The General Data Privacy Regulation is a new regulation for the digital age. Any organization with a single European Union customer will be subject to the most sweeping individual data controls in history.
If there’s a silver lining in this sweeping new regulation, it’s that GDPR is inadvertently presenting issuers with the chance to shore up their data management practices.
Implementing tools like data hubs can ensure that global organizations give all employees the 360-degree view of customer data they need to excel in the digital age, whether that means using big, clean, clear data to perfect new marketing campaigns or discover hidden cross-sell and upsell opportunities.
That’s the ultimate irony of GDPR: the biggest data privacy regulation in history is not algorithmic, numerical, or financial, but purely people-related.
In one sense, GDPR is business as usual. For over two decades the EU has been the strongest global advocate of customer data privacy, having established the Data Protection Directive in 1995. And recently Brussels has not hesitated to fine U.S. tech behemoths for European operations that skirt data rules.
But GDPR, with notorious provisions like Article 17, the “Right to erasure,” otherwise known as the “right to be forgotten,” sets a new standard. In essence, it’s an attempt to strike the optimal balance of power between business and customer. Implicit in it is an understanding that, in today’s world, the most valuable asset in any transaction is customer data.
This is something FIs intuitively understand. Their core element is customer data, in the broadest sense: They collect IP addresses that surf their websites and capture detailed information about individual ATM transactions.
But whether they consider a dataset a marketing and analytics tool or the most sensitive piece of information in the organization, they have always controlled that data. When they’ve been beholden to anyone, it’s been the government. And now the government is making them accountable to their customers.
With that in mind, it’s necessary to take a step back and think through the implications of GDPR.
One reason that “erasure” has gotten so much press is that it embodies the spirit and soul of GDPR at its most intense: that a person owns their data. Asking a bank to erase it is simply the farthest end point along the chain of new rights.
A typical EU citizen who wants to explore their new GDPR rights might say to their bank, “What do you know about me?” forcing the bank, on demand, to quickly scrape its systems for every last bit of information it has ever captured and stored about the customer.
To comply, the bank would not only have to say which data it has and where it lives; it would also have to tell the customer about it and potentially give the customer a copy of it (Article 15, “Right of access by the data subject”) in a widely accepted machine-readable format (like a JSON or CSV file). a deeply entrenched, long-term customer to easily take their business (and banking history) to another financial institution.
Of course, customers can’t just demand that erasure occur that moment. For instance, GDPR wouldn’t supersede a Bank Secrecy Act provision that requires a U.S. bank to keep some records for seven years. And most customers won’t take these steps without a decent reason.
But issuers need to be ready for any customers who show any interest in any personal data. Imagine, in a pre-GDPR world, a client of two decades who is thinking about switching banks. One deterrent might be the hassle of obtaining and transporting years of transaction history.
In a GDPR world, Article 20, “Right to data portability,” removes the barriers. If customers want to transport their information, their bank must, in a reasonable period of time, furnish them all their pertinent account data for the express purpose of the customer taking that data to another organization—i.e., a competitor—to start new history.
This is particularly worrisome for issuing banks whose business relies on building personal customer loyalty over time. For most financial institutions, a customer is profitable only when they have three or more products with the bank; newer digital banks in particular need lots of customers to turn a profit. Institutions might lose money on checking accounts but profit when those customers take out a loan. The old regulations gave issuers an advantage in establishing customer loyalty. The new ones bring new challenges.