Never before have issues of data privacy and security been more top of mind. In the United States this attention was on full display a few weeks ago when every media outlet was glued to Facebook’s CEO Mark Zuckerberg as he fielded questions from Congress on how his company handles, and has mishandled, user data.
Europe begins a new era for data protection today as the General Data Protection Regulation (GDPR) goes into effect, following its passage roughly two years ago. The law is being celebrated widely for its robust customer-centricity. The degree to which it succeeds, in Europe and globally, in enforcing a business environment that provides adequate safeguards for consumer data management remains to be seen. One thing is certain, however: it has the potential to change the way we all interact with businesses, from internet platforms to banks.
First, a quick overview of the law.
The regulation tightens rules on what companies can and can’t do with customers’ personal data. Data qualifies as “personal” if it can identify the user, which includes names, phone numbers, usernames, and even GPS data and IP addresses.
The law strives to put customers in control of their data. It requires providers to attain explicit consent from users on data that will be gathered and how it will be used. Instead of users automatically opting in to data sharing, providers must configure their systems with no pre-checked boxes. Users must actively opt in. Providers are compelled to use simple, accessible language communicating what’s in their user data agreements.
The regulation significantly strengthens individuals’ abilities to access their data, and even to erase it. An individual can ask a company for the data in their personal file and the company must comply within a month. If the user believes that a company should correct data, or delete data altogether, the company must comply in most cases.
Punishment for noncompliance is steep, with delinquent companies facing fines up to €20 million or 4 percent of the company’s total revenues, whichever is higher. It’s reported that Microsoft has had more than 1,600 engineers working on GDPR-related projects.
Even though the regulation only pertains to citizens of the European Union and companies operating there, in today’s global business landscape, where there is no shortage of cross-border business, we’re likely to see providers all over the world adopting stricter data practices to ensure compliance with the GDPR.
What does the new regulation mean for financial services?
We’re likely to see providers throughout the financial services ecosystem reconfiguring their digital products and the related data systems to align with the new standards. For example, a bank might only do 2 percent of its total global business in the EU, but if it fails to comply with the GDPR, it could still be subject to penalties – a strong incentive, indeed. Not all financial services providers will be affected equally. Larger institutions that have had the resources over the past two years to allot product designers, compliance lawyers, and the like to GDPR are better positioned than startups and small providers to take these regulatory changes in stride. Moreover, not all financial services providers use data in the same way. Institutions that use “alternative” data sources to underwrite credit decisions might be faced with a bigger barrier than financers whose business models aren’t contingent on customers opting to share personal information.
Of course, there’s a difference between the letter of the law and business practices. As Richard Waters of The Financial Times put it, “The principles behind the regulation are laudable, but it is likely to take an onslaught of official complaints from privacy activists to test the parameters of this new regime.”
We’ll be curious to see the degree to which the new law improves users’ engagement with their data. When many of us are faced with a new user agreement, we just click and carry on. Would the requirement to click opt in boxes make a difference in whether we actually read the agreements? Will we take the time to sort out what data we are willing to share and with whom? Perhaps not, but the GDPR works to offer every opportunity for us to do so.
Have you read?