What is the General Data Protection Regulation (GDPR)?

Tom Hughes 11.08.2016

Data has always been an important part of the banking world and is becoming ever more integral to day-to-day operations, so it seems fitting that the regulations are updated accordingly as we hurtle towards 2017. Most organisations are already starting to ramp up project teams to help them deliver the new and improved GDPR (General Data Protection Regulation).

So, what is it? Does it impact me? What should I think about? And what skills are in demand right now to keep you best placed for a role in GDPR?

What is it?

The definition so far:

The Data Protection Directive is a European Union directive, created to regulate the processing of personal data within the European Union. Officially known as Directive 95/46/EC, the legislation is part of EU privacy and human rights law.

GDPR is 3 years in the making. It builds on the now 21-year-old Data Protection Directive, also known by the rather jazzy title of 'Directive 95/46/EC', and covers any company based in the EU.

Timeline for delivery

The new regulation comes into force on 25th May 2018, leaving most organisations less than 18 months to make the necessary (and often complex) changes to comply.

Consent

The biggest change to consent is the requirement for customers to “opt-in” (with proof collected that this was the case) before organisations can collect and hold data on individuals. Another key change is the ability for customers to withdraw their consent (also known as the “right to be forgotten”), which creates challenges for storing data and the associated evidence of consent, and for creating processes to remove data when requested.

Data Portability

At face value this is a seemingly simple requirement, but operationally, for organisations with complex systems or smaller firms that still hold lots of paper records (as crazy as it may sound, there are still some out there), it will be a challenging requirement to deliver on. Many of the banks already have projects up and running to provide data governance and create the building blocks for next year. GDPR requires data to be provided in a structured and commonly used format, something the banks have got used to through regulations such as the Current Account Switcher Service and the soon-to-be-delivered PSD2.

Data Breaches / Data Loss

Often a worst-case scenario but unfortunately all too common these days, GDPR adds a level of accountability in the event of a data breach or loss. There will be a legal requirement for the organisation's appointed data protection officer to notify the authorities “without undue delay”. Although negotiations continue on what “undue delay” will mean, in all likelihood it will mean “as soon as they become aware of the breach”, with a level of ambiguity attached. For customers this will also mean that they will be notified if impacted. Great news for us all as customers, but potentially challenging for PR departments around the country.

Penalties for non-compliance

These can vary from a slap on the wrist (a non-conformance letter) to the very severe (4% of annual worldwide turnover). There is sufficient financial risk in non-compliance to make it essential for companies to implement the regulation as best practice.

Does it impact me? What do I need to think about?

In short, yes! If you are responsible for data in any organisation, it will impact you more than most. If you have provided your data to any company you will be pretty interested too, especially in the newfound right to be forgotten.

What to think about as an organisation: delivery by 18th May 2018, getting explicit consent from customers for data to be held, providing the ability to delete customer data, and implementing processes for data breaches (and strengthening the way data is held).

As an individual, the major impacts will be having to provide consent to the companies you engage with, the ability to withdraw your consent at any time, and being better informed if your data is taken from any company you deal with.

Whether you are responsible for data within an organisation or are just a customer, the data landscape is changing rapidly. It will impact all of us, and it is going to be increasingly important to make informed decisions.

What skills are in demand right now?

There's a huge amount of change to deliver across all of our FS clients, and there's demand for professionals who have change experience and GDPR exposure. With work likely to be needed right up to the delivery deadline in 2018, skilled professionals are expected to be in short supply and at a premium, so feel free to contact me at thughes@morganmckinley.com if you feel your skill set would suit these opportunities, or if you need help building out your change team.

Tom Hughes, Senior Consultant