It has been five months since the European Union (EU) enacted the General Data Protection Regulation (GDPR) initiative, which provides new customer data and privacy protections. GDPR was introduced in 2016 and gave member countries two years to implement its regulations. It replaces the 1995 Data Protection Directive, which was adopted when the internet was in its infancy. This EU-driven legislation has had a worldwide impact because it affects any company that sells products or services in the EU, or that processes or holds the personal data of EU residents and citizens.

GDPR brings together two constituents with often opposing views concerning data – namely the business community and consumers. Businesses have been collecting ever more customer data in order to understand their behaviors, interests, and buying habits to offer more targeted products and services. Rapid technological change, particularly this decade, has driven companies to pursue larger deals to acquire such data quickly.

The Value of Customer Data

For their part, consumers have good reason to be concerned about the protection of their personal data. Data theft continues to make headlines – the top ten breaches in the financial services or “finserv” space (a term that includes banks, payment processors, loan providers, and credit bureaus) add up to more than 100 million customer accounts impacted. These companies possess a wealth of personally identifiable information (PII) and payment card industry (PCI) data, such as social security numbers, credit card numbers, email, birthdates, addresses, phone numbers, credit scores, and more. With this data, cybercriminals can open up bank and credit card accounts, file tax returns, and empty accounts.

Not surprisingly, these breaches have dampened consumer trust in companies. A recent IBM poll reveals that 78% of U.S. respondents say a company’s ability to keep their data private is “extremely important”, and only 20% “completely trust” organizations they interact with to maintain the privacy of their data. This has real implications for a company’s bottom line; the same poll discovered 75% will not buy a product from a company – no matter how great the products are – if they don’t trust the company to protect their data.

GDPR Impact on the Financial Services Industry

GDPR requires finserv companies to examine – and potentially change – how they collect, store and process customer information. These businesses must ensure that they are compliant in the following summarized areas according to a LogicGate post:

  1. Consent – “Offering individuals genuine choice and control”
  2. Right to Data Erasure – “Right to be forgotten”
  3. Consequences of a Breach – “An organization has 72 hours to inform”
  4. Privacy by Design – “Approach that implements data protection and privacy from the beginning of any business policy, procedure, or project”
  5. Vendor Management – “Clear process and procedure in place for all external vendors handling their customer data”
  6. Data Protection Officer – “DPO will be required to monitor the company’s compliance with GDPR”

Financial Services Companies Respond

The finserv community worldwide has known for some time that GDPR was coming, so how prepared are they? The healthcare and finance industries have been the slowest to act: 14% of U.S. healthcare companies have only completed 25% of the GDPR compliance process, and 21% of U.S. finance companies have only completed 25% of the process. Both sectors are known for having slow-moving cultures, processes, and technology adoption. This stems, of course, from the heavily regulated nature of their industries.

It is true that GDPR impacts businesses differently. Security experts expect the technology industry will be most affected by the legislation (53%), followed by online retailers (45%), software companies (44%), financial services (37%), online services/SaaS (34%), and retail/CPG (33%).

In response, some businesses are changing their service delivery in order to protect themselves from GDPR penalties. For a real-world example of this new reality, earlier this year Hilton Hotels was fined $700,000 for two data breaches. Under GDPR this would balloon to $420 million.

There are tough penalties for those companies and organizations that don’t comply with GDPR, with fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater. Imagine 4% of Citibank’s worldwide revenues.

Why the Slow Adoption of GDPR?

A GDPR analysis is far-reaching, and its conclusions can have a major impact on a company’s systems, processes, and resources. An “audit” involves the participation of staff across departments. Businesses must also understand how to dispose of outdated and irrelevant data, and how to safeguard critical information. A company-wide system for protecting personal data needs to be established and understood by every employee.

The cost of GDPR compliance can be high. A Business Insights article reported that 10% of companies expect GDPR compliance to cost their business more than $1 million. About two-thirds (66%) expect to spend between $50,000 and $100,000, and 24% anticipate costs between $100,000 and $1 million. GDPR affects nearly all companies, so these charges can be significant for smaller organizations. Larger companies have less of an excuse for not completing their GDPR implementation.

GDPR’s Silver Lining

The EU’s legislation will be beneficial over the long term because it is forcing companies to implement processes and controls over customer data that they otherwise would not have performed. After years of collecting as much data as they could on their customers, 80% of companies plan on reducing the amount, according to an IBM study. They recognize that better controls for privacy, security, and data management are good practice, and that such controls can even serve as an impetus for new business models. On the consumer side, expectations are high for a change. A Harris poll found that only 20% of U.S. consumers completely trust organizations they interact with to maintain the privacy of their data. Those companies that undertake the necessary GDPR implementation will, therefore, reap the reward of improved customer confidence and business.

Further Regulation is Inevitable

The trend towards more regulation and consumer data protection is evident. Although GDPR is EU legislation, the California Consumer Privacy Act, which shares many similarities with GDPR, was signed into law this summer and is set to take effect in 2020. In a Janrain poll of U.S. internet users this year, 68% of respondents say they support GDPR-style rules in the U.S. Given how transformative this legislation has been worldwide, it may nonetheless take a few more high-profile breaches for a GDPR-style law to get through the grid-locked political environment here in the U.S.

SparkPost and GDPR Compliance

At SparkPost we recognize that the treatment of data – where it is stored and how it is protected – is of utmost importance to our customers. We have invested in systems and processes to comply with GDPR requirements, with a heavy focus on financial services businesses, and SparkPost achieved GDPR compliance in advance of the regulation’s effective date. Our GDPR compliance covers our role both as a data controller and as a data processor. SparkPost is already certified under the joint EU–U.S. Privacy Shield framework governing personal data transfer between the EU and U.S. SparkPost can provide guidance on how best to manage data and ensure that your organization is fully compliant in this new reality.

For customers who require the additional confidence of keeping all data within Europe, we established the SparkPost EU service earlier this year. Unlike some of our competitors’ offerings, our API service and all email processing and delivery for SparkPost EU originate from European-hosted infrastructure.

Learn More?

Ready to learn more about GDPR? Here are a few resources:

As always, give us a shout on Twitter with any questions.

– Casey