Sebastian Allerelli, Partner at Safe Online ApS, shares his thoughts ahead of his speech at the Mobey Member Event in Paris.
What are the challenges banks face when having to deliver customers information they have requested under GDPR?
The challenges lie in that banks, like all others, face two types of requests: “The right to access” and “The right to data portability”.
- Right to Access means that “individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.”
- Right to Data portability means that “Individuals have a right to transfer their data from one service provider to another, or for the data to be delivered from their service provider to themselves. And it must happen in a commonly used and machine-readable format.”
The main challenge lies in collecting all this data and ensuring that it is the right data for the right individual and that it includes all the necessary data that lies within the legal boundaries. Automating this data-extraction process can be tedious, cumbersome and costly at best. Done manually, it can place a strain on resources. The main risk in this process, automatic or manual, is a risk to data validity and data purity when sending: sending data that includes other persons' private data or internal notes that display non-flattering descriptions. Another challenge that currently exists is “the amount of data” that needs to be delivered under data portability. As it stands now, banks and other financial organizations have been more used to collecting data than giving it back to the individual, be it a customer or an employee.
Are banks ready for requests for information from customers?
Our experience shows us that they are not. Not automatically, at least. Currently, extracting data from multiple source systems, collecting it and analyzing it is mostly done manually. Banks face the challenge that they usually have 100+ solutions where data about the individual resides. This process will take time to automate.
How often will banks face such requests?
Currently there are not many requests for data from individuals. The status is that not many individuals know what to do with the data. Most of the data requests we see currently are made by legal individuals or trolls. This will, however, change! There are two major sources of interest in the long run for data from an individual: 1. Companies that have consent from the individual to retrieve the data from a current service provider. 2. Users that will sell their data to make a personal profit. The main driver in the beginning will be companies requesting data during an onboarding process. This will help A. ensure a smooth onboarding process where the user only gives consent to retrieve his/her data, B. minimize risk by retrieving data from a validated source, C. give better customer understanding when giving an offer, and D. ensure proper consent and transparency between bank and customer.