Five years on from the introduction of the General Data Protection Regulation (GDPR), financial institutions continue to face significant data privacy risks.
The challenges aren’t new — the key principles of GDPR still hold true — but they are growing in scale and complexity, and at pace. Almost all leading European financial institutions have publicly announced strategies to become more data-driven. They have seen the customer growth that big tech companies have achieved over the last decade by using customer data to design new products, propositions, and experiences, and they have felt an urgency to invest in their own customer data capabilities. But more data about your customers brings greater data privacy risk, and data protection authorities are becoming more alert to the growing inherent privacy risk presented by the digital transformation of more consumer industries.
To assess how best practice has evolved and outline the challenges that are top of mind among leading data privacy risk managers today, Oliver Wyman interviewed subject matter experts from more than a dozen universal financial services institutions across Europe. Our analysis found five common characteristics of the institutions that we believe are best positioned to manage and mitigate the evolving data privacy risk landscape, while also ensuring their businesses capitalize on the opportunity presented by investing in their customer data.
Five key characteristics of institutions excelling in data privacy risk management
1. Leading institutions have built a holistic business architecture that defines a continuously evolving and improving target state
Data privacy is a complex risk. Customer data leaves a footprint in nearly every corner of a financial institution, and it requires a risk management operating model that transcends traditional organizational boundaries between the customer-facing business units and the enabling functions such as operations and technology.
To address this challenge, the most mature banks we spoke to recognize that managing data privacy risk is a team sport — one that requires a holistic overview of their business’s architecture to provide clarity on roles and responsibilities across the organization. Creating a model for how the bank operates that properly grapples with data privacy risk is analogous to building a house: It needs a blueprint for how the various floors (the organization’s governance regime, policy framework, control landscape, technology, and data architecture) connect. To further the analogy, such a blueprint allows you to collectively spot risks arising internally — for example, identifying a damp patch and mitigating it before it becomes a full-fledged (data) leak — as well as to efficiently react to new changes coming externally.
Understanding the interaction between these layers can be complicated, but it’s a crucial process. The blueprint is inherently conceptual, but by making it comprehensive and tangible for a senior audience, leading banks gain a shared clarity on how policies covering cyber risk, data management, and information security are interconnected, and on how the controls imposed by these policies support, rather than challenge, each other. They know in advance exactly who owns which issues and who needs to act when a risk arises. That saves untold amounts of time that might otherwise be spent in unproductive meetings allocating responsibilities when they need to respond to a complex Data Subject Access Request, or when a data breach occurs and the clock is ticking to notify the data protection authorities.
2. Leading institutions are taking a pragmatic approach to data privacy risk appetite
Having a solid business architecture in place also enables the organization to navigate the delicate trade-off between risk acceptance and mitigation through investment in controls. To put it another way: With scarce resources, where should we be investing in “fortifying our house”?
For example, many banks we spoke with have struggled to define the level of detail to document processes that use personal data. GDPR is not prescriptive on this issue, implying that organizations need to take a risk-based approach. In many cases, well-intentioned compliance programs in 2017-18 decreed that the organization needed to document to an incredibly granular level of individual personal data attributes. In reality, such detail is hard to get to, becomes costly to keep up to date, and isn’t in and of itself a mitigant of privacy risk. As such, helping senior management to navigate to the “goldilocks” level of depth when documenting their personal data processes can save tens of millions of dollars — freeing up budget and resources to invest in other areas of control uplift.
Institutions that are already more analytically mature are now also worrying about the pace at which their analytics teams are working with customer data, with new models cropping up all over the bank. Forward-looking privacy risk managers are helping those teams build business cases for privacy-preserving customer data lakes in which data is at the very least pseudonymized (and, where possible, anonymized), mitigating the privacy risk “on the way in.” They are also promoting privacy-preserving techniques such as differential privacy, so that individuals cannot be identified during analysis that uses complex algorithms and/or AI.
3. Leading institutions are framing GDPR compliance in a way that also achieves strategic objectives
Traditionally there has been a view that compliance with regulations such as GDPR is in tension with a business’s strategy and objective to deepen its relationship with its customers, creating a set of hurdles that need to be jumped before the business and technology teams can get on with innovating.
One example of where strategic goals and compliance objectives can be aligned, however, is in the investment in customer data architecture. Universal financial institutions that are organized by product line (such as current accounts, credit cards, mortgages, loans, and insurance) will have many individual customers who span multiple products and therefore leave a personal data footprint in multiple product ledgers and customer relationship management systems.
In many such instances, institutions are looking to strategically consolidate their customer and product data as a means of rationalizing and simplifying their application landscape. Doing so not only enables the institution to build a richer picture of its customers’ finances — and therefore identify ways in which it can better serve customers, such as by consolidating debts — but also can provide significant operational efficiencies to the delivery of Subject Access Requests when a customer wants to get some or all of their data, a key GDPR obligation that can become costly and incredibly manual if your landscape is fragmented.
4. Leading institutions are now thinking about the commercial opportunity presented by “data privacy as a service”
When GDPR first emerged, we spoke with many financial institutions about the medium-term commercial potential to turn the strongly verified and well-protected customer data that they store from a liability (encumbered with GDPR principles and therefore costly to protect) into an asset (of value to both the customer and the institution). In 2018 there was too much attention on the need to comply with GDPR to grapple with such a blue-sky proposition. Five years later though, the world has moved on — COVID-19 vaccine passports have awoken the everyday citizen to the benefits of having more control of their personal data, and talk of a digital euro raises the need for a strongly verified form of “digital identity” for customers’ deposits. As a result, leading banks are now assessing how they can parlay their custodial and risk management capabilities into an emerging asset class: customer data.
While many industries hold sensitive customer data, the data stored within financial institutions is typically considered stronger than that of other industries, thanks to stringent Know Your Customer and anti-money laundering identity proofing requirements. The many roles that banks can play in digital identity ecosystems are a topic that Oliver Wyman has explored previously in 2020, 2021, and 2022. Now though, the European Digital Identity Wallet Framework is accelerating the pace of innovation in this ecosystem, with the regulation due to come into force in 2024. The intent is to enable EU citizens to store their personal information in a digital wallet that can be used for anything from renting a car to filing tax returns.
Leading financial institutions are evaluating this opportunity by developing an institution-wide strategy that evaluates “where to play” in the digital identity ecosystem — for example, accepting digital identities of your customers provided by others as a relying party only, or providing customer attributes securely into the ecosystem for other institutions to verify your customers against. Leaders are evaluating how they can be an issuer of a “bank-grade” digital identity — akin to the “BankID” model in the Nordics where bank-issued digital credentials can be used to access and log in to other digital services — by mapping how this will look and feel for their customers in three to five years’ time. Any bank that isn’t thinking about how to monetize its customer data in this way needs to start, because there are competitors that surely are.
5. Leading institutions are connecting the dots between the requirements and capabilities needed to address multiple regulations
Our recent report on the European Banking Regulatory Framework with the European Banking Federation highlighted the complexities of regulation for European banks. Well-intentioned requirements set out by GDPR, the Basel Committee on Banking Supervision standard 239 (BCBS 239), and the Digital Operational Resilience Act (DORA), all of which aim to minimize customer harm, can inadvertently end up tying the regulated institutions in knots. That is especially the case when implementing the regulation requires an uplift in their technology and data environments, or when it requires managing across matrix organizations with vertical business units and horizontal group functions.
Leading institutions are starting to connect the dots across the requirements set by the regulators that, at their simplest, require documenting processes “end-to-end,” understanding where risks and vulnerabilities can manifest along those processes, and identifying ways in which they can be mitigated by investment in controls. So rather than having overlapping regulatory programs run in parallel silos, leaders are benefiting from distilling common requirements (such as having a clear overview of your critical business processes and important business services), and addressing them with a central team that avoids the redundant work of documenting the bank two or three times.
What’s ahead in the next stage of data privacy risk management
Data privacy risk managers are in a race on two fronts: internally, to keep up with the pace of personal data generation, and externally, to keep up with the fast-evolving digital ecosystem in which financial products and services now exist, which brings a growing myriad of complex regulatory requirements. If the last five-year cycle saw banks trying to lay a foundation for compliance with their data privacy obligations, we believe the next one will require a shift in focus to delivering value for customers through the controlled storage, usage, and sharing of their personal data. It’s clear from our analysis that the leaders are well-positioned to capitalize on this opportunity, and so any institution that doesn’t see itself in the above conclusions needs to act promptly to avoid being left behind.
Contributing Oliver Wyman authors Mark James, partner; Simon Knudsen, consultant; and Johannes Thoma, engagement manager.