Pinch Points for Finance Sector Data Protection Compliance
16 May 2017
Changes to data protection in the EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, will have a significant impact on financial institutions and will require a review of existing methods of handling and using personal data. To give a flavour of the changes and how they may affect financial institutions or businesses operating in financial sectors, we highlight below two potential compliance pinch points:
- Procedural Changes
Financial institutions will need to document the personal data they hold, its origins and who it is shared with. In addition, GDPR will create a requirement to build data protection into the creation of new products and services. This may require fundamental changes to current procedures, policies and systems. There will also be an obligation to keep the collection, processing, storage and accessibility of data to a minimum. Put simply, financial institutions should only collect and process personal data required for an intended purpose, and personal data should not be retained for longer than that purpose requires.
There are also changes to how consent is viewed under the GDPR: any consent has to be “freely given, specific, informed and unambiguous”. In addition, consent will be specific to particular data processing operations. Financial institutions collect significant amounts of personal data and will no longer be able to rely on silence, the use of pre-ticked boxes or inactivity to meet the consent requirement for processing personal data. For more sensitive information, ‘explicit’ consent will need to be obtained, requiring an individual to ‘opt in’ (via a tick box, for example) or provide declaratory consent.
Financial institutions have to process increasing amounts of personal data on customers for regulatory purposes, including anti-money laundering, financial crime, borrower affordability and reporting purposes, and need to put in place the necessary steps to ensure compliance with GDPR.