
Written by adm

Posted on: December 1, 2021

How does GDPR affect Financial Services?

Not long ago, before smartphones, bank transactions were made face to face. People did not have to think much about passwords or data theft, and hackers and cyber criminals were not among the risks people considered. With advances in technology, the risk of data theft has increased significantly, and so has the need for regulation and protection against such activities.

Moreover, financial institutions process high volumes of personal data on a daily basis.

Every financial institution that processes personal data will need a legal basis to proceed with data processing. Processing shall be lawful only if and to the extent that at least one of the following applies:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Generally, financial institutions will process personal data to fulfil their obligations under a contract with the data subject, such as an account contract, a credit contract or an insurance policy, or to comply with a legal obligation. Provided that the processing is necessary for this purpose, no further legal basis is needed.

For processing operations that are not required for the performance of an agreement, institutions need another legitimate basis, such as the data subject’s consent, which must be “freely given, specific, informed and clear”. This requires, in particular, the provision of adequate information on the right to consent. For this reason, institutions may not rely on broad terms and conditions or blanket permission statements; they will have to ask the individual separately for each specific type of financial operation.

Most of the data that financial institutions process is confidential and sensitive. This means there is potentially a high risk to the rights and freedoms of individuals, so this sector is on the radar of the supervisory authorities, who are authorised to perform audits and impose administrative fines.

So, how can you as a financial institution ensure compliance with the GDPR?

1. Streamline your data infrastructure and governance

2. Hire a Data Protection Officer (DPO)

3. Be transparent

4. Understand your privacy risk and your level of data security

5. Reduce the amount of data

6. Understand how third parties use your data

7. Know where your data is stored

What Key Technologies Can Help Financial Organizations Handle the Requirements of GDPR?

Electronic discovery tools comb through diverse information sources and perform keyword matches to discover hidden troves of information locked away on a desktop or server, in an email account or uploaded to a cloud service. These tools can also be used for GDPR tasks, helping an organisation identify stores of personally identifiable information (PII) as it builds a data inventory.

Advanced threat monitoring and protection tools also help to enhance financial institutions’ security posture by building profiles of normal activity and then detecting deviations from those behaviours.

GDPR compliance frameworks are designed for the specific purpose of storing and tracking compliance.

Subject access request portals also provide a boost to GDPR compliance efforts by offering a single interface to receive, track and respond to requests for information, as well as the exercise of a consumer’s rights over personal information.

Contact

I hope you find this useful. If you need an EU representative, have questions about the GDPR, or have received a SAR or regulatory request and need help, you can contact us at any time. We are always happy to help...
GDPR Local Team.
