This paper, through examining the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – short GDPR), aims to demonstrate its significance in financial sector along with the impact on complex management of marketing activities inside specific financial institutions. In the theoretical part of this contribution brief history of data protection and evolution of concept of GDPR will be explained. Main principles and innovations that are of key importance for future positive developments in the field will be discussed with emphasis on relationship between banks and direct marketing. Additionally, selected results of the primary research oriented on personal data protection from consumers’ point of view in Slovakia will be presented (online questionnaire was fulfilled by 355 respondents). Further we will try to identify the challenges bank have to meet while adhering towards the new directive.
Research and methodology
To gain attitudes and knowledge of the Slovak public on the issue of personal data protection, we carried out a primary quantitative survey by querying using an online questionnaire that were distributed through a shared link, via e-mail, social networks, as well as internal networks in organizations. The research was conducted between May and June of 2018, two critical months considering the adaption of the new directive in May 25. 355 respondents fulfilled the questionnaire which consisted of mix of controlled variables and series of questions focused on issue of personal data protection. Out of this number 304 records were considered as completely filled and had all questions answered. Additionally there are more limitations within the frame of the sample size selection and the results are presented in the descriptive manner as the research conducted in 2018 cannot be considered as a representative one. But this research can be used as a pilot survey. To present a comprehensive view, we selected 10 questions oriented solely on personal data and banking sector in Slovakia. Moreover, few of the questions were compared with the research conducted in 2009 by the Institute for Public Opinion Research at the Statistical Office of the Slovak Republic for Personal Data Protection Office of Slovak Republic. In comparison with this research, the technique has changed slightly and switched towards digital environment (meaning that the questionnaires were distributed primarily electronically). Controlled variables remained the same: gender, age, nationality, education, home size and region as well as monitored basic set of Slovak population aged 18 and more remained preserved.
Findings
Firstly, 5 criteria concerning the demographic characteristics were examined: the age of the respondents, the region in which they live, the size of the commune in which they lives, education and gender.
Graph 1: Age of the respondents
Source: Authors
As might be seen from the Graph 1 above, many respondents are in working age, which is a group of citizens directly affected by the Directive.
The second demographic question we stated is concerning regions of Slovakia in which the respondents live. The distribution of respondents by region is shown in Graph 2 bellow.
Graph 2: Region of the respondents
Source: Authors
From the graph above we can observe that up to 49% of respondents live in the Bratislava region. We noticed uneven distribution of respondents according to the different parts of Slovakia they live in.
The third question was the size of the commune. The aim was to find out in which large municipality the respondent lives and whether the size of the commune influences the respondents´ knowledge and attitudes towards the protection of personal data.
Graph 3: Size of the commune
Source: Authors
Again, we can see the dominance of the capital city, which was already evident in the previous question. However, other municipalities are relatively evenly represented. We need to point out that the capital Bratislava was excluded from group of county towns.
The fourth demographic question was focused on education of respondents.
Graph 4: Education of the respondents
Source: Authors
It is clear from the graph that the survey included mainly residents with secondary education with A-levels and with university education. The last demographic question was the respondents’ gender.
Graph 5: Gender of the respondents
Source: Authors
From the graph we clearly see that 69% of respondents were women. The next question was to find out which personal data respondents consider to be the most vulnerable in terms of abuse.
Graph 6: Which personal data respondents consider to be most vunerable in terms of abuse?
Source: Authors
It is clear from the above graph that respondents perceive their personal identification number as the most sensitive personal data, followed by property and financial information, together with biometric data and the name and surname, and up to fifth place data on health status. Compared with the survey conducted by the Institute for Public Opinion Research at the Statistical Office of the Slovak Republic for the Office for Personal Data Protection Office of Slovak Republic in 2009, there was a slight shift in the preferences of respondents. In the 2009 survey, on the third place respondents reported that they perceived data on health status and biometrics as the most sensitive personal data.
Graph 7: Six most sensitive personal data from the perspective of the respondents education (in %)
Source: Institute for Public Opinion Research at the Statistical Office of the Slovak Republic 4/2009
Graph 8: To whom have you already provided some of your personal information?
Source: Authors
Respondents could choose more options because we assumed that they have encountered with this situation of providing their personal data repeatedly. The result is that respondents most often provide their personal data to banking institutions and insurance companies, which is the expected outcome, as these institutions need that kind of personal information to provide their service and to communicate and trade with the customer. On the third place respondents reported social networks, which is a surprising result since social network account is not necessary for existence unlike the bank account. Fourthly, respondents state government and public authorities. We assume that respondents do not realize that government and public administration have all the personal data of the citizens, because they need them for effective communication, and in particular for collection of taxes and local fees, for example, for communal services. Furthermore, respondents provide their personal data to retailers that use them for their loyalty programs, other financial institutions, such as leasing companies, marketing companies along with non-bank companies as well.
Graph 9: How do you trust named companies to protect your data?
Source: Authors
Responses were predictable. Banks and insurance companies have trust of approximately 90% of respondents that they will protect the personal data of their clients. Government and public administration are followed by over 70% of support. Other types of subjects have more mistrust than the confidence of respondents to protect their personal data. the greatest mistrust is laid on the non-bank lenders and social network operators. In the 2009 survey, citizens least trust the marketing companies, then leasing companies and insurance companies. On the contrary, citizens have the greatest trust in state administration bodies and subsequently in banks. It can be said that, as compared to 2009, banks have gained trust in the population by almost six percent, on the contrary, marketing companies have lost ten percent. It may be attributed to the fact that in the 2009 survey, consumer clubs and marketing companies were not divided, but they were in one group. In spite of this, the decline in reliance is approximately three percent. Interestingly, there is also confidence in insurance companies, when respondents expressed their mistrust of only ten percent in their survey and 29% in the 2009 survey, as seen in graph below.
Graph 10: To which information system operator do you trust the least?
Source: Institute for Public Opinion Research at the Statistical Office of the Slovak Republic 4/2009
Graph 11: Where do you think there is the greatest chance of misusing your personal data?
Source: Authors
The results have shown that consumers perceive financial institutions as safe. Secondly state and public authorities are viewed as equally safe. Network operators such as telecommunications or energy suppliers or others are also relatively safely perceived. The level of safety below 40% is achieved by the consumer clubs and 30% belongs to online shops. As the least safe are perceived by respondents´ personal data on social networks.
Again, it is interesting that the preference of the toward danger of social networks, online shops and consumer clubs does not change depending on whether the respondent is a member of a consumer club, has a social networking account, or purchases online via an online store.
Regarding the issue of personal data security, we investigated further whether the respondents had experienced the misuse of personal data.
Graph 12: Has anyone misused your personal data?
Source: Authors
Graph 13: If you answered yes, would you indicate how?
Source: Authors
Just a minor group of respondents said they had somehow misused their personal data. The most frequent answer of respondents was that they were victims of unsolicited telemarketing, 6 respondents said they had been victims of fraud/crime in connection with the misuse of personal data, and finally one respondent stated that his account on social network had been stolen.
On the next question, we checked the knowledge of respondents about who they are supposed to contact if they suspect a misuse of personal data.
Graph 14: Who can you contact if you think your personal information has been misused?
Source: Authors
It is alarming that up to 40% of respondents said they did not know whom to contact if they suspected the misuse of personal data. Only 14% of respondents would contact the Office for Personal Data Protection of the Slovak Republic. Other respondents would contact the police.
We have also focused on the attitudes of respondents to the protection of personal data. The next question was whether respondents met with the requirement to copy the papers. When respondents met with the requirement to copy the papers, we identified the document.
Graph 15: Did you meet the requirement to copy your papers?
Source: Authors
Graph 16: If you answered yes to the previous question, which one?
Source: Authors
Up to 86 percent of respondents said they met with the requirement to copy the papers. Most often this was ID card, then a health insurance card, followed closely by a birth certificate. 76 respondents said they were asked to produce a copy of the driving license, and little less responded that they had met with a copy of a passport. It follows from this that copying personal documents in Slovakia is a common practice. Compared to the 2009 survey of the Institute for Public Opinion Research at the Statistical Office of the Slovak Republic, an interesting shift can be observed. In this survey, as in our survey, most respondents said that most often the operator copied ID card, closely followed by evidence of education, birth certificate, health insurance card, driving license, marriage certificate and passport. Overall, in the survey in 2009 61% of respondents have met with practice of photocopying of the papers, which is 17% less than in our survey conducted in 2018.
Graph 17: Have you met with the fact that the IT system operator wanted to make a photocopy of one of the following official documents? (in %)
Source: Institute for Public Opinion Research at the Statistical Office of the Slovak Republic 4/2009
In the last question, we investigated whether the respondents are satisfied with the legal protection of personal data.
The survey shows that only 23% of respondents think that personal data are adequately protected by law. On the contrary, 35% of respondents think that personal data is not sufficiently protected by law. 42% of respondents were not able to comment on this particular issue.
Graph 18: Do you think that your personal data are adequately protected by law?
Source: Authors
Conclusion
In connection with GDPR and due to newly adopted Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Laws, published in the Collection of Laws of the Slovak Republic, financial institutions are very much aware of the need to obtain approval from their clients for the needs of their marketing departments if there is no other legal basis (e.g. contractual relationship, legitimate interest). Due to the complicated acquisition of public acceptance for marketing potential customers, banks are looking for new ways to segment and create an addressable message for effective marketing communications. This contribution at least partially present results of research where we compared the attitudes and views of the public about the current data protection regulation in Slovakia in connection with the introduction of a new European Parliament and Council Directive on the protection of personal data. We compared the chosen results with the historical survey of 2009 and we also looked at changes in selected attitudes of the Slovak public in the last decade.
During the process of conduction of research we were surprised by the willingness of the Slovak public to pass on their personal data to social network operators despite the fact that they do not trust them to protect the data against data leak or abuse and at the same time consider social network operators to be dangerous in case of misuse of their personal data. At the same time, the Slovak public is unfamiliar with the issue of personal data, does not know who to contact in case of leakage or misuse of personal data and is mostly unaware of the supervising authority. However, it must be added that confidence in individual information system operators, also in commercial banking, is gradually increasing, as demonstrated by public attitudes in comparison with the year of 2009.
In conclusion, consumers are more increasingly aware of their privacy rights. Following the implementation of the European Directive into the Slovak legal order, they are confronted with the rules on the protection of personal data at every step. It is already a standard that every organization, including commercial bank, informs the consumer that it processes its personal data and asks for consent to work with this kind of information. Current legislation allows us to retract our current consent in the future and even force the operator of information system to forgo our personal data. This option has been almost unattainable in the recent past. On the other hand, information system operators will have evidence and assurance that the client of a bank has given his consent and can be segmented, analysed and attracted by personalized proposal ready only for him. General rule in direct marketing field is that the more personalized message is, the higher effectiveness it brings.
End of Part II.
Poznámky/Notes
This contribution is the partial result of the research project VEGA 1/0876/17.
Literatúra/List of References
[1] BankingHub, 2017. General data protection regulation, BankingHub, 2017. [online]. [cit. 2018-05-19]. Available at: <https://www.bankinghub.eu/banking/finance-risk/general-data-protection-regulation>
[2] Datalan, 2018. General data protection regulation. Kybernetická bezpečnosť pre finančné inštitúcie. Datalan, 2018. [online]. [cit. 2018-05-19]. Available at: <https://www.datalan.sk/tmp/asset_cache/link/0000030888/Bezpecnost%20Financne%20institucie_brozura_web.pdf>
[3] European Commission, 2018a. 2018 reform of EU data protection rules. European Commission, 2018. [online]. [cit. 2018-05-19]. Available at: <https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en>
[4] European Commission, 2018b. Data protection. European Commission, 2018b. [online]. [cit. 2018-05-19]. Available at: <https://ec.europa.eu/info/law/law-topic/data-protection_en>
[5] European Union law, 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General data protection regulation) (Text with EEA relevance). European Union Law, 2016. [online]. [cit. 2018-05-19]. Available at: <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC>
[6] i-Scoop, 2018. Data processing principles: the 9 GDPR principles relating to processing personal data. i-Scoop, 2018. [online]. [cit. 2018-05-19]. Available at: <https://www.i-scoop.eu/gdpr/gdpr-personal-data-processing-principles/>
[7] Joyn, 2017. Data protection – impacts of GDPR in the banking & financial sectors. Joyn, 2018. [online]. [cit. 2018-05-19]. Available at: <https://www.joynlegal.be/images/actualite/Newsletter%20GDPR%20-%20JOYN%20Legal.PDF>
[8] eugdpr.org, 2018. Key changes of GDPR. eugdpr.org, 2018. [online]. [cit. 2018-05-19]. Available at: <https://www.eugdpr.org/the-regulation.html>
[9] Office For Personal Data Protection, 2018. Directive of European Parliament. Office For Personal Data Protection, 2018. [online]. [cit. 2018-05-19]. Available at: <https://dataprotection.gov.sk/uoou/sk/main-content/nariadenie-gdpr>
[10] Piwik PRO, 2017. GDPR in banking. Piwik PRO, 2017. [online]. [cit. 2018-05-19]. Available at: <https://piwik.pro/blog/gdpr-in-banking-web-analytics/>
[11] Scanlan, A., Is your bank ready for GDPR? 2018. [online]. [cit. 2018-05-19]. Available at: <http://m.bankingexchange.com/news-feed/item/7503-is-your-bank-ready-for-gdpr>
[12] SmartInsights, 2017. A long road ahead for direct & digital marketing under the general data protection regulation (GDPR). SmartInsights, 2017. [online]. [cit. 2018-05-19]. Available at: <https://www.smartinsights.com/marketplace-analysis/digital-marketing-laws/long-road-ahead-direct-digital-marketing-general-data-protection-regulation-gdpr/>
[13] SmartInsights, 2018. Implications of the GDPR for marketing in UK and Europe. SmartInsights, 2018. [online]. [cit. 2018-05-19]. Available at: <https://www.smartinsights.com/tag/gdpr/>
[14] Stratégie, 2018. GDPR a digital. Stratégie, 2018. [online]. [cit. 2018-05-19]. Available at: <https://strategie.hnonline.sk/marketing/1761916-gdpr-a-digital-najviac-suhlasov-davame-pre-e-mail-newslettre>
[15] Štarchoň, P., Faltys, J. and Dzugasová, J., 2004. Priamy marketing alebo Priama cesta ako si získať a udržať zákazníka. Bratislava: Direct Marketing Beta, 2004. ISBN 80-969078-5-9.
[16] Štarchoň, P., 2017. Bankový marketing. Princípy a špecifiká. Praha: Wolters Kluwer, 2017. ISBN 978-80-7552-948-0.
[17] Tapp, A., Whitten, I. and Housden, M., 2014. Principles of direct, database and digital marketing. London: Pearson, 2014. ISBN 978-0-273-75650-7.
Kľúčové slová/Key Words
GDPR, data protection, direct marketing, banks, financial sector
GDPR, ochrana údajov, priamy marketing, banky, finančný sektor
JEL klasifikácia/JEL classification
M31, K10
Résumé
Dopad GDPR na banky na Slovensku – marketingový prístup. Časť II.
Príspevok prostredníctvom rozboru Nariadenia Európskeho parlamentu a Rady Európy (EÚ) č. 2016/679 z 27. apríla 2016 o ochrane fyzických osôb pri spracovaní osobných údajov a voľnom pohybe takýchto údajov a o zrušení Smernice 95/46/EC (GDPR) má za cieľ demonštrovať svoj význam vo finančnom sektore spolu s dopadom na komplexné riadenie marketingových aktivít v rámci špecifických finančných inštitúcií. V teoretickej časti tohto príspevku bude vysvetlená stručná história ochrany údajov a vývoj koncepcie GDPR. Hlavné princípy a inovácie, ktoré majú kľúčový význam pre budúci pozitívny vývoj v danej oblasti, budú diskutované s dôrazom na vzťahy medzi bankami a priamym marketingom. Okrem toho budú prezentované vybrané výsledky primárneho výskumu zameraného na ochranu osobných údajov z pohľadu spotrebiteľov na Slovensku (online dotazník bol vyplnený 355 respondentmi). Ďalej sa budeme snažiť identifikovať výzvy, ktoré musí banka splniť pri dodržiavaní novej smernice.
Recenzované/Reviewed
6. jún 2018 / 11. jún 2018