GDPR and financial services: What does it mean?


Cloud Pro

17 Jul, 2019

Whether your business is in marketing, IT, retail, the services industry or another sector, and whether it’s small or large, GDPR will have made life just that little bit harder. Since coming into force in May 2018, the new rules have hit every company and industry that deals in data, in other words, everyone.

Designed to give data subjects far greater control over how their data is collected and processed, and to provide regulatory alignment across the EU, companies now need to be far more careful when it comes to data.

GDPR dictates what, how and when data can be collected and processed. It requires companies to be far more transparent about the ways they use customer data for their services, and imposes far stricter rules about the disclosure of data breaches.

One of the sectors most affected by the changes is the financial services industry, particularly as it already has to comply with a number of existing regulations that may not always complement responsibilities under GDPR.

Below we look at the various responsibilities a company now has as part of GDPR, and how they pertain to the financial services industry.

Complying with GDPR and other financial regulations

The Information Commissioner’s Office (ICO) has advised that GDPR does not contradict any existing regulatory requirements that financial services firms need to adhere to. There are exceptions to the new regulations that allow data processing specifically where it is necessary to comply with other legal obligations. Regulators such as the Financial Conduct Authority also work closely with the ICO and account for data protection rules when releasing their own guidance.

Consent

Consent is one of a number of legal justifications for processing data, however, outside of marketing industries, it is arguably the weakest legal basis. Organisations should consider carefully what legal basis fits best for their processing needs, a list of which is detailed on the ICO’s website. Provided you are able to justify the processing of data in other ways, explicit consent is not always needed.

Right to be forgotten

The ‘right to be forgotten‘, as set out under article 17 of GDPR, gives data subjects the right to have their data removed from a company’s systems and excluded from marketing material and data collection.

This is not an absolute right, however, as the article stipulates criteria on what data can be removed, and the defences a company can use to reject a request. For example, data must be removed if consent is withdrawn, unless the business has an alternative legal basis for collecting it.

Each request needs to be considered carefully and judged in isolation. If any company refuses a data deletion request, it must be prepared to justify this decision.

The need for a data protection officer (DPO)

Some companies are unsure whether they need to appoint a DPO or not, but the ICO guidance on the subject is quite clear and offers a checklist to assist businesses in meeting their GDPR obligations in this respect. 

“The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities,” the ICO states. 

“DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.”

A DPO can be an existing or newly appointed employee and can also work in this role across multiple organisations, according to the ICO. However, they must be an absolute expert in data protection, have the resources available to them to help them do their job – of monitoring compliance, informing and advising of obligations and providing the necessary advice – and report directly to the highest level of management in the organisation. 

Data breaches

GDPR regulations stipulate that organisations report any data breach to the supervisory authority of personal data within 72 hours. This should contain details about the breach, the categories and estimated number of people impacted, and contact details of the DPO. 

ICO guidance states: “From 25 May 2018, if you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of any risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. You do not need to report every breach to the ICO.

It’s important to also reassure customers, partners and employees that you are following the necessary procedures and certain certifications to ensure continued GDPR compliance in order to avoid a data breach occurring in the first place or at the very least minimising its impact. The information security standard ISO 27001 is one such certification. 

The ICO states: “You must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. You should remember that while information security is sometimes considered as cybersecurity (the protection of your networks and information systems from attack), it also covers other things like physical and organisational security measures.

“You need to consider the security principle alongside Article 32 of the GDPR, which provides more specifics on the security of your processing. Article 32(1) states:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’

“Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals lives may even be endangered in some extreme cases.”

Managing vendors

Financial firms will have client data passing through several applications. GDPR means that firms will need to understand how data flows through these. Personal client data can also be exposed to external vendors, such as outsourcing partners. GDPR enforces accountability right across the data flow to ensure that personal data stays protected.