Rich Vibert, CEO and Co-founder, Metomic
UK banks are not as prepared as they should be for Brexit. This is unsurprising given the political wrangling, the challenges posed by COVID-19 and the daunting prospect of a double-dip recession. However, with under 3 months to go, banks and financial services businesses need to get a firm grip on the impact Brexit will have on their customers' data privacy, and fast.
We need to talk about data privacy in finance
Before diving into the nuances of post-Brexit data protection, the difficulties banks currently face with regard to data privacy must be addressed. A glaring 62 percent of the data breached last year came from the financial services sector, according to Bitglass. Even more worrying, an Accenture report from March revealed that one-third of financial organisations lacked a clear plan or resources to address privacy risks related to customer data. This is a worrying starting point, and Brexit will only bring more challenges as data protection regulation evolves.
What's behind a post-Brexit data protection law
Data protection in the UK is currently subject to the EU's General Data Protection Regulation (GDPR). But once the Brexit transition period ends, organisations in Britain will fall under a UK data protection law that is still to be announced. Thankfully, there is a strong chance that the UK will incorporate GDPR principles into its own law, but uncertainty and confusion remain. And should new local measures be implemented, banks will need to move quickly to become compliant.
However, even with a GDPR-based compliance framework in place, challenges will remain. One of these is ensuring banks can still transfer data to other European countries; this matters because a quarter of the financial services sector's annual revenue currently originates from business related to the EU. Financial organisations should also consider the potential consequences of a no-deal Brexit. The UK government has declared it is willing to reach an adequacy agreement, maintaining a free flow of data between countries. However, given the current stalemate, financial institutions should not take that for granted. In a worst-case scenario, a no-deal outcome could see UK businesses sending data to the EU in 2021 and simply not getting it back. This is untenable for a sector that depends on constant transfers of sensitive information, such as credit scores. Unpicking the mess will require the investment of time and funds that many businesses can ill afford.
Customer data at risk, reputation at risk
UK citizens are already wary of the way their data is being treated. The government's acknowledgment that the UK track and trace system was not GDPR compliant, and the privacy concerns around the COVID contact tracing app, are just a few examples that have damaged citizen trust. As such, they need to be reassured that post-Brexit their data will be treated in the right way, not only by the government but by financial institutions. This is especially important as data breaches have been shown to compromise corporate reputation: 49% of customers would not sign up to a service that has suffered a data breach, according to Ping Identity. This has to be addressed if banks are to survive and ensure that customer trust is maintained.
A privacy-first mindset for banks
While the way forward for data regulation in this country remains in flux, we all know that privacy and data protection are top of mind for consumers. To keep the trust and loyalty of their customers, financial services organisations must think ahead and be prepared for any outcome. Fundamentally, this is more about a change of mindset than about exorbitant costs. The main goal should be to deploy a privacy-first approach across the business. This means putting the customer at the heart of your strategy and investing in technology that gives you clear and continuous visibility over what is happening to all customer data – from transactions to investments.
Fortunately, simple mechanisms can be put in place to help businesses achieve this. For example, there are solutions that allow businesses to embed data protection rules and protect sensitive data within their IT infrastructure. This puts compliance on auto-pilot, minimising risk. These are the types of investment that banks should be making now, as they will save them thousands of hours per year of auditing and developing data management processes.
Data privacy can no longer be treated as an afterthought. The financial services firms that embrace a privacy-first mindset starting now will be better prepared to protect their customers' data, and therefore preserve trust and their own reputations, whatever the Brexit outcome.