Financial Services face controls on marketing under GDPR


Photograph by David Graeme-Baker

Earlier this week, the Worshipful Company of Marketors, the livery company representing the interests of marketing professionals in the City and the Financial Services Forum held a joint seminar on the subject of the EU General Data Protection Regulation (GDPR) at Cass Business School, London. This was the first time that both organisations had collaborated on an issue that impacts the financial services sector more than any other sector.

Those taking part (left to right) were Martin Hickley, data governance, protection and privacy expert; Hazel Grant, partner and head of privacy and information law at Fieldfisher; Ardi Kolah, director of Go DPO and seminar chairman; Jenny Moseley, co-founder and director of Opt-4, a leading data marketing agency and Chris Wood, head of business compliance in the UK for HSBC.

The journey to EU Regulation

The journey of the GDPR to the present day has been a long and at times controversial one. In January 2012, the European Commission (EC) issued a proposal for a European-wide data protection reform.

In March 2014, an amended proposal was approved by the European Parliament – in effect creating two drafts of the same Regulation (the Commission draft and the Parliament draft) with significant differences between them. Now we have a review of the proposals by the Council of Ministers, who have declared that nothing is agreed until everything is agreed.

To date these drafts have had more amendments than any previous body of EU regulation, and given the priority that EC President Jean-Claude Juncker has placed on reaching agreement on this landmark regulation, many believe that the GDPR will be agreed by all parties by the middle of 2015.

Although differences remain, as reported on this website, the feeling among the panel is that the financial services sector can’t adopt a ‘wait and see’ approach in the vain hope that the GDPR will go away. It won’t.

Data security and the protection of data are perhaps the biggest issues facing the sector from a business continuity perspective, since getting this badly wrong opens the door to punitive fines of up to five percent of global turnover or €100m.

To underline how vulnerable large organisations are to becoming the victim of a data breach on a grand scale, just 30 minutes before the seminar began, both Facebook and Instagram were hacked by Lizard Squad, resulting in a ‘denial of service attack’ – an account denied by Facebook.

Either way, 1.6bn users of the social network couldn’t access their accounts for over half an hour. Lizard Squad and others like them represent a continuing threat to the data that financial services firms hold on servers that can be infiltrated by those who are determined to carry out such attacks.

Under the new GDPR, data protection authorities (DPAs) will ‘hold hands’ and in doing so provide a so-called one-stop shop for complainants against financial services firms, irrespective of where in the EU the issue took place. Other changes impacting the financial services sector can be seen in the table below.

Changes brought about by the GDPR


The GDPR will effectively replace the former Data Protection Directive 95/46/EC, as well as make the existing Data Protection Act 1998 redundant, by bringing in a European-wide approach to data protection and security that moves away from the patchwork approach that exists at present. It also places equal legal responsibilities on data processors and data controllers with respect to the transfer and use of data.

A proposed ‘data protection seal’ will signal to consumers that a financial services firm complies with the supervisory authority and can transfer data to third parties on a lawful basis, in the hope that consumers will be reassured by the higher standards of data protection that such a firm meets.

The obligation to report breaches – however small – will fall to the Data Protection Officer (DPO), who will work independently within a large financial services organisation, and such breaches are likely to have to be reported within 24 hours. The definition of personal data will be extended under the GDPR to include cookies and IP addresses. Weirdly, such data breaches could extend to the identification of household objects such as fridges that now come with their own IP address!

The issue of customer consent was also widely discussed at the seminar, and it’s clear that banks such as HSBC are re-wiring their approach around protecting the customer as the paramount principle in how they manage their business.

Financial services firms must obtain consent and this must be freely given for a specific purpose rather than for some blanket purpose.

There is still some argument between lawyers as to whether implied consent is a dead duck – and some lawyers feel that implied consent in certain circumstances will still be lawful under the GDPR.

Major causes of data breach

According to the panel, a major cause of data breaches is human error, and education and training will clearly be core to reducing this risk within financial services. However, there was a recognition, particularly with regard to junior staff, that such a risk could never be 100% eradicated, leaving fines and sanctions under the GDPR a real possibility.

Typical human error includes the failure to encrypt data, a lack of privacy policies and even mis-directed communications, whether post, fax or email.

Chris Wood told the story of one incident where the sender had accidentally clicked ‘Reply all’, sending the private email beneath the message to be read by over 55m other people before the matter was brought under control. By then, of course, it was too late and a significant data breach had occurred.

Negative PR can damage brand values

As well as fines, DPAs like to ‘name and shame’ those firms that have fallen below the standards expected of them and the reputation damage to the brand in such cases could easily outstrip the financial penalties imposed, according to Hazel Grant.

For example, the French authorities recently forced Google to publish details on non-compliance on its home page for 48 hours. Google complained but lost its case in the courts.

FCA Conduct of Business Sourcebook

Jenny Moseley made the point that the Financial Conduct Authority’s Conduct of Business Sourcebook (COBS), which governs sales and marketing within the financial services sector, will need to be revised in light of the GDPR.

For example, terms and conditions in contracts will need to be fair, clear and not misleading, and an audit done by her firm on the websites of many of the delegates attending the seminar showed massive failings in this area.

The language in privacy policies can no longer read like gobbledygook and must be clear for those who are intended to read it, particularly with regard to asking for their consent.

And the gap between how the rules apply to B2C and B2B will narrow until it becomes invisible altogether.

Timetable for the GDPR

Chris Wood also commented on the problem of slippage in the timetable for introducing the GDPR and was concerned that the delays have created a false sense of comfort for senior executives who may not appreciate the threat to business continuity that the GDPR actually represents. He was also concerned that good data controllers were being punished, as they were more likely to report breaches.

On the other hand, he thought the GDPR would give more clarity to sales and marketing activities within the financial services sector and that this was in the best interest of its customers.

Top Ten tips

The panel gave some practical tips on how marketing professionals within the financial services sector could prepare themselves in order to avoid a data breach.

  1. Write down a set of data protection policies and procedures and ensure that these are compliant with the GDPR. Such policies and procedures should include what actions need to happen in the event of a data breach.
  2. Consider what breaches might do harm to customers/clients and pay particular attention to mitigating these risks. The most serious are either financial fraud or identity fraud, so marketing professionals should pay particular attention to passport details and other personal information stored on their servers.
  3. All financial services firms need to invest in educating and training all employees involved in collecting and processing data, with a view to reducing the risk of human error, and should automate as many processes as possible for the same reason.
  4. All financial services firms need to set very clear, fair and transparent rules for obtaining customer consent.
  5. All financial services firms shouldn’t keep data forever – unless, of course, it is needed to ensure that they don’t contact someone who has expressly said they don’t want to be contacted in the future, since not holding that information could lead to the person being contacted again by accident.
  6. All financial services firms should have a policy for destroying out-of-date data.
  7. All financial services firms need to recognise the risk of consumer activism where one aggrieved customer can very quickly galvanise a mass campaign against the brand on Twitter and social network sites.
  8. Marketing professionals need to integrate data protection fully into all business processes and not treat this as an add-on or side issue.
  9. Marketers should consider the GDPR as a marketing opportunity and potentially a source of competitive advantage by performing data processing tasks more efficiently and accurately.
  10. Customers should be treated as a source of business rather than a piece of data and need to be treated fairly, with respect to their rights to privacy and without cynicism.
