The Impact of the EU General Data Protection Regulation on the Financial Services Industry in relation to Customer Consent
The European Union (EU) General Data Protection Regulation (GDPR) has been the most lobbied regulation in the history of the European Parliament [1], to the tune of 4,000 amendments. The reason is the monumental impact it will have on companies doing business in the EU and even non-EU businesses targeting European data subjects. It is expected to have the most significant effect on the financial sector, where billions of financial records and personal data transactions are handled annually. Broadly speaking, financial service providers are woefully unaware and unprepared for the mandate, rendering them exposed to serious risk and severe sanctions. Despite being first announced in 2012 and being formally approved by the European Parliament on April 14th 2016, as of April 2016 20% of IT decision-makers in the UK are still unaware of the new regulation [2].
The protection of personal data from breach, leak or attack is one of the biggest issues facing the financial sector today. In response, what the EU General Data Protection Regulation seeks to do is unify data protection procedures within the European Union and place EU citizens in control of their personal data by providing a minimum set of standards on the use of data. In the past ten years, the spread of globalization, rapid advances in technology, and the subsequent avalanche of data privacy concerns have rendered the EU Data Protection Directive 95/46/EC (1995) insufficient, and in 2012 the European Commission proposed the first draft EU General Data Protection Regulation to replace it. In March 2014 the European Parliament approved its own version, and on June 15 the Ministers of Justice of all 28 European Union member states, sitting as the Council of the European Union, adopted their own version – known as the ‘General Approach’.
In January 2016 the EU General Data Protection Regulation passed the final stage of the EU legislative process known as the ‘Trilogue’. This is a negotiation between representatives of the three institutions – the Council, the Commission and the Parliament – at the end of which the final text of the draft regulation was agreed. On April 14th 2016 the GDPR was approved by the European Parliament in a decisive vote, which was called “A great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age” by Jan Philipp Albrecht, who steered the legislation through Parliament. Albrecht also commented that as a result of this approval “Citizens will be able to decide for themselves which personal information they want to share” [3]. As a regulation rather than a directive, it will be immediately imposed on all 29 EU Member states after the two-year transition period and will not require any enabling legislation to be passed by member governments. This means that these laws will be enforced and fines will start in May 2018.
Here is a topline summary of some of the new rules in the General Data Protection Regulation (GDPR) [4,5] –
Perhaps the most significant change the GDPR proposes is the concept of obtaining customer consent, and it is arguably this change that will have the most significant impact on the financial industry. In short, the General Data Protection Regulation states that in order for personal data to be processed by a controller or processor, they must have proof of freely-given, informed, clear and affirmative data subject consent. To fully understand the impact on financial service providers within the EU, it is important to define the terms as laid out in the GDPR [9] –
The conditions for consent are further defined in Article 7 –
What does this mean for Financial Institutions? Put simply, before a bank collects, processes, digitizes, or shares any customer data it must first receive auditable customer consent for each operation, or where consent is not the legal basis of processing, the specific legal basis must be captured. It means that the broad blanket terms of agreement or conditions will no longer be valid and financial service providers’ current standard of implied authorization will be insufficient. Explicit consent will become mandatory and separate from terms and conditions – requiring banks to fundamentally rethink the way in which they collect and handle customer data.
Trunomi believes in empowering individuals to be in control of their own data. The company strongly advocates that citizens should be aware of why and how their personal data is being collected and processed and be afforded the right of refusal to share. In turn, financial service providers should be able to operate with confidence, safe in the knowledge that regulations are met and that the service experienced by their customers is a seamless one.
Trunomi’s consent capture and data rights management platform complies with the EU General Data Protection Regulation consent requirements and generates customer- and counterparty-authenticated, regulatory-compliant, auditable certificates in real time. In today’s climate of increased legal scrutiny and reputational vulnerability, it is unthinkable for an organization within this sector not to make every effort to reduce corporate risk and eliminate liability, especially in relation to global data protection challenges. Regardless, explicit consent governed by the EU General Data Protection Regulation will soon become a necessity rather than a choice. But, predictably, it will be those that move first and proactively that will win out.
For more information on EU GDPR see www.eugdpr.org