IT 
ES 
Everyone has seen the impact of GDPR. Businesses have completely reviewed their data protection and privacy practices, and countless hours have been spent getting them up to scratch before the deadline hit. For banks though, GDPR isn’t the biggest risk to brands. This isn’t to understate its importance – banks should absolutely be taking the legislation seriously – but GDPR is representative of a larger change in consumer attitudes to data. As such, banks should have already evolved their practices, in the interests of maintaining a customer base that trusts them and reducing the risk to their business.
55% of British people trust banks according to a YouGov survey late last year, which is higher than any other European country, although there is an underlying cynicism about whether they act in consumer best interests. However, there are some warning signs on the horizon, data is fundamentally a trust issue, and a recent survey by Vertias found that consumers are most likely (56%) to target banks with personal data requests post-GDPR.
There are many aspects of GDPR to consider, but we wanted to look specifically at Article 5, which establishes requirements behind personal data. Below we’ve looked at each of these elements and explored how they make sense from a purely business practice perspective.
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
Data concerns are front of mind. 49% of consumers don’t believe that businesses care about their data privacy. This becomes even worse when examining financial institutions, trusted by only 32%.
Banks need to give consumers a reason to change their mind, and to do this banks must be forthcoming with how they handle data. It’s essential that banks are being open about how you use data, what you keep and why you keep it.
No longer can you just hide behind infinite terms and conditions or privacy policy pages. You need to provide a way for consumers to easily understand the implications for them and their data.
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
These two points both discuss the relevancy of data. Banks should only be collecting data that they have a specific need for. Beyond the legislation, there are two other factors.
Consumers are becoming more protective of their data, so if you are asking for additional and potentially unnecessary information you’re increasing the risk that the consumer will refuse to oblige, or worse – refuse to become a customer.
The other reason is a matter of best practice. Data is only useful if its clean and is able to be analysed. While it can be tempting to collect as much data as possible, it’s more important that you can use it for insight or action. For instance, WWS Customer Management uses data to create more efficient bank branches that shorten queue times and help advisors provide better service. As such, banks need to ensure they are collecting only the data they require.
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
It’s quite scary how much inaccurate data there is. Much of it is still being used to make marketing and business decisions. A Deloitte study from last year found that “only 29% of the data on these consumers as a whole was more than 50% accurate.” That’s an incredible statistic, and one that shows that data must be looked at closely before you take any significant actions off the back of it.
If it’s not accurate, or you’re unsure – delete or rectify it immediately.
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
It can be tempting to keep customer data even if they’ve closed their account with you. You may believe that you can win them back, and therefore you need to continue to communicate to them. However, this needs to be considered carefully – there’s a thin line between helping and hassling.
Be reasonable with this data – and regularly evaluate engagement rates. It might be time to let go, and it might save your brand’s reputation in the long run.
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
This is an incredibly important point and revisits the earlier point on consumer trust. Trust is already low for financial institutions, and if you haven’t taken the necessary precautions you’re putting the entire company at risk, as well as the finances of countless individuals and businesses.
GDPR is having a profound effect on our industry – but through following its requirements you may find that it brings many opportunities with it. You just have to know how to make use of them.
