The European Union’s General Data Protection Regulation comes into force on 25 May 2018 and all member states are expected to incorporate it into their national laws.
GDPR is a data protection framework which is designed to extend the powers of the EU over companies which collect, store and process data about EU citizens.
The idea is to provide greater protection for citizens by holding companies more accountable for their actions.
GDPR covers many areas, including individuals’ rights to be informed, right of access, of erasure, data portability and so on.
One of the key aspects affecting companies is the requirement to store data about users within EU borders, rather than outside them, in the US for example.
This has led a number of companies, such as Zoho, to construct data centres within the EU in anticipation of the new rules.
Moreover, GDPR will probably mean that any data breaches will be made public almost immediately after they occur, rather than when the hacked companies feel it is judicious.
Banks and financial institutions are perhaps the most interested in GDPR since so many of them have operations across the continent and indeed the world.
Even the UK, which is planning to leave the EU, will see many companies complying with GDPR, but it remains to be seen how much weight a company's compliance with GDPR carries if the country it is located in is not part of the EU.
This sort of uncertainty is what might lead companies to avoid considering the UK as a place to build their data centres.
Nonetheless, the UK has one of the largest financial centres in the world – London. And if it wants to maintain that position it will have to do something to comply with GDPR even if it’s outside the EU.
Matt Hancock, the UK minister responsible for data protection, says the UK will mirror GDPR by introducing new laws which amount to more or less the same thing.
In answer to a parliamentary committee, Hancock said: “We are matching them [the EU and GDPR] rather than asking them to match anything new from the UK.”
This approach, said Hancock, will ensure the continued flow of data between the EU and the UK even after Brexit, which is a process that is taking place at the same time as GDPR comes in.
Hancock acknowledged the uncertainties. “The reason there are so many questions around data protection is that the EU is moving its own domestic law at the same time as we will be going through the Article 50 process. We have got to make sure that we look at the whole [of the data protection and privacy changes taking place].”
Banks and financial institutions – of which there are many in the UK – enjoy a “significantly higher level of trust” from consumers in the cybersecurity of their systems than any other sector, according to a report by Capgemini.
The study, The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer and More Secure, surveyed 7,600 consumers and over 180 senior data privacy and security professionals at banking and insurance firms in eight countries:
- the Netherlands;
- United Kingdom; and
- United States.
It found that slightly more than 30 per cent of bank executives say their organisations have made “strong progress” in implementing draft guidelines on GDPR, which include the requirement to make public any data breaches within 72 hours or face large penalties.
And while banks may have the trust of the people, the reality is that security is not 100 per cent guaranteed, according to Capgemini.
Mike Turner, global cybersecurity chief operating officer at Capgemini, says: “Consumers implicitly trust banks with their money and data, but this faith is rooted in a mistaken belief their provider can be 100 per cent secure.
“While banks are evolving to combat the sophisticated threat cybercriminals pose, public understanding of the threats and challenges remains low.”
Zhiwei Jiang, global head of financial services, insights and data at Capgemini, says: “When GDPR is introduced and all breaches are likely to be made public soon after they occur, many people will be in for a surprise.
“The introduction of GDPR legislation next year is a prime opportunity for business transformation for banks and insurers to become the digital fortresses consumers believe them to be.”