GDPR and Financial Services


The European Union has introduced a new regulation on data protection, known as the GDPR. It takes effect in May 2018 for all companies handling the personal data of customers residing in EU or EEA countries.

GDPR in a Nutshell

The European Parliament approved the GDPR in April 2016. It takes effect in May 2018, after a two-year transition period.

The basic principle behind the GDPR is to give citizens more control over their data. Companies also benefit from a level playing field, since the rules are the same for all.

GDPR in short

This is what the GDPR requires:

  • Users must give consent to data processing (for what purpose and how the data is handled…).
  • Data must be used only for the purpose it was collected for.
  • Protecting children: age limits for parental consent.
  • Profiling and marketing communications: user consent is required and opting out must always be possible.
  • “Right to be forgotten”: users must be able to request that their data be deleted.
  • Access and portability: there must be a way to access and download personal data from the service.
  • Users must be informed of data breaches.
  • Moving data outside the EU: legal arrangements must be in place to ensure GDPR compliance.

What makes the GDPR so important is that it applies to all companies and organisations processing or holding the personal data or behavioural data of individuals residing in the European Union (and EEA), regardless of the company’s own location. So, if you have customers in the EU region and you process their data, you have to apply the rules.

It is not just the end-user service that has to comply; all parties participating in the data processing have to be compliant (subcontractors etc.). One cannot say “I am just a subcontractor, I don't have to apply the GDPR”. Every link in the service chain is responsible for the user's personal data.

Impact on Digital Services?

Data protection has to be taken seriously in financial services development, and services need to consider what the GDPR requires of them. Companies can be fined up to 4% of annual global turnover for breaching the GDPR, so there are significant financial incentives as well. This means that even the biggest internet service companies have to take the regulation seriously and comply with the rules. PwC did a study on how US companies are preparing for the GDPR; see the results here.

Services have to give the user an option to truly delete their personal data from the service. I see this as a very good requirement, and one that most users will appreciate. Currently, you cannot always know what a service really does with your personal data when you leave it.

The requirement that the user has to be able to download their data from the service will force services to be more open. In practice, there will be many different technical implementations, and I don't think that true data portability will be achieved. Services don't have an incentive to make it easy to start using a competitor's service. But at least when you want to stop using a service, you can take the raw data with you (in some format or other) and store it yourself.

The GDPR is a very user-oriented regulation and will truly empower users to control their personal data on the internet!

More about the subject:

Interactive guide to data protection regulation (EU website).

One-page infographic about the regulation (IT Governance).

How to prepare for the data protection regulation (Finnish Data Protection Ombudsman website, in Finnish).