The clock is ticking and there are less than 90 days before the General Data Protection Regulation comes into force on 25 May. For risk managers, there is absolutely no time to waste.
Many in-house risk professionals working within financial services are most likely ahead of the game. They will have conducted rigorous training sessions and are feeling confident that their firms are ready for this landmark piece of legislation that has been adopted by the UK despite Brexit.
But is there any additional work they should be doing in preparation? One important issue that is becoming increasingly apparent relates to consumer awareness. To date, much of the compliance preparation is likely to have been inward-looking, in terms of making sure there is sufficient employee understanding, in studying FCA and ICO briefings and perhaps in working with regulatory lawyers and compliance consultants to ensure the business is ready.
From multinationals to sole traders
But, what might take some by surprise is the growing knowledge amongst the general public. Did risk managers realise that The Sun would run an article to provide a guide to GDPR, for example? The message was that although the GDPR may be aimed more at large organizations such as Facebook, sole traders such as plumbers and window cleaners could face crippling fines if they do not follow the rules on data privacy.
So rather than firms just expecting their customers to agree to be blasé about having their data used for marketing purposes, there could be far higher numbers saying they have concerns about what information is held about them and more than expected could say they want to exercise their right to be forgotten.
A consumer confidence and attitude tracking survey called The QT and conducted by media agency the7stars questioned around 1,000 people to find out their views on GDPR and came up with some interesting findings, which should also make businesses sit up and take notice. These included:
- 58% of consumers see the GDPR as a positive step forward
- 58% also say they are not clear exactly what data is held about them
- 33% plan to take advantage of their right to be forgotten
- 19% said they were confident their data was being used responsibly
- 27% said they did not really know what GDPR is and how it affects them
- 75% believe there is a role for government to make GDPR clearer
This suggests that although many are not totally clear on GDPR, they are likely to have some idea and where their data is concerned; they want firms to take a hands-off approach.
If a third do follow through and say to financial services firms, for example, that they want their data deleted, then this is going to have serious repercussions. What is more, the rules mean that historic customers cannot be contacted unless prior consent has been obtained and this is again going to be bad news, not least for insurers.
Pushing up insurer costs
In fact, one analyst – Consumer Intelligence – claimed that home and motor insurers could face an estimated £100 million bill because of the need to obtain explicit permission from customers old and new, to store their information.
So, the options are to either invest in a time-consuming exercise to resolicit the data or instead to rely on business coming through price comparison websites, which will hike costs for insurers considerably. Meanwhile Consumer Intelligence said its research found only one in three drivers were likely to give their permission for their data to be stored by an insurer.
The fact of the matter is that GDPR is going to result in far more consumers having at least some knowledge about their data and to become more careful about its storage and use. It is also going to push up the value of data, making it a scarcer commodity and those companies who fail to be compliant, will become known for all the wrong reasons.
Great service and deals, rewards for loyalty and being totally committed to security are likely to engender trust, and mean that plenty of customers will have no qualms about allowing their data to be retained. This is clearly the route to take, but while the best-prepared firms will adapt, there is no doubt that GDPR also means a new reality for all.