After a winter season of Aussie/Irish and multiple other types of flu and cold hitting productivity, we now have a new epidemic gripping European companies – and even governments – in the spring of 2018: GDPR panic. Apparently of the EU nations only Germany and Austria are likely to have the required infrastructure and regulations in place for the 25th May deadline, with the other 26 caught like mad March hares in the headlights of this approaching juggernaut. To mix animal behavioural metaphors, has everyone had their heads buried in the sand since May 2016 (when the regulation actually came into force, with a 2-year grace period) hoping it would go away? Heads are now fully extracted and it’s still there.
One sector that is likely to be caught with its trousers down is banking. It seems likely that hardly any banks will be compliant in time. A senior lawyer at HSBC has complained about lack of clarity in the GDPR wording – or rather that the law couldn’t possibly mean what it says, so please could the ICO clarify what was actually going to be enforced.
One big problem for banks is that they have personal data stretching back years, much of it gathered without the stringent process required by the GDPR. To “repaper” this (i.e. to go back to the data subjects and request consent and/or inform the data subjects in a GDPR-conforming way) is entirely unfeasible. Some of this data may be necessary for the performance of contracts with data subjects or for the banks’ “overriding legitimate interests”. (If they can successfully argue that if either of those cases apply, then consent may no longer be required, albeit that the data subject must be still informed of the processing.) But potentially some data is only kept so that money can be made from targeted marketing to customers and ex-customers. The banks will have a much stickier wicket defending that use. They may therefore have to flush this lucre down the toilet. “Boo-hoo!”, thinks the man-in-the-street, still smarting from the unfairness of the cold he caught from the banking sector’s “sneeze” in 2008. “This is exactly the sort of of abuse of data that GDPR is designed to protect against.”
There may even be problems with using the data for overriding legitimate interests, if that use includes automated decision-making (ADM) (e.g. to judge creditworthiness). It seems likely the financial sector uses ADM since it has been an early adopter of big data methods that can, for instance, potentially decide that you are a poor risk from the speed at which you type into an online application form. Even basic credit risk profiling by postcode could count as ADM. GDPR has scary teeth when it comes to the right of data subjects to challenge such profiling.
Finally, many banks are struggling with legacy systems which are hard to access, and a customer’s data may be distributed across many systems. As well as making it extremely difficult to audit personal data, it will make it very difficult to respond in a timely manner to a request from a data subject to know what data is held on them, let alone a request to erase it.
This could all mean a world of pain for the sector. The headmaster’s cane on the wall is a potential fine of €20M or 4% of annual worldwide turnover, whichever is the greater, as well as a potential injunction to delete all personal data in possession of the company. We’re not talking “Tickler”! Fortunately for the banks, the ICO (the English “supervisory authority” handling the enforcement of GDPR) is in line to be a merciful god, at least initially. ICO senior technology officer Peter Brown has said, “We’re not going to bang everyone’s door down on 26 May, saying, ‘Give us a cheque for 4% of your annual turnover.’ But it is an opportunity to put in place the right data protection practices and those that get it right will benefit.” Furthermore, the ICO have stated that repapering of existing consents may not be necessary. French and German authorities however are lining up to be less than friendly so who knows quite what will transpire, given the spaghetti of clauses in GDPR aiming to ensure that implementation is harmonised across Europe.
Maybe the banks’ best hope is that the enforcement agencies of those 26 EU states will simply not be ready by the deadline either.
Disclaimer: This article is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. It reflects the views and opinions of its author and not of the company as a whole.