GDPR: what fintech companies should do during the countdown

Posted by media on April 12, 2018 at 9:00 AM


The approval of the General Data Protection Regulation (GDPR) has created some opportunities and many challenges for banks and fintech companies alike. The idea behind this new legislation is that companies adopt a “safety from design” approach when developing their protection strategies and are more responsible with their customers.

So it doesn’t matter if you are a bank or a fintech company, preparation is the key to success. In this post, we offer some steps to follow before it is fully applied on 25 May.

This post is also available in Spanish.

  Table of contents

1. Understand the GDPR’s legal framework

2. Data audit

3. Record of activities

4. Modify privacy warnings and any other information

5. Prepare your team

6. Update consent obtained up until now

7. Review and repeat


Stay ahead of the change; the key to facing the GDPR

In fewer than two months, one of the biggest changes in the Europe Union regarding personal data protection will take place: the General Data Protection Regulation (GDPR).

Therefore, data protection is one of the main priorities of companies and freelancers that collect and process the personal data of EU citizens, but how can companies comply with this regulation? What steps should they follow?

The large number of data violations that appear in newspaper headlines should be a wake-up call that companies need to organise their data. However, despite the fact that the deadline is imminent, preparations for the GDPR are still irregular.

It is time to act quickly, organise data and implement measures that demonstrate compliance and, in doing so, avoid significant fines. With this objective on the table, we offer seven steps to start your journey to compliance from today.

Related post > GDPR: What implications does it have for FinTech companies?

First steps to prepare for the GDPR


1. Understand the GDPR’s legal framework

Although it sounds obvious, the first step is to understand the regulation and research its legal framework, which will help the data protection officer (DPO) you hire.

The EU encourages all organisations that process data to voluntarily name a DPO, although not all companies are obligated to do so. It will only be obligatory for public institutions and any organisation that processes confidential data as their main activity or does so on a large scale.
If you need one or finally decide to have one through your own initiative, act quickly.

Appropriate candidates with legal and technical experience are in short supply, given the high demand and concern from companies. 

2. Data audit

Now that you are informed and have the right staff, the next step will be to carry out a data audit. Understand what personal data from EU residents you have, where you store them and what kind of data processing you are carrying out.

The following are three key questions you should ask yourself:

1. What type of personal data do you process?
2. Where do you store them?
3. How are they accessed?

Once you have answered these questions, one piece of advice would be to delete any personal data that you don’t necessarily need for an ongoing process.

Companies that do not know what data they have or where they now store them will find it difficult to comply with the important requirements in time. You first need to know what data you have to then be able to protect them.

Once the data are identified, it is important to assess them to conclude which method is best to protect them, for example with encryption.


3. Record of activities

Article 30 of the GDPR requires a record of the processing activities performed. In other words, describe the data collected, why they are processed, who they are communicated to, whether they are transferred to third countries, what technical and organisational measures you will take to preserve their safety and when you will be able to delete them.

This data record will show your efforts towards compliance and avoid a fine of up to four percent of your business volume if there is an infraction.

      Related post > GDPR: what accountability measures does the EU Regulation require?

4. Modify privacy warnings and any other information 

Another of the measures that companies should perform will be to review and almost certainly modify their privacy warnings or any other information they use to communicate with their users about how they use personal data.

Under the GDPR, companies cannot have complicated and illegible terms and conditions. Users should be able to access these documents without any difficulties and they should be written in simple language that everyone can understand.

Given the changes required by the GDPR, is it very unlikely that the existing information is appropriate for the new legislation.

5. Prepare your team

Communication is key for any significant change and this is true here as well. It is essential to inform all members of your team, not just those whose jobs are directly affected.

It is very likely that the IT, marketing and legal professionals in your company already know about the GDPR but the team as a whole must understand the importance of maintaining data safety.

An open mentality in the culture of a fintech company or bank will certainly help to boost the adoption of new tools to comply with the new regulation.

GDPR_ Prepare_your_team_Fintech


6. Update consent obtained up until now

One of the fundamental bases for processing personal data is consent. The GDPR requires consent to generally be free, informed, specific and unambiguous.

To be able to understand whether consent is unambiguous, the regulation indicates that there must be a positive action that indicates the agreement of the interested party. Consent can no longer be deduced from silence or inaction.

Companies must review the way in which they obtain and record consent. Practices that are encompassed in so-called tacit consent and are accepted under the current regulation will no longer be accepted when the new regulation is applied.

In addition, the GDPR anticipates that in some cases consent must be explicit, such as for authorising the processing of biometric data. It is a stricter requirement and it will be necessary for the declaration to explicitly refer to the consent and processing in question when accepting an advanced electronic signature, for example.

It is worth taking into account that the consent must be verifiable and those that collect personal data must be capable of demonstrating that the person affected gave their consent.

7. Review and repeat

Finally, it would be a mistake to tackle these steps in a linear way. You can progress in each of these areas simultaneously. In fact, with the countdown towards the application of the GDPR in full swing, this would definitively be the best approach.

Therefore, the last step consists of reviewing the result from the previous steps and remedying any possible mistake when necessary through adjustments and updates. Ally kinds of precaution are needed in such a sensitive topic.



The sooner changes are implemented in fintech companies and traditional banks, the more time they will have to adapt their policies and use solutions from third parties that cover their needs.

Following these steps as of today not only reduces the risk of a data violation, but can also protect organisations from incurring fines and considerable damage to their reputation.

Finally, it is worth adding that once you have complete confidence in your systems and procedures, organisations will be able to request a data protection stamp from the EU, which will be a five-year certification of their processes.

This post is also available in Spanish.

New Call-to-action

Topics: GDPR

Blog Subscription

Recent Posts