GDPR aims to standardise data privacy laws and mechanisms across industries, regardless of the nature or type of operations.
Because of growing concerns regarding identity theft, cyberattacks, hacking, unethical use and safety of personal data, the new legislation due to come into force on 25th May 2018 in the EU is designed to safeguard the rights of EU citizens.
Importantly, GDPR is meant to empower EU citizens and make them aware of the kind of data held by institutions and of their rights to the protection of personal information.
Banks and other financial firms are no strangers to regulation; adhering to these guidelines requires the collection of large amounts of customer data, which is then collated and used for various activities, such as client or customer onboarding, relationship management, trade booking and accounting. During these processes, customer data is exposed to a large number of different people at different stages, and this is where GDPR comes in.
There are five key areas where GDPR legislation will have its biggest impact.
Under the terms of GDPR, personal data refers to anything that could be used to identify an individual, such as a name, email address, IP address, social media profile or social security number. Firms will be required to gain consent from customers for the personal data that is gathered, so that individuals know what information organisations are holding. There will no longer be automatic opt-in.
Firms should clearly outline the purpose for which the data was collected and seek additional consent if they want to share the information with third parties; in other words, GDPR will ensure customers retain rights over their own data.
2. Right to data erasure
GDPR empowers every EU citizen with the right to data privacy. Under the terms, individuals can request access to, or the removal of, their own personal data from banks without the need for any outside authorisation. This is known as data portability. Financial institutions may keep some data to ensure compliance with other regulations, but in all other circumstances where there is no valid justification, the individual’s right to be forgotten applies.
3. Consequences of a breach
Companies have so far been able to adopt their own protocols in the event of a data breach. We have seen this with some very large, well-known companies that have been hacked and had data stolen; sometimes it takes a long time for companies to admit they have had a data breach. GDPR mandates that data protection officers report any data breach to the supervisory authority for personal data within 72 hours.
They will have to inform the authority of the nature of the breach, the categories and approximate number of individuals affected, and the contact details of the data protection officer.
The customer must also be notified about the breach, how it may affect them and what the company will do to remedy it, and this must be done without undue delay.
GDPR is also set to impose fines in the event of a significant breach. For serious violations, such as failing to gain consent to process data or a breach of privacy by design, companies will be fined up to €20m ($23m) or four percent of their global turnover – whichever is greater.
Lesser violations, such as records not being in order or failure to notify the supervisory authorities, will incur fines of two percent of global turnover, in addition to potential reputational damage and loss of future business.
IT systems form the backbone of every financial firm, with client data continually passing through multiple IT applications. Since GDPR is associated with client personal data, firms need to understand all data flows across their various systems. Similarly, non-EU organisations working in collaboration with EU banks or serving EU citizens need to ensure vigilance while sharing data across borders.
In effect, GDPR gives end-to-end accountability to make sure client data stays well protected; it does this by compelling not only the bank but also its support functions to embrace compliance.
5. GDPR encourages “pseudonymization” of personal data
The concept of personally identifying information lies at the core of the GDPR. Any “personal data,” which is defined as “information relating to an identified or identifiable natural person ‘data subject’,” falls within the scope of the Regulation. The Regulation does not apply, however, to data that “does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable.”
The GDPR introduces a new concept in European data protection law – “pseudonymization” – for a process rendering data neither anonymous nor directly identifying. Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Pseudonymization, therefore, may significantly reduce the risks associated with data processing, while also maintaining the data’s utility. For this reason, the GDPR creates incentives for controllers to pseudonymize the data that they collect. Although pseudonymous data is not exempt from the Regulation altogether, the GDPR relaxes several requirements on controllers that use the technique.
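The separation the paragraph above describes, as an added illustration rather than anything from the original article: direct identifiers are replaced by a keyed pseudonym, the identity map and the key are the "additional information" held apart from the working dataset, and analytics still run on the pseudonymous records. An unkeyed hash is shown alongside to make the point that a pseudonym anyone can recompute from a guessable email does not provide the separation the Regulation has in mind. All records are constructed sample data.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records; names and addresses are invented, not real customers.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "amount": 120.0},
    {"name": "Bob Example", "email": "bob@example.com", "amount": 75.5},
    {"name": "Alice Example", "email": "alice@example.com", "amount": 30.0},
]
DIRECT_IDENTIFIERS = ("name", "email")


def weak_pseudonym(email: str) -> str:
    # Unkeyed hash: anyone who can guess the email can recompute the pseudonym,
    # so nothing is "held separately" and re-linking needs no extra information.
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_pseudonym(key: bytes, email: str) -> str:
    # Keyed hash (HMAC-SHA256): recomputing or linking requires the secret key,
    # which the controller stores apart from the pseudonymised dataset.
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Split each record into a pseudonymous part and a separately held identity map."""
    identity_map, output = {}, []
    for rec in records:
        subject = keyed_pseudonym(key, rec["email"])
        identity_map[subject] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        output.append({"subject": subject,
                       **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return output, identity_map


def totals_by_subject(pseudo_records):
    # The dataset keeps its utility: per-subject analytics need no direct identifiers.
    totals = defaultdict(float)
    for rec in pseudo_records:
        totals[rec["subject"]] += rec["amount"]
    return dict(totals)


def linkable_by_guessing(pseudonyms, candidate_emails, pseudonym_fn):
    # Risk check: a party holding only the dataset plus a list of plausible emails
    # can re-link a subject exactly when the pseudonym function needs no secret.
    return [e for e in candidate_emails if pseudonym_fn(e) in pseudonyms]
```

With the key kept out of the analytics environment, `linkable_by_guessing` finds nothing against the HMAC pseudonyms but re-links every guessed address against the unkeyed ones.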
GDPR is wide-reaching legislation, and many firms will need to act now to ensure their compliance.
A study published earlier this year by Close Brothers UK found that as many as 82 percent of the UK’s small and medium businesses were unaware of GDPR.