The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) will apply in full from 25 May 2018 and, although it is a European initiative, it may affect companies all over the world.
In this post, we analyse the direct consequences that this Regulation will have on FinTech companies.
This post is also available in Spanish.
European institutions have designed this Regulation with the aim of adapting data protection legislation to the way in which data is currently used in the digital setting. They have granted EU residents more control over how their personal information is accessed, communicated and stored, which is good news for all consumers.
Be that as it may, from a commercial point of view things are not so ideal. Although the Regulation will create a simpler and clearer legal environment for companies to operate in, and will allow customers to feel more secure when entrusting their data, the GDPR may have serious consequences for companies.
Many FinTech companies working specifically within the lucrative economic space of the EU may find it particularly challenging to comply with the GDPR, when it comes to obtaining their customers’ consent for processing their personal data, for example.
Furthermore, it does not matter whether a FinTech company has its headquarters in the U.S. or in China: if its services are aimed at consumers residing in the EU, it will be required to comply with the GDPR (Art. 3). Even FinTech companies whose services are aimed only at residents of the United Kingdom will be affected, as the GDPR will be in full effect before the United Kingdom leaves the European Union, and it is highly likely that the UK will adopt equivalent rules so that its citizens enjoy the same level of data protection as other European residents.
We analyse 7 key areas of the GDPR legislation that will impact the FinTech sector:
Article 4(1) of the GDPR defines personal data as any information relating to an identified or identifiable natural person, whom it calls the 'data subject'. This covers, for example, a name, an email address, an IP address, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Where a company relies on consent as the lawful basis for processing, that consent must be freely given, specific, informed and unambiguous (Art. 4(11) and Art. 7); tacit consent, silence and pre-ticked boxes no longer count. Companies must clearly describe the purpose for which the data is collected and must seek additional consent if they want to use the data for a new purpose or share it with third parties not covered by the original consent.
The GDPR's objective is thus to ensure that customers retain rights over their own data. FinTech companies therefore have to carry out a comprehensive analysis of how they collect natural persons' personal data, including data obtained before the Regulation applies on 25 May 2018, and verify whether that processing fully complies with it.
Financial services are adopting biometrics, such as fingerprints and iris scans, more and more frequently to identify their customers. It has been estimated that by 2020 biometric data will be one of the main forms of identification used in financial transactions, if not the main form.
Biometric data processed to uniquely identify a person is a special category of personal data (Art. 9). In this context, in addition to obtaining the data subject's explicit consent (or relying on another Article 9 exception) before collecting it, FinTech companies wanting to comply with the GDPR must also have controls in place that protect that data.
Those controls must ensure that the data controller takes the technical and organisational measures needed to prevent this special-category data from being exposed as a consequence of poorly managed systems (Art. 32).
The GDPR gives every data subject the right to request that a financial institution erase their personal data (Art. 17), known as the 'right to be forgotten'. Financial institutions may retain data where another legal obligation requires it (anti-money-laundering record-keeping, for example), but in all other circumstances where there is no valid justification for keeping it, the individual's right to erasure will prevail.
Up until now, when it came to a data breach, companies were able to adopt their own protocols. The GDPR now demands that data controllers report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Art. 33).
The notification must describe the nature of the breach, the categories and approximate number of data subjects and records affected, the Data Protection Officer's (DPO) contact details, the likely consequences, and the measures taken or proposed to address it. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified 'without undue delay' (Art. 34).
IT systems are the backbone of every financial firm, and customers' data continuously passes through multiple IT applications; at the same time, development and support departments are increasingly outsourced.
This model means that the data is significantly more exposed, since several suppliers have access to it. The GDPR therefore demands that these suppliers (processors) not be exempted from data protection obligations: processing must be governed by a contract and processors must offer sufficient guarantees (Art. 28). Similarly, organisations outside the EU that work with EU banks or provide services to EU residents must ensure that cross-border transfers of personal data are covered by appropriate safeguards (Chapter V).
In short, the GDPR imposes end-to-end responsibility for data processing so as to ensure that the data remains protected.
Pseudonymised data is personal data that can no longer be attributed to a specific individual without the use of additional information, provided that additional information is kept separately (Art. 4(5) GDPR).
The GDPR requires that this additional information be protected by technical and organisational measures ensuring that the data is not attributed to an identified or identifiable natural person. Pseudonymised data is still personal data (Recital 26), but the Regulation offers some relief when processing it: pseudonymisation is named as an appropriate safeguard both for security of processing (Art. 32) and for data protection by design (Art. 25).
For this reason, the GDPR creates incentives for companies to pseudonymise the data they collect by separating the data from the identifiers. Done properly, pseudonymisation can significantly reduce the risks associated with data processing while preserving the data's utility. Done with an unkeyed hash of a guessable identifier such as an email address, it offers little protection, because anyone with a list of candidate addresses can recompute the hashes and re-identify the records.
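The following Python script is an added example, not code from the original post: it shows the "separate the data from the identifiers" approach in working form. Direct identifiers (email, IBAN) are replaced by a keyed token computed with HMAC-SHA256, the token-to-identity lookup table is kept as a separate structure that would live in a separately secured store, and analytics run on the pseudonymised rows alone. It also contrasts this with the weak variant of an unkeyed SHA-256 over the email address, which a dictionary of candidate addresses defeats. The customer records, the key and the candidate list are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset: fictional customers, not real data.
# Two rows belong to the same person so that linkability can be shown.
CUSTOMERS = [
    {"email": "alice@example.com", "iban": "DE00 0000 0000 0000 0000 01", "country": "DE", "balance": 1250.00},
    {"email": "bob@example.org",   "iban": "FR00 0000 0000 0000 0000 02", "country": "FR", "balance": 80.25},
    {"email": "Alice@Example.com", "iban": "DE00 0000 0000 0000 0000 01", "country": "DE", "balance": 310.10},
]
DIRECT_IDENTIFIERS = ("email", "iban")


def make_token(key: bytes, identifier: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    Without the key, the token cannot be recomputed from a guessed identifier."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Split records into (pseudonymised dataset, separate lookup table).

    The dataset keeps only the token and non-identifying attributes; the lookup
    table (token -> direct identifiers) is the 'additional information' of
    Art. 4(5) and must be stored and access-controlled separately."""
    dataset, lookup = [], {}
    for rec in records:
        token = make_token(key, rec["email"])
        dataset.append({"token": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return dataset, lookup


def reidentify(token: str, lookup: dict):
    """Re-identification is only possible with access to the separate lookup table."""
    return lookup.get(token)


def total_balance_by_token(dataset):
    """Analytics that work on pseudonymised rows alone: per-customer totals."""
    totals = {}
    for row in dataset:
        totals[row["token"]] = totals.get(row["token"], 0.0) + row["balance"]
    return totals


def plain_hash(identifier: str) -> str:
    """The weak scheme: an unkeyed hash of the identifier."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def guess_email_from_plain_hash(digest: str, candidates):
    """Dictionary attack: recompute the unkeyed hash for each candidate address."""
    for cand in candidates:
        if plain_hash(cand) == digest:
            return cand
    return None


def guess_email_from_token(token: str, candidates, key: bytes):
    """The same attack against keyed tokens only works if the attacker has the key."""
    for cand in candidates:
        if make_token(key, cand) == token:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # in practice: from an HSM or secrets manager
    dataset, lookup = pseudonymise(CUSTOMERS, key)
    for row in dataset:
        print(row)                         # no email or IBAN in the analytics dataset
    print(total_balance_by_token(dataset))
    print(reidentify(dataset[1]["token"], lookup))
```

The key and the lookup table should never be deployed alongside the pseudonymised dataset; if both travel together, the separation that Article 4(5) relies on is lost and the whole set is simply personal data with extra columns.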
Those who do not comply will face much higher sanctions than under the previous rules. Serious infringements, such as processing without a lawful basis (for example, without valid consent) or breaching the data subject's rights, carry fines of up to €20 million or 4 per cent of total worldwide annual turnover, whichever is higher. Less serious infringements, such as failing to keep records of processing, failing to notify a breach to the supervisory authority, or failing to implement privacy by design, carry fines of up to €10 million or 2 per cent of turnover, whichever is higher (Art. 83).
One should also bear in mind that these economic sanctions are in addition to the potential damage to reputation and loss of future business.
Given the broad scope of the GDPR, traditional financial institutions and FinTech companies alike will need to re-model their existing systems, or design new ones around the concept of 'privacy by design', and integrate that concept into their operating models.
The GDPR applies from 25 May 2018, as mentioned above, so companies need to make changes as soon as possible: introducing them will require a considerable cultural change, not only in how the technology is managed but also in how people operate and in the processes they follow.