The General Data Protection Regulation is now here, and financial institutions need to ensure they are fully prepared if they are to avoid major fines. Adam Mertz gives his checklist for compliance.

Across almost every sector of business and industry, the General Data Protection Regulation (GDPR) has been a hot topic of debate and discussion for the best part of a year. There have been countless questions around compliance, budgets and how exactly the regulation applies to individual firms. One thing we can say for sure is that GDPR is now here, and it is affecting every single person in financial services.

GDPR is the biggest change to data protection legislation in the past 20 years, and financial institutions – from banks and brokers to insurers and advisers – are holders of vast amounts of customer and client information, often gathered over many years. Under GDPR this data now needs to be managed carefully, and robust plans must be in place to ensure firms are compliant – thus avoiding fines of up to €20m or 4% of global annual turnover. 

The change might be challenging for many firms, but it is important to consider the opportunity that GDPR represents. The process of preparing for it has doubtless helped organisations take stock of their data, allowing them both to be better prepared for the digital economy, and to optimise communications so that only those who have given express permission are being contacted through their channels.


As research released by PwC in November 2017 shows, financial services firms across the UK and US have led the way with GDPR preparations from the start. But even for the firms that still do not feel fully GDPR ready, it is not all doom and gloom. It is, however, vital that – at a minimum – to-do lists have been made and actions are in motion now that GDPR is in effect. Here are three key areas to check:

1. Managing right-to-be-forgotten requests

This is one of the prime mandates under GDPR. If customers or clients request to be removed from a company’s system, how easily can the business comply? Financial services firms hold and process huge quantities of data on a daily basis, so they need to have thoroughly audited their internal data management processes and know how databases are used throughout their business. Should a customer request that their data be removed, it is crucial that it is deleted not only from one database but from everywhere the organisation stores that data, including any copies held by third parties the firm works with.

These data removal processes have to be kept fully transparent, as GDPR mandates that customers are able to see what data a firm holds and where it resides at any given time. This has to be documented and made available to all parties.

2. Investing in compliance

It is important to keep a close eye on the costs of being GDPR compliant, both in terms of time and money. Our research, conducted across marketing professionals earlier in 2018, found that many companies have been dedicating resources towards readying themselves for GDPR since months before the implementation; there is a lot to consider, from staff training to new tools and systems.

Arguably the most significant challenge for financial services is how data is managed across different teams. While all of the protocols and systems may already be in place, ensuring all departments are up to speed on the regulations is often forgotten. Taking time to train the entire team is key, whether it is an e-mail, manual or physical training session, because GDPR has an impact upon everyone.

3. Supporting established processes with key systems

Finally, it is vital for financial services firms to check how they collect and maintain customer data on an ongoing basis, which is where tools such as marketing automation platforms come into their own. Data is likely to be spread across customer relationship management and other systems, and marketing automation can support processes by pulling everything into one place. Finding the right platform is critical, as not all will be both easy to use and comprehensive enough to ensure compliance.

To sum up, by having a clear view of where all data is stored and how it can be accessed and removed; investing in compliance training across the business; and continuously checking systems and processes, companies can ensure they are compliant with core elements of GDPR.

While this is by no means a comprehensive checklist for full compliance, the point remains that it is now more important than ever for companies to review if they are fully GDPR compliant and are ticking all the relevant boxes. May 25 has come and gone and it is now time to reap the benefits of GDPR, from better data hygiene to permission-based communication – and, of course, avoiding those fines.

Adam Mertz is vice-president for marketing and strategy at Act-On Software, a marketing automation provider.
