GDPR affects all kinds of organisations that handle customers’ data, from high street stores to global internet retailers, and from village schools to public sector agencies that hold millions of individuals’ data. Nor does it apply only to European organisations: any company anywhere in the world that interacts with EU residents has to give you control over your data, for example.
What’s more, while GDPR is an EU initiative, we’ll still get its benefits after Brexit. The government has said it will continue to apply to the UK and has incorporated it into domestic law.
Will GDPR be tricky for companies?
Some observers describe GDPR as a monumental shift in data protection. In reality it builds on the principles established by the DPA: it’s an evolution, not a revolution. Implementation will still be challenging for some companies, though.
One main point of difference in the new rules is an emphasis on accountability. Companies and other organisations will have to demonstrate that they are compliant and show they are looking after your rights; in the past they only got into trouble if things went wrong and data was misused or poorly protected.
The other change is that GDPR has teeth compared to the DPA when it comes to sanctions. Currently, companies can be fined up to £500,000 by the Information Commissioner’s Office (ICO), which enforces the DPA, though in practice its highest fine to date is £400,000.
Under GDPR, the maximum penalty is €20 million or 4% of annual global turnover – whichever is higher. The risk of non-compliance should be sufficiently high to ensure all companies pay closer attention to your data than they might have done in the past.
What should my bank be doing?
Banks are just one of the types of organisations that must comply with GDPR. However, as a prolific generator of data, the banking sector is likely to be particularly affected.
For some traditional banks, the priority is simply discovering what data they hold, and where it is. They can’t keep your data up to date and establish whether they have a legal right to hold it if it can’t be located in the first place. It might sound unlikely that banks don’t know what information they look after. But just think about the number of occasions you’ve been transferred from one customer service adviser to another, only to have to answer the same security questions again, and explain your problem or request from the start.
Large banks often operate dozens or even hundreds of systems – some stitched together in an ad hoc way, others operating on a standalone basis – and use thousands of different file types. Often this IT patchwork stems from past acquisitions: banks have taken the path of least resistance and maintained legacy systems rather than migrating them to a single new platform. GDPR may cause banks to regret not integrating them sooner.
Not all banks are like this. Starling had the luxury of creating systems from scratch at a time when the requirements of GDPR were emerging. Consequently, it hasn’t been necessary to re-think our approach to data collection, storage and use. The GDPR principles of privacy by design and default (which were not present in the DPA) are hardwired into all of our interactions with you and your personal data; full compliance will therefore be significantly more straightforward for Starling than for some other banks.