Stringent GDPR requirements create an opportunity to build trust and transparency into the LP&I value proposition
As an industry, Life, Pensions and Investments (LP&I) is lagging behind in the customer engagement space. It’s something I talked about in my last blog series. But while the industry may still be taking a back seat where innovation is concerned, there’s one area – regulation – where we’re all in the same boat. And doing nothing about it is not an option.
As large-scale processors of data, financial service providers must be General Data Protection Regulation (GDPR)-compliant by 25 May 2018. Because the UK is (currently) a member of the European Union, that's a mandatory requirement. Where firms do have a choice, however, is in how quickly they embark on this transformation journey, and whether they choose to use this legislation to kickstart customer-centric business practices.
First, what are the key objectives and impacts of this regulation? The GDPR is intended to strengthen and unify the protections for personal data that are already in place across the EU. The primary objective: once this framework is in force, our personal data (what is often called Personally Identifiable Information, or PII) will be protected consistently across member states. Which, for us as individuals, can only be a good thing – right?
But the impacts for large-scale processors of data, like LP&I providers, will be significant. That’s because becoming GDPR-compliant means driving through some pretty drastic organisational and cultural changes.
To focus on just one of these changes, guidance from the ICO (the UK's Information Commissioner's Office) and the Article 29 Working Party cites financial institutions as examples of organisations whose large-scale processing means they must appoint a Data Protection Officer. And because LP&I firms typically act as data controllers as well as data processors, under the GDPR they'll also be expected to maintain records of all their processing activities and make them available to the ICO on request.
From this example alone, it’s clear that there’s a lot of work ahead for LP&I firms if they’re to achieve Day 1 GDPR compliance. But, once again, they’re a long way behind the curve. With the deadline looming, and most other financial services providers already midway through their GDPR change programmes, the time for them to take action is now.
Far from viewing it as a costly burden, LP&I firms should treat GDPR as an opportunity. Not just to increase customer loyalty in a landscape where data breaches are rife, but to transform their data processing entirely and, in doing so, increase its value ten-fold.
Before seeing how they can realise this opportunity, let’s take a look at the key themes and requirements in the regulation and the challenges these typically create for LP&I firms:
- Requirement: Data subject rights – give individuals access to their personal data (and, under data portability, a machine-readable copy of it), and rectify, restrict or erase that data on request.
- Challenge: “We can’t be sure what information we have, how to stop using it or how to erase it, because it’s dispersed across the organisation”
- Requirement: Data protection by design and by default – assess and minimise data-processing risk in the design of processes and systems.
- Challenge: “We don’t know how to develop new products or systems and integrate GDPR requirements throughout the product or system’s lifecycle”
- Requirement: Notify the Supervisory Authority of a personal data breach without undue delay and, where feasible, no more than 72 hours after becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and inform the affected individuals where the risk to them is high.
- Challenge: "We have some processes in place, but in practice we're unlikely to be able to respond within that window. Our ability to proactively detect incidents is limited."
Leading organisations turn these challenges into opportunities to invest for revenue generation, cost reduction, and improved risk management. How? The new controls and processes they implement to facilitate increased data subject rights lead to more efficient data operations.
Cleansing records in line with Privacy by Design principles entails data minimisation: keeping only the data you need means lower storage costs and less data noise. Clean, organised data is valuable data. And valuable data lets you offer more tailored, personalised services to customers where, traditionally, relationships have been passive and lacking engagement.
More stringent requirements for breach reporting create an opportunity to build trust and transparency into your value proposition. Greater trust = greater customer retention. That’s essential in a data-driven world where the emerging consumer base would rather take investment advice from GAFA providers than traditional incumbents.
To realise these (and other) benefits, we propose four immediate steps that will transform GDPR challenges into opportunities:
1. Carry out a thorough readiness diagnostic
Evaluate your current-state readiness for GDPR in the context of broader business objectives. Identify compliance gaps for prioritised remediation.
2. Develop a remediation strategy
Determine a strategic approach to remediation, develop detailed project plans and budget, and establish a data protection office.
3. Create a personal data inventory
Carry out a data inventory for structured and unstructured data sets, and document visibility gaps for remediation.
4. Implement technology and process enhancements
Execute system changes to enable GDPR outcomes, and deploy specialised technology to provide single customer view, consent and request tracking, and risk management.
To find out how to get started, please get in touch.