SDL GDPR Blog

Welcoming GDPR to the Shard

It’s not very often that you get to hear the views, and insights, from brands – particularly those in financial services – on some of the big challenges facing their industry. Last week I had the opportunity to do just that when I joined a panel of leading experts across the financial world to discuss a range of topics associated with the upcoming General Data Protection Regulation (GDPR); how it impacts their business and what financial brands need to consider.

The event, “Mitigating the Risks of GDPR Compliance,” was attended by an exclusive group of financial professionals involved in security and compliance. The panel itself featured Steven Light, Head of Digital Content and Channels, Coutts; Theresa Farrenson, Technology Business Partner, AON; and Vanessa Barnett, Consultant Solicitor, Keystone Law.

Setting the Agenda

Opening remarks from SDL’s CEO, Adolfo Hernandez, outlined the challenges facing businesses today. “We now have access to more processing power in our pockets than ever,” he explained. “With a click of a button we can order almost anything.” He went on to highlight how this is shifting the game for so many industries. And financial services is not alone.

People no longer carry lots of cash. eCommerce and mobile payments are changing everything – and this means financial brands need to engage with customers in exciting and new ways. They need to act like retailers.

Although this is the right approach, it also opens a host of challenges, particularly around security and compliance. Brands are having to undergo enormous digital transformation projects, using their wealth of content and knowledge to engage with consumers in digital ways.

But content – and ensuring its security and governance – is the Achilles heel of any big digital transformation project. Take a look at the recent Equifax story as an example. We now live in a world where consumers are in control. The upcoming GDPR regulation has huge potential to damage brands like never before.

Education, Education, Education

Companies spend millions on security – especially in the financial services industry, which faces some of the toughest regulations. As Steven Light, Coutts, points out, “brands need to be extremely careful with what they’re doing with customer data. You can spend millions on security but it can all mean nothing if one employee unknowingly makes a mistake. Something like 20% of mistakes are human errors.”

Traditionally, banks simply budgeted for fines. That’s no longer possible when 4% of revenue is on the line. It’s now about education and prevention.

Who’s Responsible?

Panelists were asked who, within the organization, should be responsible for GDPR compliance. Vanessa Barnett, Keystone Law, tackled the issue first, explaining that – for the past 15 years at least – brands have been “smashing together their IT systems and IP.” They’re left with a mix of old and new. Panelists agreed that brands are continually having to evolve systems to deal with regulations, and that content is rarely thought of when it comes to compliance.

Vanessa explained how it’s fundamentally an IT problem. “In order to be GDPR compliant, you need to understand the processes behind content – where it sits at all times.” However, it appears to be largely a cross-functional issue. I pointed out that not all of this is internal – there are so many teams and translators now involved externally on content. It all needs far more collaboration.

Security at the Core

The panelists were asked about PII levels of security, and how its scope of change is impacting the industry. Theresa Farrenson, AON, explained that “generally the insurance sector is very good at security.” They’re trying to get into exciting things like biometric security, and working out how to present customer information in a secure way. The panelists discussed how cloud technologies no longer hold the stigma of five or ten years ago. But businesses need to understand where their provider holds their data, at all times. Brands need to have security at their very core.

The conversation quickly turned to transparency. As Vanessa explains, “People aren’t sure how transparent they should be.” Theresa singled out Tesco as a shining example of a business with complete – almost too much – transparency. “A quick look at their web page outlines everything they do with your data.”

Be More Creative

Vanessa – who admits to carrying a copy of the 140-page GDPR report – explains that at its very core, the regulation is about protecting humans. “That’s very different from other regulations and gives you plenty of creativity. Think about GDPR as if it’s your foundation level. You must have a lawful basis for contacting them, you can’t just keep spamming.”

Steven explained that within his marketing team they’re putting customers at the core of everything. “If we’re going to send an email to a customer, we always ask ourselves whether they want to receive it. Never forget there’s a customer at the end of that piece of communication.”

Vanessa agreed. “If you can document and show your argument, why it’s necessary to contact them, and actually how you’re protecting their rights – balanced with your own reason for contacting them – then you’ve overcome your main hurdle.”

All the panelists agreed: rather than being a hindrance, GDPR offers huge opportunities if you strike the right balance. Panelists were then asked how to address this balance at pace, when you’re undergoing a significant transformation and you’re hampered by legacy systems. The cloud – and all the agile benefits it offers – naturally followed as the potential answer.

Is Cloud the Answer?

Advances in cloud technology, of course, make digital transformation easier. Everyone on the panel agreed that the cloud is now a trusted, mature technology. The financial industry’s perception is very different than it was just a few years ago.

However, as Vanessa explains, looking at data privacy credentials among suppliers was historically a tick-box activity. “Of the 20 hours now spent negotiating contracts, about 15 is spent negotiating privacy elements. Data custody is the big challenge with cloud suppliers.”

Brands, it seems, want an indemnity for the full level of the fine at stake. They also need to know where their data’s hosted, at all times, with a complete and real-time audit trail.

These were just some of the many topics we discussed during the session. I’ve been working in the industry for more than 15 years, and it still gave me some thinking to do about just how ready businesses really are. Over the coming months I’ll be going into each area in more depth, providing more insights from these discussions that will help you get ready for a post-GDPR world.