The impact of the EU General Data Protection Regulation on the Financial Services Industry in relation to Customer Consent

Posted 23rd July 2015 in Whitepaper

The European Union (EU) General Data Protection Regulation (GDPR) has been the most lobbied regulation in the history of the European Parliament [1], to the tune of 4,000 amendments. The reason is the monumental impact it will have on companies doing business in the EU and even non-EU businesses targeting European data subjects. It is expected to have the most significant effect on the financial sector, where billions of financial records and personal data transactions are handled annually. Broadly speaking, financial service providers are woefully unaware and unprepared for the mandate, rendering them exposed to serious risk and severe sanctions. Despite being first announced in 2012 and being formally approved by the European Parliament on April 14th 2016, as of April 2016 20% of IT decision-makers in the UK are still unaware of the new regulation [2].

The protection of personal data from breach, leak or attack is one of the biggest issues facing the financial sector today. In response, what the EU General Data Protection Regulation seeks to do is unify data protection procedures within the European Union to place EU citizens in control of their personal data by providing a minimum set of standards on the use of data. In the past ten years, the spread of globalization, rapid advances in technology, and the subsequent avalanche of data privacy concerns have rendered the EU Data Protection Directive 95/46/EC (1995) insufficient, and in 2012 the European Commission proposed the first draft EU General Data Protection Regulation to replace it. In March 2014 the European Parliament approved its own version, and on June 15 the Ministers of Justice of all 28 European Union member states, sitting as the Council of the European Union, adopted its own version – known as the ‘General Approach’.

In January 2016 the EU General Data Protection Regulation passed the final stage of the EU legislative process known as the ‘Trilogue’. This is a negotiation between representatives of the three institutions – the Council, the Commission and the Parliament – at the end of which the final text of the draft regulation was agreed. On April 14th 2016 the GDPR was approved by the European Parliament in a decisive vote which was called “A great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age” by Jan Phillip Albrecht, who steered the legislation through Parliament. Albrecht also commented that as a result of this approval “Citizens will be able to decide for themselves which personal information they want to share” [3]. As a regulation rather than a directive, it will be immediately imposed on all 29 EU Member states after the two-year transition period and will not require any enabling legislation to be passed by member governments. This means that these laws will be enforced and fines will start in May 2018.

Here is a topline summary of some of the new rules in the General Data Protection Regulation (GDPR) [4], [5]:

  • Territorial scope: The GDPR extends regulations from EU companies to include those organizations outside of the EU processing data relating to EU citizens
  • Security: Tightened and broadened security where data protection and privacy is by design and default
  • Data Protection Officers: to be appointed to ensure data protection compliance within organizations where over 5000 records are processed or there are 250+ employees (mandated appointment of a Data Protection Officer is not required in Council’s draft)
  • Data breaches & right to know: Data breaches need to be reported within 72 hours and a notification to the affected individuals sent ‘without undue delay’
  • Data portability (right to easy access to one’s own data): where individuals are able to request copies of personal data being processed in a format usable by the person, and so they are able to transmit electronically to another processing system
  • Data erasure (or the ‘right to be forgotten’): When an individual asks for their data to be deleted (i.e. they withdraw consent), provided there are no legitimate grounds for retaining it, the processors or controllers must comply. NB: this article is intended to empower individuals, not erase past events or restrict freedom of the press
  • Stronger enforcement & fines: Higher fines and sanctions introduced for noncompliance – up to 4% of global turnover

Perhaps the most significant change the GDPR proposes is the concept of obtaining customer consent, and it is arguably this change that will have the most significant impact on the financial industry. In short, the General Data Protection Regulation states that in order for personal data to be processed by a controller or processor they must have proof of freely-given, informed, clear and affirmative data subject consent. To fully understand the impact on financial service providers within the EU, it is important to define the terms as laid out in the GDPR [9]:

  • Personal data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
  • Data Controller: The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law
  • Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller
  • Processing: Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
  • Data Subjects’ Consent: Any freely-given, specific and informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.

The conditions for consent are further defined in Article 7.

What does this mean for Financial Institutions? Put simply, before a bank collects, processes, digitizes, or shares any customer data it must first receive auditable customer consent for each operation, or where consent is not the legal basis of processing, the specific legal basis must be captured. It means that the broad blanket terms of agreement or conditions will no longer be valid and financial service providers’ current standard of implied authorization will be insufficient. Explicit consent will become mandatory and separate from terms and conditions – requiring banks to fundamentally rethink the way in which they collect and handle customer data.

Trunomi believes in empowering individuals to be in control of their own data. The company strongly advocates that citizens should be aware of why and how their personal data is being collected and processed and be afforded the right of refusal to share. In turn, financial service providers should be able to operate with confidence, safe in the knowledge that regulations are met and that the service experienced by their customers is a seamless one.

Trunomi’s consent capture and data rights management platform complies with the EU General Data Protection Regulation consent requirements and generates customer- and counterparty-authenticated, regulatory-compliant, auditable certificates in real time. In today’s climate of increased legal scrutiny and reputational vulnerability, it is unthinkable for an organization within this sector not to take all efforts to reduce corporate risk and eliminate liability, especially in relation to global data protection challenges. Regardless, explicit consent governed by the EU General Data Protection Regulation will soon become a necessity rather than a choice. But, predictably, it will be those that move first and proactively that will win out.

For more information on EU GDPR see www.eugdpr.org

References

  1. http://www.globalbankingandfinance.com/significant-impact-of-new-eu-data-protection-regulation-on-financial-services/
  2. http://www.compliancy-services.co.uk/news/article/4576/uk-businesses-unaware-of-eu-data-laws
  3. http://www.europarl.europa.eu/news/en/news-room/20160407IPR21776/Data-protection-reform-Parliament-approves-new-rules-fit-for-the-digital-era
  4. https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-EU-data-protection.htm
  5. http://www.eppgroup.eu/news/data-protection-reform-timetable
  6. https://privacyassociation.org/media/pdf/resource_center/GODPO_GDPR_impact_UK_05-15.pdf
  7. http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2012/0011/COM_COM(2012)0011_EN.pdf
  8. http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf
  9. http://www.haerting.de/sites/default/files/pdfs/proposal-eudatap-regulation-final-compromise-151216.pdf