Chasing the GDPR ambulance

6 March 2018

“Have I got PPI?” that particular earworm is thankfully going to die out soon with the deadline for claims defined and most of the market tapped out. However, brace yourself for another annoying jingle along the lines of “Get a new car with GDPR”. What am I talking about? The weaponization of the General Data Protection Regulation into an ambulance chaser’s dream.

Anyone for a ride on the Ambulance?

I never actually tried to do a data access request through the current DPA legal process as it looked tricky and frankly cost me money for but I will admit I did look at PPI, unsuccessfully, as that process was painful. In comparison, GDPR Data subject Access requests look like no-brainers. Firstly, it will cost me nothing to play, that’s part of the regulation, and I’m likely to have a lot of easy to access resources to help me. As a colleague recently said, it only takes a well-placed article and a pro-forma letter from Martin Lewis or other money-saving experts and the party really starts for my customers, the banks and financial services companies that have been mobilising resources to respond by 25th May this year.

Just as a reminder here are some relevant facts about the GDPR:

  • You can request your personal data from any organisation you think might hold information about you.
  • That’s your bank, building society, insurance provider, utility providers, companies you’ve shopped with, or any of the above who you have had any contact with.
  • The request costs you nothing.
  • The firm has 30 days to respond with all the data they hold about you (that’s not just database records but includes scanned paper formats, CCTV footage, and other non-structured data) its use and justification, all in a machine-readable format.
  • If they can’t respond – they must provide compensation in the form of a payment of an unspecified amount, but it’s likely to be non-trivial given the profile of the regulation and the companies concerned.
  • If you disagree with the company’s records you can ask for remediation.
  • There is nothing stopping you repeating this process with other companies, or the same company, although they may start charging if they have complied and it could be deemed as “excessive”.

If your brain works like mine – you’ll see the words 30 days and compensation as a route to quite a nice holiday next year, or the deposit on a new car – and I’m sure less scrupulous individuals are probably making their first mover plans already.

Front line services under attack

This all sounds really positive to me, as an individual, but for my clients, this amounts to an enterprise wide Denial of Service attack. Given the timeframes it’s likely they can implement something to register, track and reply to Access Requests. They can probably hold off the storm for a bit with identity verification challenges for their non-customers, but they will have to tie up a large part of the operational capability of the firm to get close to the 30 day time limit on a response That’s all assuming they know where the data is and who the customer is in that data, which are both non-trivial questions. Single view of Customer programmes have been implemented in recent years with varying degrees of success, but the downside of not completing those programmes fully have been some dissatisfied customers and poor PR rather than an actual financial or regulatory hit.

Some repurposed Data lineage tools and e-discovery platforms may offer some hope of automation, but they are unlikely to be able to cover the entirety of the problem and will still need a significant amount of human hand-holding and data manipulation/redaction to fully satisfy the regulation.

Now this might hurt a little, or a lot

So, the most practical option right now seems to be a war-chest, a temporary army of manual low-cost workers (by increasing the number of people with access to sensitive data) and a prioritised plan to fix the problems and to size, the war-chest making sure it doesn’t run empty. If not, then the regulator will be knocking on the door to examine the books. It’s going to be painful, it’s not going to be over quickly and it’s going to slow down the pace of innovation in the Financial Services sector, for example, the impact of PSD2 and the increasing openness of Banking.

There is however, a positive side to the whole painful experience. If the firm can use the investment to remediate the issues and to stabilise, simplify and reduce the TCO across their estate, this might actually pay off in the longer run. In the interim, it’s going to be best practice to understand, manage and defend your quick and dirty fixes to the regulator and other interested parties while the longer terms permanent fixes are applied in a controlled way. That’s a whole other topic I may defer to a later blog.

What’s the emergency?

Thankfully there are tools available in the marketplace that will take away pain points. Icon have collaborated with Digital Control Room, to create the GDPR Integrator, the only tailored solution designed exclusively for the financial sector to demonstrate compliance, data optimisation and streamlined system processes.

Contact us

If you would like to know more about the GDPR Integrator that will pacify the GDPR regulators, please contact email


Don’t miss a thing! To receive future blogs and insight updates from Icon Solutions, simply register your details below:

You can unsubscribe at any point by clicking the link in our emails. Read our Privacy Policy.

* indicates required

Mady Dyson