
Two years to comply: how to meet incoming EU Data Protection Regulation

There are now less than two years until the General Data Protection Regulation (GDPR) comes into force. It will fundamentally change the way that companies capture, manage and store information.

Three significant reforms within the legislation will force institutions to overhaul their existing systems and processes:


  1. Informed consent
  2. Data portability
  3. The right to be forgotten


Under the new regulation, every financial institution that collects, processes or shares an individual’s personal data will need to gain their ‘freely given, specific, informed and unambiguous’ consent.

Institutions have to consider how to capture the consent they obtain in an auditable workflow. Undertaking this with anything other than an automated, secure, digital communication link with the customer would be a huge administration and compliance burden.

New rights beyond consent

The legislation’s interpretation of the ‘Right to be Forgotten’ stipulates that consent should not be regarded as freely given if the consumer or entity has no genuine and free choice and is unable to refuse or withdraw consent without detriment.

The final significant component of GDPR, Data Portability, enables the customer to both share and rescind data on a case-by-case basis. In two years’ time, when the GDPR comes into force, customers will be able to request copies of their personal data in a usable format that they can transmit electronically to another processing system.

A ‘customer-driven’ approach to information sharing is becoming increasingly attractive to financial institutions grappling with this new privacy agenda. Firms are exploring digital rights management services that create a digital ‘vault’ for customers to store their personal data. 

The cost of non-compliance

The GDPR will impose a significant financial penalty of 4 percent of annual global turnover or €20 million, whichever is greater. 

In today’s climate of increased legal scrutiny and reputational vulnerability, it is unthinkable for an organisation not to make every effort to reduce corporate risk and eliminate liability, especially in relation to global data protection challenges.

The need for effective digital user experiences is clear: technology can improve efficiency for the bank; provide an auditable trail and clear proof of consent for regulators; and build loyalty and trust for customers.

Consent governed by the EU General Data Protection Regulation will be enforced in just 24 months. The clock is ticking. While 2018 may seem a long way away, legacy processes aren’t overhauled overnight.

We've written more on GDPR at



Stuart Lacey

This post is from a series of posts in the group:

Financial Services Regulation
