
Will EU’s new data reg hit your bank?

Banking & finance Data privacy & security GDPR


Published May 9, 2017 · Updated August 2, 2018


This article originally was published on Banking Exchange.

Strict consumer data privacy and security regulations aren’t new to the financial services sector. However, the upcoming European Union General Data Protection Regulation (GDPR) and ePrivacy regulation add a new layer of complexity to existing practices, forcing financial service professionals to depart from business as usual when it comes to customer data. These regulations apply not only to banks and financial service companies in Europe, but also to U.S. banks that offer any services to EU residents and vice-versa.

For financial service marketers, GDPR’s tightening of data privacy rules seems directly at odds with a simultaneous mandate to innovate their digital strategy and use data to deliver better customer experiences. Customers demand highly personalized marketing, yet are rightly concerned about the security of their personal and financial data across channels, devices, and data owners.

GDPR creates new challenges for marketers that use data to target customers. Two factors compound this concern. First is the increased power granted to regulators to enforce these new rules—and impose significant fines for non-compliance. Second is the expansion of regulations to companies that control data of EU customers—regardless of the company’s location.

However, for financial services brands that prepare today, there are corresponding competitive advantages and opportunities to seize when GDPR goes into effect next year. Better privacy of personal data and better personalized marketing aren’t mutually exclusive.


Here are three GDPR challenges and opportunities that financial service brands must tackle today to prepare for GDPR.

GDPR in Banking Industry

1. Explicit consent

Post GDPR, financial service brands will no longer be able to fall back on implied consent or pre-ticked opt-ins to collect, use, and share personal data. This is a challenge because behavioral data (e.g. general website browsing) and transaction-related data (e.g. logging into online banking to complete a transaction) are rich sources of information used to build customer profiles and segments.

Marketers can use profiles and segments to target customers with personalized offers for loans, accounts, credit cards, insurance plans, and other products. With GDPR, banks and financial service brands will need to obtain explicit consent (opt in) from customers before continuing to collect data for this purpose.

This challenge is increased by the fact that consumers may also at any time request that the financial service brand permanently delete their data across all systems. The request covers marketing profiles and the data behind them; records a bank is legally obliged to retain for other reasons (transaction and anti-money-laundering records, for instance) are exempt from erasure, but must then be kept out of marketing use.


While marketers have targeted customers with data for a long time, most customers are unaware how these practices work. GDPR provides an opportunity for financial service brands to increase transparency with customers. The opportunity goes well beyond compliance to avoid fines, and marketers can take a proactive stance with data protection and privacy communication as a true market differentiator.

GDPR mandates that companies redesign and change how they communicate privacy disclosures to customers. Doing so in clear and transparent ways will create more general trust. This will increase the probability customers opt in to have their data shared. It will also make customers more comfortable and trusting when transacting business and sharing data across multiple digital channels and devices, which in turn will provide better data for personalized marketing.


2. Mandates to minimize data


“Big data” has circulated the marketing world for years. More recently, “smart data” came to the fore, as companies realize that actionable data is most important.

Under GDPR, financial service brands will be required to get even “smarter” about their data. This is because they’ll only be allowed to collect and process the minimum amount of customer data that’s absolutely necessary for a specific purpose.

This is a challenge as it requires financial service brands to adopt a more lean and deliberate approach to all of their customer data. Companies will no longer be able to simply collect and hold data indefinitely to figure out if it’s useful at some point—but will need to specify objectives and uses ahead of time.

Financial service brands will need to communicate these uses to customers as part of normal disclosures—and also dispose of the data after the objective is achieved.


While this requires more proactive work, minimizing data and disposing of it after a project or campaign provides competitive opportunities too.

Financial service brands should start now to establish better internal communications between data privacy/compliance officers, data analysts, and the marketers who ultimately use the data—whether for marketing on the brand’s website, or through other digital channels like email or a mobile app.

Needing to define a specific purpose for collecting and using customer data is positive for marketing strategy—both for the brand and the customer.

There are many data sources that financial service brands can pull from in order to target customers with specific products. This includes web/app analytics, CRM, and even offline data.

This new framework will help make marketing campaigns more relevant and targeted because the brand must start with an objective and define the specific data required for that campaign instead of saying: “We have a massive data set, what can we do with it?”

Minimizing the data that’s used for specific campaigns will increase the probability that the message will provide relevant value to each individual customer. Disposing of data also reduces security risk, since data you no longer hold cannot be leaked or breached, and helps ensure that stale or irrelevant data doesn’t make its way into a future marketing message.


3. Privacy by design


GDPR mandates the inclusion of data protection at the onset of any project or development of any system across the entire customer relationship. This includes when data is used internally or shared externally with third parties (e.g. a bank is making internal updates to its mobile app or shares customer data with a marketing automation technology vendor).

This requires financial service brands to have a handle on all of their data and understand who owns it, who can access it, and who uses it for what purpose. The challenge is increased by the fact that marketers use personal data in so many ways, such as IP addresses for geo-targeting; cookies for web personalization; and device identifiers for even more granular demographic targeting. GDPR treats all of these as online identifiers and therefore as personal data, so they fall under the same consent, minimization and retention rules as a name or an account number.
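The three obligations above (explicit opt-in before collecting marketing data, collecting only the fields a stated purpose needs and disposing of them when the retention period ends, and treating IP addresses as personal data that must be protected at the point of collection) can be enforced in the event pipeline itself rather than left to policy documents. The following Python is an added illustration written for this article; it is not Piwik PRO code, and the purpose names, field sets, retention periods and the decision that fraud monitoring needs no opt-in are assumptions chosen for the example.

```python
# Added example (not Piwik PRO code): purpose-bound collection of analytics
# events with explicit opt-in, field minimisation, IP truncation, retention
# and subject erasure. Purpose names, field sets, retention periods and the
# consent requirement per purpose are hypothetical assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
import ipaddress

# Purpose registry: which fields each purpose may keep, for how long, and
# whether it needs the customer's explicit opt-in. Values are assumptions.
PURPOSES = {
    "fraud_monitoring": {
        "fields": {"account_id", "timestamp", "ip", "event"},
        "retention_days": 90,
        "needs_consent": False,   # assumed to rest on a legal obligation, not consent
    },
    "personalised_offers": {
        "fields": {"account_id", "timestamp", "page", "event"},
        "retention_days": 30,
        "needs_consent": True,    # marketing profiling: opt-in required
    },
}


def anonymise_ip(ip: str) -> str:
    """Zero the host part (last 8 bits of IPv4, last 80 bits of IPv6) so the
    stored address still supports coarse geo-targeting but no longer singles
    out one device."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


@dataclass
class ConsentLedger:
    """Explicit opt-ins per account and purpose; absence of a grant means no consent."""
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, account_id: str, purpose: str) -> None:
        self.grants.setdefault(account_id, set()).add(purpose)

    def revoke(self, account_id: str, purpose: str) -> None:
        self.grants.get(account_id, set()).discard(purpose)

    def allows(self, account_id: str, purpose: str) -> bool:
        return purpose in self.grants.get(account_id, set())


def minimise(event: dict, purpose: str, ledger: ConsentLedger, now: datetime) -> Optional[dict]:
    """Return the record to store for `purpose`, or None if nothing may be collected."""
    spec = PURPOSES[purpose]
    if spec["needs_consent"] and not ledger.allows(event["account_id"], purpose):
        return None                                   # no opt-in: collect nothing
    kept = {k: v for k, v in event.items() if k in spec["fields"]}
    if "ip" in kept:
        kept["ip"] = anonymise_ip(kept["ip"])         # pseudonymise what is kept
    kept["purpose"] = purpose                         # record why it was collected
    kept["expires_at"] = now + timedelta(days=spec["retention_days"])
    return kept


def purge_expired(store: List[dict], now: datetime) -> List[dict]:
    """Dispose of records whose retention period for their purpose has passed."""
    return [r for r in store if r["expires_at"] > now]


def erase_subject(store: List[dict], account_id: str) -> List[dict]:
    """Honour an erasure request: drop every record for the account, whatever its purpose."""
    return [r for r in store if r["account_id"] != account_id]


if __name__ == "__main__":
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("acct-42", "personalised_offers")
    # Constructed sample event carrying more fields than any single purpose needs.
    event = {"account_id": "acct-42", "timestamp": now.isoformat(), "ip": "203.0.113.77",
             "page": "/loans", "event": "view", "user_agent": "Mozilla/5.0", "device_id": "d-9f3"}
    store = [r for r in (minimise(event, p, ledger, now) for p in PURPOSES) if r]
    print(store)                                              # two purpose-bound records
    print(purge_expired(store, now + timedelta(days=31)))     # offers record gone after 30 days
    print(erase_subject(store, "acct-42"))                    # erasure clears both
```

The design point is that consent, field selection and the expiry date are decided once, at the moment the event is written, by a registry the compliance officer can review; the `user_agent` and `device_id` fields in the sample never reach storage because no registered purpose lists them, and a record that does reach storage carries its own purpose and expiry so the purge job needs no further lookup.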


Again, the benefits of GDPR compliance transcend avoiding fines. Compliance gives marketers confidence to engage with customers across more digital channels. It can also protect against customer churn—a critical point when marketing investment to acquire new customers is much higher than it is to retain and upsell existing ones.

According to Capgemini Consulting: “Security concerns deter nearly half of consumers (47%) from using digital channels. It will also reduce churn and attract competitors’ customers— 74% of consumers would switch their bank or insurer in the event of a data breach.”

Regarding technology, financial service brands should start assessing their existing platforms. These include cloud platforms, data analytics platforms, data management platforms (DMPs), and the appropriate tools for compliance and general best data practices ahead of and after GDPR. This includes platforms for GRC (governance, risk & compliance) and CRM (customer relationship management).

In many cases, financial service brands will need to completely modernize or shift their data infrastructure to ensure GDPR compliance.

Many of these solutions are provided or hosted by large public marketing cloud vendors. Under GDPR each such vendor is a data processor that must be bound by a data processing agreement and must itself be able to honor consent withdrawal, erasure and retention limits, so companies need to weigh these solutions against other platforms, such as those they build in-house or in a private cloud environment. The latter provide greater control and more flexible data management.

While it may look as though technology needs to catch up to the law, Aurélie Pols, a data governance and privacy expert, makes the interesting observation in an entry on our company blog that the opposite may be true: GDPR is about the law catching up with technology.

What does GDPR mean for marketing’s future?

Data is—and will continue to be—the lifeblood of marketing insights and digital campaigns for financial service brands. As GDPR gets closer and eventually goes into effect, these companies will need to find the best way to comply with all new regulations, but not sacrifice the best customer experience across all digital marketing channels.

The three examples above only touch on a few of the regulations banks and financial service brands must address to stay compliant.

The good news is that customers continue to show willingness to exchange personal data for more personalization. But the ability to protect that data is important to customers when deciding what bank, credit card, or insurance company to use. New data regulations like GDPR don’t need to hamper these efforts, and in fact, when planned for correctly, they provide many opportunities to sharpen and enhance those marketing efforts while gaining the long term trust of customers.



Maciej Zawadziński

Advisory Board Member at Piwik PRO

A serial entrepreneur and angel investor with a background in AdTech, MarTech and online privacy. Over the last 15 years, Maciej has built and scaled several enterprise SaaS and services companies, including Piwik PRO. As the CEO of Piwik PRO, he grew the company from €0 to €10M ARR. He is currently focused on Next New Ventures, an operator-backed fund that invests in entrepreneurs and brings deep expertise in scaling global B2B SaaS products and IT services companies.
