Rich Vibert, co-founder and CEO of Metomic, takes a look at the changes the UK financial sector will soon see and how banks can best prepare for them.

With headlines focused on the UK's plans to breach parts of the Brexit agreement, many key business discussions have fallen by the wayside. But, this begs the question: how are banks going to be protecting customer data? And, what data protection regulation is in place to govern this process as GDPR becomes inapplicable?

These are difficult questions to answer and require banks to unpick complex regulation and governmental disputes, before they can even start to implement the tools that will protect their customers.

Securing data privacy

Recent reports show that there’s room for improvement when it comes to the banks’ ability to secure data privacy. According to a Bitglass study, 62% of the data breached last year came from financial services, and with the increased risk brought by COVID-19, the prospect of what could happen to data collected and managed by banks is worrying. Furthermore, back in March, a report by Accenture showed that one-third of financial services organisations didn’t have the technical or personal resources to address privacy risks related to customer data. If these firms haven’t addressed this gap yet, they will simply not be prepared for Brexit and the risk that a potential last-minute change in regulations will pose.

Post-Brexit data protection: what is at stake

After investing two years of work to become compliant with the General Data Protection Regulation (GDPR), banks are understandably unwilling to start again. At present, once we are out of the EU, UK organisations will need to comply with regulation that is yet to exist. Thankfully, there is a large chance that the UK will incorporate GDPR principles into its own law, but uncertainty and confusion still remains. And should new local measures be implemented, banks will need to move quickly to become compliant.

After investing two years of work to become compliant with the General Data Protection Regulation (GDPR), banks are understandably unwilling to start again.

When it comes to data transfers with other European countries the rules will become stricter, adding extra layers of complexity for financial institutions.

As we stand, the UK government has already declared its willingness to reach an adequacy agreement, to maintain a free flow of data between the two regions. However, given the turbulent relationship with the EU, the agreement on such a deal is by no means a given.

Financial organisations also need to prepare for the possibility of a no-deal Brexit, with speculation that this could see companies sending their data to the EU next year and simply not getting it back. For businesses which heavily rely on constant transfers of sensitive data such as bank accounts and income, this is simply not acceptable. Unpicking the mess will require the investment of time and funds that many businesses can ill-afford.

The biggest loser: your customers' data privacy

While a potential headache for financial institutions, the UK’s lack of reassurance when it comes to post-Brexit data protection is even more detrimental to its own citizens. The government’s current track record for safeguarding people’s data leaves much to be desired. The recent admission that the UK track and trace system wasn’t GDPR compliant is just one example that has eroded citizens’ trust. The systematic disregard for data privacy has not gone unnoticed either. 75% of consumers report being concerned with the safety of the information they share with organisations, according to IDEX Biometrics. This has to be addressed if banks are going to survive and ensure that that customer trust is maintained.

A change in mindset

While the future of data regulation in this country remains in flux, we know that privacy and data protection is top of mind for consumers. To maintain the trust and loyalty of their customers, financial services organisations must think ahead and be prepared for any outcome, specifically at a technical level. But many organisations will be concerned about where to begin and how to navigate this journey.

[ymal]

Thankfully, financial institutions can tackle this challenge without exorbitant costs but they will need a change of mindset. They must put customer data at the centre of their strategy and embrace technology that will help them put privacy first.

But this means having a clear understanding of what is happening to customer data at all times. There are simple mechanisms that can be put in place to deliver this level of control and visibility. These include automating compliance and embedding data protection rules into the IT infrastructure. Solutions such as these can be cost effective and have the potential to save thousands of hours in auditing and developing data management processes. What’s more, they will give businesses the right foundation for protecting data, whatever the regulatory outcome of Brexit.

While the future of data protection rules in the UK are still being negotiated, the financial services firms that embrace a privacy-first approach starting now will be better prepared for any outcome in the Brexit negotiations.

Going forward, collaboration with the EU is vital to prevent a scenario where data transfers are blocked. We need to work closely with our European counterparts to create a data privacy framework that's protective of UK citizens without being restrictive to our businesses. Only time will tell, but with the respect and protection of our data is in the hands of governments and businesses, data privacy can no longer be treated as an afterthought. If banks act now, and protect against the inevitable, the ultimate benefit will be earning their most important asset: their customers’ trust.