Were you perplexed by the recent bombardment of emails concerning privacy policies? Since you’re reading this, you likely know that it was due to the European Union’s General Data Protection Regulation (GDPR) going into effect on 25 May of this year. Its purpose is to protect data subjects’ control of and access to their personal information. The regulation applies to any organisation processing the personal data of EU citizens, regardless of where the company itself is located.
How Does GDPR Affect Financial Institutions?
While GDPR affects all businesses, financial institutions are particularly impacted due to the sheer quantity of sensitive personal data they collect and process. The specific areas below of the legislation will require special attention.
The GDPR endeavours to give individuals more transparency and control over their personal information. Firms must obtain consent from their customers to collect any data. They must also be able to explain the purpose of the data collection. Additional consent may be necessary if the organisation intends to share the information or transfer the data outside of the EU.
Right to Data Erasure and Right to Be Forgotten
Individuals may request access to review their information and in some cases to have their personal information removed.
If there is a breach of data privacy, the data controller must report it to regulators within 72 hours.
The data controller’s vendors or other data processing entities engaged to process customer data must also abide by GDPR rules. Keep in mind that while a data controller might not have caused a breach suffered by their sub-contractor, under GDPR the data controller is still held responsible and needs to promptly report the breach. This arrangement will, no doubt, require well defined contractual obligations to ensure that vendors notify their data controllers in time to meet the reporting obligations.
Privacy by Design
To comply with GDPR, data controllers and processors must demonstrate that organisational and technical controls have been put in place to ensure compliance. All responsibility is on the data controlling company, and if there is a breach, regulators will examine the steps taken to safeguard data when determining fines.
What About PSD2?
As GDPR has just come into effect, it has garnered most of the attention of late. There are, however, additional directives with implementation deadlines approaching for banks. Central is the second version of the Payments Service Directive (PSD2). While PSD2 was transposed into local legislation in January 2018, the actual implementation deadline is 14 September 2019. PSD2 will enable bank customers to use third party providers (TPPs) to manage their finances.
To allow these TPPs access to information, banks will be required to open Application Programming Interfaces (APIs) that will allow these third parties to build financial services on top of the banks’ data and infrastructure. Hold one second! Haven’t we just enacted legislation to regulate sharing of personal information? And now banks also must follow a directive designed to increase seamless sharing between entities? Isn’t that a bit counter-intuitive?
Actually, it’s quite reasonable. The intention behind both GDPR and PSD2 is that individuals, as owners of their data, should have some control of that data. The regulations were also enacted to facilitate the safe and efficient flow of data globally. PSD2 is intended to improve competition and innovation, because the banks will no longer be able to monopolise access to their clients’ financial information.
How banks proceed under both GDPR and PSD2 remains to be seen. Penalties for failure to comply with the GDPR include hefty fines—€20 million or four percent of global annual turnover for the preceding year, whichever is higher. Given that fact, banks will likely err on the side of caution and follow GDPR more strictly if ever the two rules come into direct opposition.
One thing is certain—while it does seem that GDPR and PSD2 were created in silos, banks should avoid a siloed response. It would be wise to have a single point of contact for both initiatives involving experts from as many divisions as possible—security, IT, HR, marketing, legal, etc. Banks ought also to consider compliance with GDPR and PSD2 as an opportune time to address their API security. High profile data breaches linked to API vulnerabilities are growing at an alarming rate. At this point, Brexit is immaterial; laws and directives surrounding data privacy are an inevitable component of doing business globally in the twenty-first century. Banks must take the opportunity to address necessary changes and decisions, transforming their operations not only for basic compliance, but also for efficiency and optimum customer satisfaction.
Katabat is PCI DSS and SOC 2 certified and we have solutions to assist with data transparency, customer consent and data security & privacy. To learn more about how we can help your organisation comply with GDPR, contact us at firstname.lastname@example.org.