secondly, that if companies make their best efforts to comply with the spirit of the law they are not likely to fall foul of it. The fines are there to initially deter, and only ultimately punish, organisations that are found to repeatedly neglect, abuse, or remain ignorant of, the legislation (remembering that ignorance is no defence in the eyes of the law).
Banks are now taking GDPR in their stride mainly because most of them have been doing the right thing; doing what is expected and (reading both on and between the lines) what is mandated. They have taken steps in the right direction. The optimum strategy is to assimilate responsible protection of data into the customer experience to deliver great service, superior proactivity, and something that makes customers feel special. Data is at the heart of the new customer experience.
In doing the right thing, banks have been seeking the advice of experts, of whom I am proud to count DXC as being in the vanguard, and making appropriate preparations. They will not be fined if they are seen to be on the journey. The regulators will not rush to fine. They will talk about breaches if they’re informed within 72 hours. If an organisation has done what was required, it will not be fined for the one that got away.
Two objectives in the light of GDPR
The optimum strategy for any bank is to be ready for what it needs to be ready for. This may sound obvious, but it’s an important mind-set if one is to avoid the fear factor and avoid over-investing in areas that may initially be peripheral (possible judged as ‘nice to’, rather than ‘must’ haves). It’s a case of fighting the right battles; these are the ones you have no choice other than to fight, but they are also those you can enter with the greatest likelihood of victory.
There are two focus areas, two groups a bank must keep happy: the customer, and the FCA. To the first a bank needs to show care, responsibility, and trustworthiness; to the second it needs to show that it has control. This control can be demonstrated, and exercised, with minimum infrastructure change or investment to instigate the controls and show that a bank is paying attention to what it is required to pay attention to.
With GDPR ticked off, what’s next?
Personal data has been officially acknowledged as sensitive and valuable for at least the two decades since the Data Protection Directive. It will only become more so from here on in. Personal data is a commodity that will increase in value with the advent of payment service providers (PSPs) heralded by PSD2. How can banks therefor gain an advantage from these trends?
I’d suggest that the key lies in trust. This will go to the heart of the improved customer experience, right there alongside the importance of data. Trust is bound up with security. On this topic, I suspect the threat universe is about to expand.
More, more, more
GDPR, PSD2, and open banking will all contribute to increasing vulnerabilities. More data will be flying around in more places between more organisations. Even though it will be subject to more regulation, it will still be subject to more potential exposure, proliferating entry points, and fresh and challenging attack vectors.
With any step forward comes new threats. Even though the changes in play now with PSD2 are designed to create more choice, they will bring more vulnerabilities. This is technology as it progresses. Mobile banking, for example, has made banking so easy for people; it’s smart, convenient and relevant to lifestyles. At the same time it brings greater exposure, millions of endpoints, and increased likelihood of picking up keylogger trojans.
If trust is essential to the customer experience then robust security is quintessential. Managing data is only going to intensify. The two converge; more data means more protection. More data also means more business opportunity. I was going to say it’s a fine balance, but it’s not. It’s the only way forward; embrace the data, embrace GDPR and make sure your security is never one iota less than the best it can be. If trust goes from a bank, what’s left? If trust carries on getting deeper, there’s everything to play for.