Smart data, Anne-Tania Desmettre,
Press articles exposing banks' non-compliance with the RGPD (the French name for the GDPR) are numerous. It is hard to understand why so many banks are still not compliant with the RGPD three years after it came into force, especially since this sector is well versed in regulation: laws, reforms, ordinances, standards; TRACFIN, IFRS 9, MiFID II, DSP 2, KYC, the Sapin 2 law, the Eckert law, the decree of April 18, 2018... The RGPD is one more of them. Yet the stakes are considerable. Banking is one of the environments where the volume of sensitive data is truly substantial, which should mechanically push financial institutions to comply with the regulation, since it allows them to protect their most valuable asset: their customers.
Customer confidence in question
As we all know, it is easier to retain customers than to acquire them. Loyalty requires trust, and over the last few years this trust has been regularly undermined. Some will point to the level of trust the French have in their banks, but do we have a choice? No. It is not possible to do without banks. Banking institutions should take this imbalance of power into account, so that their difficulty in complying with the RGPD is not perceived as arrogance.
Why such difficulty? It would seem that many of them considered, as soon as the RGPD came out, that this regulation was just another compliance exercise. This perception is wrong. Most banking regulations cover very specific subjects, which makes it possible to delimit the impact of their deployment; the RGPD, by contrast, applies to a wide range of companies and covers a large number of subjects, making its scope of application hard to define. The challenge of RGPD compliance is substantial, time-consuming, costly and therefore ambitious. It is a company project in itself, and must be treated as such.
"The challenge of an RGPD compliance is consequential, time-consuming, expensive and therefore ambitious. It is a business project in itself, and should be treated as such."
Moreover, through the data exploited by a bank, the privacy of citizens is fully exposed. Even where financial institutions believe they have their security under control, they are far from compliant with the regulation when it comes to how long they retain their customers' data, and to how that data is updated and used. Article 5.1.d of the GDPR illustrates what is at stake for a bank: "personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy)." For example, when a banking ban is rectified, the bank's deadline for applying the correction should be real time. This is far from being the case, and the impact on the life of the person concerned is considerable.
"For example, in a case of a rectified bank ban, the banks' deadline to update the correction should be in real time. This is far from being the case, which has a considerable impact on the life of the person concerned."
Are the banks convinced that they can handle this type of project on their own, given how used they are to regulatory compliance exercises? Would they need help? Have they understood that, to be compliant, deploying an "RGPD as code" technology is necessary?