26 October 2018

GDPR: who's not playing by the rules?

Rory Cardwell

By Rory Cardwell

As we wait for the first GDPR fines to start rolling in, we ask: are financial services at risk?

GDPR was first implemented in May of this year and the evidence suggests some companies are still struggling to adapt. Just last month Facebook revealed a massive security breach in which hackers gained access to nearly 50 million accounts. Under GDPR, Facebook could face a fine of up to $1.6 billion.

What is GDPR?

Companies that store personal data must make sure it’s properly protected - this is where Facebook had a problem - but GDPR is much wider than that. It requires companies to tell people what type of data is being collected about them and why. It makes them obtain consent from someone before collecting and using their data. And, crucially, the individual has to ‘opt-in’ to allow their data to be collected. They can no longer be opted in automatically – even if they’re then given the choice of opting out. Individuals also have the right to have all personal information held about them deleted on request - but it’s auto opt-ins that have grabbed our attention recently.

Has anything actually changed?

As part of our Customer Experience Ratings, we look at whether providers automatically opt customers into data consent. Our new Autumn 2018 ratings are the first we’ve conducted since GDPR was introduced, so we expected a massive decrease in this area. Surprisingly, this wasn’t the case.

Our research found that almost 40% of general insurance providers still automatically opt-in customers for data consent. This is down from the previous set of ratings - where it was around 60% - but still surprisingly high considering GDPR specifically prohibits it. On top of this, around 24% of companies that auto opt-in don’t even provide an opt-out option. Even more alarmingly, there’s a small number of providers that have introduced auto opt-in for data consent since GDPR was implemented! We found several examples of this when we compared the data from our previous set of – pre GDPR – ratings to the latest ones.

A serious compliance issue

As we’ve seen from the Facebook case, the penalties for not complying with GDPR are potentially huge. Perhaps providers just think they can get away with it, although this seems unlikely. Maybe it’s down to a lack of understanding of the regulations or internal compliance failings. Whatever the reason, it’s something companies need to get on top of, and quickly, if they want to avoid potentially disastrous fines running into the millions or even billions.