Co-authored by Graham Thomson, Principal, Capgemini & Jeremy Gray, Managing Consultant, Capgemini.
“It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.” – Elizabeth Denham, ICO Information Commissioner
The EU General Data Protection Regulation (“GDPR”), undoubtedly the most important change in data privacy regulation in 20 years, came into force on 25 May 2018. Banks should by now have implemented their strategy, and failure to meet their obligations could result in huge fines.
Although most Banks have programmes in place to move towards full compliance with GDPR, many are waiting to assess the full impact of this change as the Information Commissioner's Office (“ICO”)(1) provides more guidance. Some believe there may be a bedding-in period for Banks that are still behind with their GDPR-compliant processes, and that Banks taking demonstrable steps to achieve full compliance may be given reasonable time to make the necessary changes. We think Banks should seize this period to move towards full compliance. This would help them avoid the very real risk of severely damaging negative press coverage, or of large fines, impacting their reputation and customer trust.
Capgemini Perspective on GDPR Maturity Levels
Many Banks are not yet fully GDPR compliant, and significant work remains to be done: not only to raise compliance levels but also to increase compliance maturity, and to bridge the gap between the preparedness of Banks and the expectations of individual customers.
A recent survey by Capgemini published in May 2018 found that 51% of Banks and 53% of Insurers are still lagging behind or are only partially GDPR compliant, showing there is still work to do.
Note: Based on executive responses to the question: “How ready is your organization for the GDPR? (please select one that applies to your organization) – completely compliant, largely compliant, partially compliant by the deadline, and lagging behind.”
Source: Capgemini Digital Transformation Institute GDPR Executive Survey, March–April 2018.
Furthermore, the survey indicates that even by the end of 2018, more than 26% of all companies surveyed will still not be fully compliant with the requirements, leaving them exposed to large breaches and fines.
Leadership & Culture
Human error is a significant source of data breaches, and Bank employees come into frequent contact with personal data at every stage of the data processing journey. As the consequences of a breach under GDPR are so much more significant, the human contribution to protection cannot be overlooked. Employees need much greater awareness of the importance of processing data lawfully and securely, of the behaviours they must adopt and of the rules they must follow, so that Data Privacy is embedded in staff culture and the Bank remains sustainably compliant.
A recent survey by Capgemini published in May 2018 shows that only 43% of follower organisations (organisations that are not fully or largely compliant with GDPR) have provided additional GDPR training to employees who handle personal data, and that only 33% of leading organisations are committed to ingraining GDPR into the DNA of their organisation.
Source: Capgemini Digital Transformation Institute GDPR Executive Survey, March–April 2018, 341 Leading organizations, 759 followers.
Sustainable Employee Culture
Employee attitudes to personal data handling must be strengthened. Banks must develop and nurture a sustainable culture in which the importance of keeping personal data safe is understood and acted on, data is used only for lawful purposes, and an appropriate level of security, such as encryption, is applied at every stage of processing. There also needs to be an entrenched culture of accountability that creates a climate of trust for colleagues and customers alike.
This could be done in a variety of ways such as:
- Involving employees from the outset and working collaboratively with them to design and implement the new GDPR procedures in their roles, according to principles they themselves put forward, so that they are brought on the journey rather than handed a finished process.
- Designing and delivering frequent, appropriate communications through a variety of channels so there is a Bank-wide understanding of what has changed and what is still expected.
- Personalising the GDPR learning for functions, grades and teams so that individuals feel valued and understand the importance of the changes and their own role in delivering them.
- Taking regular temperature checks by listening to employees on how the changes are being received by staff and customers, driving a real-time feedback loop that keeps employees part of the change and keeps the change sustainable alongside their other BAU demands.
New systems, processes and roles
Meeting the obligations of GDPR will mean that many systems and processes have to change, such as those that display Data Privacy Notices and gather consents, administer consumer rights, handle complaints and incidents, and share data with third parties. Staff, especially those who are customer-facing, must be fully prepared for the changes and know where to turn for help.
To meet the new obligations, the role of the Data Protection Officer (“DPO”) must be strengthened and should become full-time; for some companies, where the DPO role is currently a subset of one person's duties, this may mean recruiting additional staff and investing in training.
We have helped multiple Banks meet their GDPR responsibilities and integrate GDPR into the culture of the Bank so that compliance is sustainable. We believe it is critical to maintain the focus on moving towards full GDPR compliance, keeping damaging fines and sanctions off the CEO agenda.
(1) Information Commissioner's Office (ICO): The UK's independent regulatory authority established to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.