Businesses across the globe, including those in the financial industry, will have to change the way they handle and protect consumer data to meet the requirements of the General Data Protection Regulation (GDPR), EU legislation that was enacted in May 2018.
GDPR covers data protection and privacy for individuals within the EU. It aims to give EU residents more control over their personal data and to serve as a guideline for organizations operating within the Union, including those that offer goods or services to EU residents. Organizations that breach the legislation can be fined up to 4% of their total global turnover, or an equivalent of 20 million euros.
This is why GDPR could have a far-reaching impact, especially on the financial industry. According to Signaturit — a service provider offering e-signature solutions — the regulation will impact FinTech companies in seven key areas.
1. Customer consent
GDPR explicitly requires companies to obtain customers’ consent before their data is collected and to clearly specify how the data will be used. In addition to obtaining prior consent from customers, FinTech companies are required to review any data collected prior to GDPR’s enactment and notify the customers concerned.
2. Biometric application for transaction approval
Biometrics, such as fingerprints and eye scans, have become widely adopted for identity verification. Companies must obtain explicit consent from data subjects and implement appropriate measures to protect their biometric data.
3. Right to be forgotten
GDPR grants all EU residents the right to be forgotten, meaning that they are entitled to ask companies to delete their personal data. In the case of financial institutions, customer data may be retained to the extent required by law. In all other circumstances, the data must be deleted upon request.
4. Data breach notification
Companies were previously able to adopt their own protocols when it came to data breaches. GDPR now requires companies to notify the supervisory authority of any data breach within 72 hours and to report the breach to affected users without undue delay. The breach notification must include details such as the nature and type of the breach, the approximate number of people affected, and the contact information of the data protection officer.
5. Supplier management
IT systems of financial institutions typically consist of applications and solutions offered by many suppliers, which means customer data passes through many hands and could be susceptible to leaks and breaches. These suppliers must also comply with GDPR. Likewise, financial institutions must be vigilant and ensure that data is sufficiently protected when it is shared across multiple systems.
6. Pseudonymization
GDPR encourages companies to protect the identity of data subjects by means of “pseudonymization” — a process that makes any linkage to the data subject impossible without additional information. Pseudonymization supports data protection by reducing the risks associated with data processing while preserving the data’s utility.
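As an added illustration of the pseudonymization principle described above (example code written for this page, not code from the article or from Signaturit), the following replaces the direct identifiers in constructed customer records with a keyed HMAC token; the secret key and the token-to-identifier lookup are the “additional information”, held separately from the pseudonymized dataset, and the record and field names are assumptions.

```python
"""Pseudonymization of customer records via a keyed hash (illustrative)."""
import hmac
import hashlib
import secrets

# Constructed sample records; the identifiers and amounts are fictitious.
CUSTOMER_RECORDS = [
    {"customer_id": "C-10001", "name": "A. Example", "balance_eur": 1520.00},
    {"customer_id": "C-10002", "name": "B. Example", "balance_eur": 87.45},
    {"customer_id": "C-10001", "name": "A. Example", "balance_eur": 1490.10},
]

# Fields that directly identify the data subject and must not stay in the dataset.
DIRECT_IDENTIFIERS = ("customer_id", "name")


def make_token(value: str, key: bytes) -> str:
    """Keyed hash of an identifier. Without `key`, plausible customer ids cannot
    be enumerated and matched against the tokens (a plain SHA-256 over a small
    id space would allow exactly that), so the key is the 'additional information'."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Return (pseudonymized_records, lookup). The lookup maps each token back to
    the original identifier values and is stored apart from the dataset."""
    out, lookup = [], {}
    for rec in records:
        token = make_token(rec["customer_id"], key)
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        clean = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        clean["subject_token"] = token  # same subject -> same token, so analytics still work
        out.append(clean)
    return out, lookup


def reidentify(record, lookup):
    """Re-link a pseudonymized record using the separately held lookup;
    raises KeyError when that additional information is not available."""
    return {**record, **lookup[record["subject_token"]]}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored outside the dataset
    data, lookup = pseudonymize(CUSTOMER_RECORDS, key)
    print(data)
    print(reidentify(data[0], lookup))
```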
7. Sanctions
Companies in violation of GDPR will be subject to higher sanctions than those stipulated in former regulations. In addition to the maximum fine of 4% of global turnover, or an equivalent of 20 million euros, companies found guilty of minor offences may be fined up to 2% of their total turnover.
Many experts believe GDPR will prompt other regions around the world to follow suit. Now is therefore the right time for companies to gain a better understanding of privacy and data protection, and then to remodel their existing systems to satisfy the regulation. Implementing privacy and data protection measures will further benefit companies, as it enhances their credibility and provides extra assurance to customers who are becoming more privacy-conscious.