Article

Understanding GDPR: How will the Financial Services sector be affected?

The answer is most definitely, yes. Below are some examples of how the GDPR will affect you if you operate in this industry.

Scope The GDPR covers instances where it is not obvious to whom data relates - location data or IP addresses – yet you are still able to identify an individual from that data. You need to be aware that location data, collected in car insurance telematics  boxes, Mobile Apps or IP addresses collected in website analytics will be caught by the GDPR.
Processors The application of the GDPR to data processors comes close to striking a fairer balance between data controllers and data processors. You must ensure that there are adequate contracts in place governing data processors.  You may find that data processors will request warranties from you.
Fair processing information The GDPR contains more prescriptive obligations than Directive 45/96/EC including that: (i) if data is obtained directly from the data subject, the notice must state whether replies to questions are obligatory, and arising consequences of failure to reply; and (ii) if the data is not obtained directly from the data subject, the notice must list the categories of data processed. You will need to review your privacy notices so these comply with the GDPR. Particularly challenging to you operating in the financial services industry is to specify:
(i) processing grounds relied upon; and (ii) data retention periods.
Processing conditions and exemptions Processing conditions for sensitive personal data were not expanded to include processing of sensitive personal data when necessary for the purposes of a contract.  The stricter requirements on obtaining consent under the GDPR means that it is difficult for you to obtain consent for ancillary purposes. Clearly there are cases where the performance of the contract must be conditional on the data subject giving their explicit consent to the processing of sensitive personal data – for example with regard to a health insurance policy.  You, however, cannot rely on that consent to process sensitive personal data for other reasons – say, profiling.
Profiling The GDPR introduces a new right: not to be subject to a decision based solely on profiling which produces a legal or other similarly significant effect.  In circumstances where profiling is permitted, you must implement suitable measures to safeguard the data subject’s rights and interests. This new right is likely to have a significant impact on you given that many activities in the financial services sector involve systematic profiling of individuals. Whilst profiling for mortgage eligibility are likely to remain permissible as they are necessary for a contract, big data projects with outputs including targeted marketing, fraud detection, favourable customer identification will all be affected.  Profiling for marketing purposes will always require explicit consent.
New right of data portability The GDPR introduces a new right for data subjects. On request, you must: (i) provide the data subject with a copy of their personal data provided by him or her to you (not data which you generated) in a structured, commonly used and machine readable format; and (ii) not hinder the data subject’s transmission of personal data to a new data controller. This right will apply to most personal data held by you as it will be held electronically, either because it is necessary for the purposes of a contract or on the basis of consent.  Problem areas for you are likely to be how the data is accessed and combined into a structured, commonly used and machine readable format.
Meeting this obligation may be complex as you may hold such personal data on different systems or on legacy systems which are not be compatible with newer software.
New right of erasure The GDPR provides data subjects with a new enhanced right to request erasure of their personal data. Data subjects do not need to prove substantial unwarranted damage or distress or inaccuracy. This change is likely to have a material impact on you given that you sought to retain personal data for as long as possible to maximise potential use.  Data subjects will have unrealistic expectations of their rights and you need a clear and documented reason why you are keeping personal data.
Data protection by design and default The GDPR introduces the concepts of data protection by design and by default which are much more specific than the current general obligation to have appropriate security in place under Directive 45/96EC. A culture of data protection by design and by default will need to be embedded across all business areas to ensure that data protection is considered at the very first step of any new business planning and at every stage thereafter.  This will require your taking up the matter with your information application providers’ to ensure that your applications are rendered compliant and that future versions meet the GDPR’s requirements.
Breach notification The GDPR demands that you report a data breach not later than 72 hours “after you first become aware of it.” If the notification is made after 72 hours you must state the reason for the delay. It is critical for you to have a data breach response plan in place to enable a quick reaction to identify and contain a breach and to notify the IDPC, ideally within the 72 hour period.
Anonymous and pseudonymous data The GDPR introduces definitions of anonymous and pseudonymous data. With the formal recognition of pseudonymisation as a security technique, it seems likely that the Information and Data Protection Commissioner (IDPC) may penalise you if you suffer a data breach where the data is in fully identifiable rather than pseudonymised form.
Enforcement The GDPR significantly increases the level of fine issued, widens the circumstances in which a fine is issued, and provides the IDPC with additional investigative and corrective powers. Fines can be issued against both you and data processors. We recommend that given the increase in fines and the range of circumstances in which they can be imposed GDPR compliance should regularly feature on the boardroom agenda. We advise that the GDPR is given the same scrutiny as that afforded to financial services regulation – AML, etc.
Did you find this useful?