Unless you’ve been away for quite some time, you’ll be aware that the General Data Protection Regulation (GDPR) is due to come into force on 25 May 2018 and all businesses need to be aware of changes that will affect them.
Companies should be checking their data protection procedures now and starting to prepare for a far-reaching framework. Businesses now rely on technology and the transfer of data online more than ever before and technological change has increased the risk of data breaches occurring. The GDPR will represent the most significant change to data protection law in the last 20 years and seek to enhance the protection of individuals’ personal data.
Banks and other funders will need to be more aware of the GDPR requirements than most as personal data flows throughout financial institutions and the GDPR will, therefore, touch almost all aspects of a lender’s internal operations. Banks and funders also face an increased risk of litigation should a data breach occur due to the nature of the data they hold on customers and the adverse effect it can have on the individual. It is therefore likely that if you work for a bank or large financial institution processes are well underway to address the implementation of the GDPR.
What about boutique funders? The GDPR requirements apply here too and they need to ensure that they are prepared despite having fewer resources available to deal with large scale regulatory change.
In this blog post we’ll provide an overview of the key elements of the GDPR and next week we’ll be looking at some considerations to bear in mind when it comes to dealing with the GDPR and your customers.
So what are the key changes?
- Enforcement: fines for data protection breaches will increase to €20million or 4% of total worldwide annual turnover.
- Data Processors: data processors will now be directly liable for some matters that were previously just the data controller’s responsibility. This could impact businesses that hold and process data for their customers.
- Accountability: organisations will not just have to comply with the GDPR but will also have to do so in a demonstrable manner. Policies and procedures will need to be documented, updated and in some cases impact assessments must be undertaken. Organisations will also need to consider privacy implications when designing new processes, products or services (known as ‘privacy by design’ and ‘privacy by default’).
- Territorial reach: the GDPR will apply to organisations that process personal data to offer goods or services to individuals in the EU (irrespective of payment) or the monitoring of those individuals’ behaviours in the EU, even if the organisation does not have an ‘establishment’ within the EU.
- Rights of individuals: rights of data subjects will be extended and new rights granted such as rights to data portability and right to “erasure”. Consent to use an individual’s personal data must be given positively and individuals will be entitled to know the legal basis for holding their information. More detailed information must be provided to individuals about the processing of their data and subject access requests will now need to be completed for free and within one month.
- Data Protection Officer: some organisations will need to appoint a Data Protection Officer.
- Breach notification: data controllers will need to notify enforcement agencies within 72 hours of any breach of security relating to personal data which is likely to result in a risk to the rights and freedoms of individuals and, depending on severity, they may be required to notify the individual of the breach.
Specific risks for financial institutions
Large retail banks are likely to be familiar with the current data protection requirements when handling large amounts of personal data. They are particularly sensitive to the damage to reputation that could be caused by a data breach within one of their consumer facing services. But this does not mean they can carry on as they are and they will still need to review their procedures and processes to ensure they comply with the new requirements.
Under the GDPR, more onerous requirements will be introduced that will require investment by banks and funders in new IT systems and processes. These should be designed in a way that allows for the classification, tracking and removal of personal data instantly.
The GDPR also raises questions about just how funders will be permitted to use the data they hold on customers. Personal data is used to provide a customer focused service and developments in banking and financial technology have made it even more important for financial institutions to demonstrate that they are highly differentiated and can provide a more personal service to their customers.
However, the GDPR will require funders to notify individuals exactly how their personal data is being used and for what purposes. Furthermore, customers will be able to dictate what their information is used for much more easily than has previously been possible. It remains to be seen how much this will restrict larger financial institutions and their ability to provide a more personal service to customers. In a sector that relies heavily on this data to, for example, upsell products, automate loan decisions and cross-sell similar products based on a customer’s circumstances, it is no wonder some are concerned about meeting the implementation date of May 2018.
Next week’s post will look at some of the issues arising from the GDPR that a lender may need to bear in mind when dealing with a customer on a loan transaction.