A Challenge for Each Business Department – GDPR for Financial Services

The General Data Protection Regulation (GDPR) is expected to have a significant impact on the financial sector; however, investments in GDPR compliance could also drive strategic and operational benefits. Financial services firms handle billions of financial records and personal data transactions. To protect customers’ interests while complying with GDPR requirements, businesses must develop and store more detailed records of their data processing. The financial services industry will need to rationalize and improve its legacy IT infrastructure to meet the standards required.

[Image: areas of concern when tackling the GDPR, by Taran Saini]

The GDPR is viewed as a pure IT problem by some and a ring-fenced compliance issue by others. Both camps are wrong – like spilling a pint of milk on the kitchen floor, the GDPR reaches all corners. Every department, business unit or branch within a financial services organization is impacted by the Regulation.

The new data protection rules cover three main areas: transparency, control, and accountability. As data controllers, organizations will need to tell people what they do with their data, stick to what they have promised, and be prepared to account for their actions.

Technology can undoubtedly provide some of the solutions, but as UK Information Commissioner Elizabeth Denham pointed out recently, the GDPR mandates organizations “to put into place comprehensive but proportionate governance measures…it means a change to the culture of an organization.” Will GDPR affect your business? Yes: it puts the emphasis on people and business processes, and multi-departmental ownership is necessary for the compliance journey. So how will GDPR affect your financial institution? Using practical examples, this article looks at what it will mean for different parts of a financial firm.

Administration and HR

The need to update employment contracts has been well publicized, but administrators also have the responsibility of training staff on GDPR and updating induction plans and welcome packs. They will also need to keep records of all training and provide refresher courses as GDPR evolves over time. An obvious practical question comes to mind – who is going to carry out the training?

In addition to updating all current policies to reflect GDPR requirements, administrators will need to create new policies, such as a Data Subject Access Rights Procedure, a Data Retention Policy, and a Data Breach Escalation Procedure and Checklist.

Sales and Marketing

Financial services organizations that use direct email marketing tools need to consider a number of factors: where did they get their data from? Has the data been collected over many years (and therefore contains many unresponsive contacts)? Either way, do they have consent to contact the data subjects on the database?

Consent is now required before any B2C marketing contact can be made, while B2B contact is allowable if a previous relationship exists. Contact has to be specific to the interests expressed by the data subject – that is, if a data subject enquires about Product A, you have to be careful about sending them marketing about Service C. A similar rule applies to business cards – they should be used only for the purposes requested or discussed when the card was received.

Operations

When dealing with suppliers with whom personal data is exchanged, operations teams have to become familiar with the concepts of ‘controllers’, ‘processors’ and ‘sub-processors’ within a given supply chain. This is important because GDPR has introduced the concept of joint liability – that is, if a data breach takes place anywhere along the supply chain, each ‘link’ in the chain may be liable. This is why organizations should only work with suppliers that are GDPR compliant.

The way to ensure this is to have strict contract clauses between any two parties that exchange personal data. Additional rules apply if data is to be transferred outside of the EEA into so-called ‘third countries’.

IT

Different IT teams will have different responsibilities regarding GDPR: the network team will need to treat the security of data as paramount; the development team may need to carry out a DPIA for ongoing projects; the applications team will have to deliver on ‘right to information’ or ‘right to be forgotten’ requests from data subjects. An audit of all your systems should be undertaken (cloud or onsite, office software, CRM, marketing tools, social media platforms, back-office systems, payroll, etc.) to understand the flow of personal data.

All Members of Staff – Transfer of Files

It is common to email contracts, guest lists, employee reports and the like to third parties as attachments. However, standard email systems like Outlook and Gmail do not send files securely (i.e., encrypted), so an attachment can be read like a postcard. While it’s fine to transfer large graphics and photos via tools such as Dropbox and WeTransfer, these tools do not provide the control and audit tracking mandated for the transfer of personal data under GDPR. As a result, businesses that send personal data via email on a regular basis should look for a secure, encrypted file transfer system that meets GDPR requirements.

Think of preparation and compliance as an opportunity to gain a competitive advantage. To identify how GDPR will affect your business, start with a full GDPR audit of your personal data (client, customer, employee, associate, etc.) and ask yourself where it comes from and what you do with it.

To harness GDPR for business advantage, financial institutions should seek professional support from experts such as FileOM.