Here Craig Naylor-Smith, Managing Director of Parseq, explains why financial services businesses cannot afford to stay complacent with the prospect of GDPR fines lurking over their shoulder.

In July, the Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39m following a cyber-attack that exposed the details of almost 500,000 customers – the first fine to be publicly announced under the GDPR. The very next day, the ICO announced a second prospective fine of £99.2m against Marriott International following its own hack.

For those in the financial services (FS) sector, the ICO’s actions will have been a reminder of the consequences GDPR non-compliance can bring. Under the legislation, businesses can be fined the equivalent of up to €20m, or four per cent of their global turnover, whichever is greater.

The wealth of personal data held by FS firms of course means that the sector will be under particular scrutiny from both the regulator and the wider public. Yet, our own research has shown that many in the sector have struggled to handle a rise in personal data access requests from their customers and employees in the year since GDPR came into force – a situation that could put them at risk of feeling the ICO’s sting.

Challenges ahead

Under the GDPR, individuals can submit data access requests to receive a copy of personal data organisations hold on them and information on factors such as why their data is being used. They can also request that their personal data be erased. In most cases, organisations must respond within just one month.

Our research – conducted just after the GDPR’s first anniversary – found that more than two thirds (68%) of UK FS companies have seen a rise in data access requests in the year since the GDPR’s introduction in May 2018.

Of these, almost nine in ten (85%) had faced challenges in effectively responding, citing cost (57%) and complexity (48%) as their primary barriers.

Alongside these factors, more than a third (35%) pointed to a reliance on paper documentation as an obstacle.

With this in mind, a potentially effective solution for the sector as it addresses its compliance challenges could be found in greater digitisation – ensuring that the paper documents they hold containing personal data are digitally accessible.

Steps for success

The FS sector has always been quick to adapt to consumer demand for digital solutions and capitalise on the opportunities that digital technologies can offer.

Despite this, we found that only five per cent of financial services businesses had digitised all of the paper documentation they held in the year after GDPR’s introduction – a situation that hasn’t improved from the 12 months before. When asked why not, our respondents most commonly cited complexity (39%) and a lack of time (37%).

While these issues are understandable, they should be carefully considered in relation to the benefits that digitisation could offer.

Digitisation can help firms access personal data more quickly as and when it’s needed, helping to improve overall response time – an important factor given the GDPR’s time constraints. Meanwhile, investing in technologies such as automated scanning and data capture systems can help reduce time spent on administration, freeing up valuable staff resources for other tasks.

And there are options to sidestep the issue of complexity. At Parseq, we deploy cutting-edge technologies such as optical character recognition and Robotic Process Automation (RPA) to digitise 25 million paper documents every year for our clients. This can help them build secure, searchable online archives of their documentation, enabling them to be on the front foot when it comes to quickly accessing and managing their documentation while offloading complexity to us, and offering savings in terms of cost and time.

GDPR is now firmly bedded in, and the UK’s FS businesses must act to ensure that they are fully able to comply. Reducing a reliance on paper documentation through digitisation can help them respond more effectively to data access requests, ultimately reducing the risk of incurring the ICO’s wrath and being slapped with a heavy fine.