In the age of the smartphone, we all live online. The emails and texts you send, the news and entertainment you consume, how you get from A to B, and your shopping and banking habits all exist somewhere in the Cloud. Companies that can harness this information have the world at their feet. By analysing your data, they know what you want before you want it – and can profit handsomely by serving it to you.
Life online has many upsides. But there’s a growing concern and unease that we don’t know where our data is, who has access to it, whether it’s adequately protected, and what it is being used for. We’re all too used to being contacted by a stranger in a call centre who has purchased our name and address on the internet, and is eager to help us with a PPI claim. Unfortunately, data protection seems to be an afterthought for some companies.
The longevity of data on the internet also raises plenty of issues. Do we still want that embarrassing comment we made on social media when we were a teenager to be visible when we’re applying for jobs? What happens to data when someone dies? Can their family insist that their Facebook page is taken down? Society is only just getting to grips with these sorts of challenges because they simply didn’t exist in the past.
So, what's the solution?
To bring data protection into the 21st century, the European Commission has created the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018. GDPR will regulate how businesses and other organisations collect, store, protect and use the personal data of European Union (EU) residents. Its overall aim is to wrest control of the estimated 2.5 quintillion bytes of data generated every day away from the internet giants and give it back to you.
GDPR will replace the Data Protection Act 1998 (DPA), which was precipitated by the European Union (EU) Data Protection Directive 1995. These rules are around 20 years old – in other words they come from a time before websites and mobile phones became ubiquitous.
Designed with the digital age in mind, GDPR will help regulators overcome many of the challenges they currently face in tackling data privacy issues.
What does it mean for me?
To be honest, you’re unlikely to notice GDPR’s benefits on May 25 next year when it comes into force. But that doesn’t mean things won’t have changed. In short, GDPR will give you control of your data. It recognises explicitly that you own information that relates to you. Any information that can be traced back to you – including your IP address when you’re surfing the web – will be protected. That means you’ll be able to request to see it and will have to give permission for it to be used.
GDPR affects all kinds of organisations that handle customers’ data, from high street stores to global internet retailers and village schools to public sector agencies that hold millions of individuals’ data. It also doesn’t only apply to European organisations. For example, any company that interacts with EU residents – from anywhere in the world – has to give you control over your data.
What’s more, while GDPR is an EU initiative, we’ll still get its benefits after Brexit. The government has said it will continue to apply to the UK and has incorporated it into domestic law.
Will GDPR be tricky for companies?
Some observers describe GDPR as a monumental shift in data protection. But in reality it builds on the principles established by the DPA: it’s an evolution not a revolution. Implementation will still be challenging for some companies though.
One main point of difference in the new rules is an emphasis on accountability. Companies and other organisations will have to prove they are in compliance and show they are looking after your rights; in the past they only got in trouble if things went wrong and data was misused or poorly protected.
The other change is that the GDPR has teeth compared to the DPA when it comes to sanctions. Currently, companies can be fined up to £500,000 by the Information Commissioner’s Office (ICO), which enforces the DPA, though in practice its highest fine to date is £400,000.
Under GDPR, the maximum penalty is €20 million or 4% of annual global turnover – whichever is higher. The risk of non-compliance should be sufficiently high to ensure all companies pay closer attention to your data than they might have done in the past.
What should my bank be doing?
Banks are just one of the types of organisations that must comply with GDPR. However, as a prolific generator of data, the banking sector is likely to be particularly affected.
For some traditional banks, the priority is simply discovering what data they hold, and where it is. They can’t keep your data up to date and establish whether they have a legal right to hold it if it can’t be located in the first place. It might sound unlikely that banks don’t know what information they look after. But just think about the number of occasions you’ve been transferred from one customer service adviser to another, only to have to answer the same security questions again, and explain your problem or request from the start.
Large banks often operate dozens or even hundreds of systems – some stitched together in an ad hoc way, others operating on a standalone basis – and use thousands of different file types. Often, this IT patchwork stems from past acquisitions; banks have taken the path of least resistance and maintained legacy systems rather than migrating them to a new system. GDPR may cause banks to regret not integrating them sooner.
Not all banks are like this. Starling had the luxury of creating systems from scratch at a time when the requirements of GDPR were emerging. Consequently, it hasn’t been necessary to re-think our approach to data collection, storage and use. The GDPR principles of privacy by design and default (which were not present in the DPA) are hardwired into all of our interactions with you and your personal data; full compliance will therefore be significantly more straightforward for Starling than for some other banks.
Why the geeky details matter
It’s not just the location of data that some banks will have problems with when addressing GDPR. Often there are ambiguities within banks about whether certain types of data should be encrypted or not. Similarly, it’s often unclear who in the organisation is permitted to access particular categories of data: GDPR will require these uncertainties to be clarified and codified so that compliance can be proved.
Another challenge for some banks will be their contracts with third parties such as other banks, fintech companies or data storage or processing firms.
Contracts with these partners should incorporate language that reflects the requirements of GDPR. In practice, this will prove impossible before May next year. Nevertheless, all banks will need to put in place a rolling programme of contractual updates. Overall, GDPR will create an enormous amount of work and comes at a time when the industry already faces numerous other regulatory costs relating to initiatives such as PSD2.
If all this sounds a bit geeky – then it is. But it also matters to banks’ ability to look after your data properly. Some banks have the benefit of having been created in the digital era. While Starling Bank was not structured specifically with GDPR in mind, giving customers control of their data has always been at the heart of our business model.
As a customer, you get to decide what you want to share, and with whom – and you can change your mind whenever you want. Our open banking approach and APIs have already allowed you to save and invest more easily by seamlessly linking you with Moneybox: you’re in complete control of how your data is used; we’re simply here to scour the world seeking the best opportunities and to facilitate your choice.
Watch this space
The debate around data is changing: media (and social media) coverage of internet heavyweights is notably less fawning than in the past. People are recognising that data has a value, that misuse has serious implications, and that personal information should remain private.
This trend is only likely to accelerate in the future: we think personal data is likely to be one of the pivotal issues of the next decade. We welcome the fact that people are starting to talk about data. And we’re working hard to explain what GDPR means for you and why we believe it’s fundamentally good news for everyone.