Today’s world is witnessing an explosion of data, including personal data: your civil status, what you do and don’t like, your holidays, your favourite leisure activities. The exploitation of all this data is multiplying through the use of innovative IT tools.
“A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” Sir Winston Churchill
Big Data, combined with the almost limitless capabilities of companies such as Amazon or Google to exploit data, means it is becoming a powerful commercial weapon used to target us in our most private lives.
In response to these developments, the European Union has introduced some safeguards and obstacles with its General Data Protection Regulation (GDPR).
Banks, in particular, are among the businesses most affected by the GDPR, this being a sector with particularly extensive knowledge of its clients – buying patterns, withdrawal locations, family circumstances, number of children, etc.
In brief, the idea of the GDPR is to enable private individuals to maintain at least partial control of their data, and to force businesses to establish procedures enabling them to do so. As a result, every enterprise engaged in the regular, systematic and large-scale processing of the personal information of staff, customers, etc. must appoint a Data Protection Officer (DPO).
While many view the appointment of a DPO as a constraint, it can also be viewed as an opportunity to demonstrate that a business can live up to its role as a trusted third party by establishing a proper policy for the management and control of personal data, notifying customers of the use made of these data and enabling them to exercise their rights under the GDPR.
This is particularly important for banks, whose ultra-competitive sector is regularly challenged by the arrival of new players (online banks, telephone banking) and for which the quality of customer relationships is now a key asset.
Added to this, non-compliance can bring heavy financial penalties. The European Union has adopted the means to enforce the GDPR: for example, a bank that fails to appoint a DPO risks an administrative fine of as much as €20 million or 4% of its global turnover in the preceding financial year.
But it’s important to bear in mind that the DPO’s role goes well beyond that of the earlier data protection and compliance agent, whose appointment was in any event optional. The DPO advises and informs the company of its obligations, monitors compliance with the GDPR, ensures that the processing register is maintained and manages compliance audits.
The role also involves advising the enterprise as to the necessity of conducting a data protection impact study, and the DPO will be the point of contact for customers who file a complaint about the use of their personal information.
Importantly, it is preferable not to appoint a DPO internally from among company personnel, for obvious reasons: if too senior, he could be suspected of a conflict of interests; if too junior, he will lack the authority and powers to act.
For this reason, a number of law firms have embraced this line of business, which requires independence, the capacity to listen and to persuade decision-makers, and real legal expertise.
Going forward, banks that seize the opportunity to establish a proper policy on appointing a DPO will be better equipped to cope with the increasing complexities of the data environment as well as demonstrating commitment to their customers.