The EU General Data Protection Regulation (GDPR), which comes into force on May 25th 2018, aims to empower EU consumers with greater rights, control and visibility over the data companies hold about them.
Crucially, the GDPR doesn’t just affect companies operating in EU member states, but any company (inside or outside the EU) that holds the data of EU citizens.
So how do financial services companies comply with the GDPR? And what are the implications for marketing to EU consumers?
Here’s what you need to know…
Oversight of GDPR will be carried out by each EU member state’s relevant Data Protection Authority (DPA). For example, the Information Commissioner’s Office (ICO) will be responsible for ensuring compliance in the UK.
The GDPR provides additional rights and safeguards for EU citizens over the personal data companies hold on them.
Firms must gain explicit consent from consumers or clients to gather any personal data such as name, email, phone, income, social media profile, IP address or social security number. Automatic opt-in or the use of pre-checked tick boxes will no longer be accepted. Additional explicit consent must be obtained if firms want to share the data with third parties.
Under the GDPR, EU citizens have the right to data privacy. This includes the automatic right to view personal data held about them. Upon request, companies must provide the data in a clear, easily readable format within one month.
EU citizens are also free to port their personal data from one financial services company to another, should they wish.
Whilst there is no requirement to provide the data in an industry-standard format, it must be presented in an easily understood, clear format no later than one month after the port request.
An EU citizen has the right to be forgotten, by having their data deleted from your database. However, if the data is needed to fulfil legal or regulatory requirements, the request can be denied. The decision to refuse deletion must be justifiable and the reasons behind it clearly explained to the individual.
Once discovered, data breaches need to be reported within 72 hours to the relevant Data Protection Authority (DPA). They’ll want to know the full details of the data breach, why it happened, how many individuals are affected, and the likely consequences for them.
The individual(s) affected may also need to be notified if the breach could lead to identity theft, financial loss, fraud, etc.
All firms need to have procedures in place to prevent breaches, and to handle and report them effectively if they do occur. Ensuring compliance will be the role of the Data Protection Officer (DPO) within your organisation, which is a requirement of GDPR. However, the DPO can be an internal or external appointment.
You can find out more about DPOs here.
Bear in mind the penalties for breaches can be severe. A major breach can result in a fine of up to 4% of a business’s global turnover or 20 million euros, whichever is greater. Smaller violations, such as poor record keeping, carry fines of up to a maximum of 2% of global turnover.
To comply with GDPR, every firm needs to check that client data is maintained accurately across the various software platforms it uses.
Personal information must be transferred securely and synchronised between both internal IT systems and the external third-party vendors (a.k.a. data processors) your business uses. Your DPO will have an important role in monitoring this.
Consider whether old data needs to be kept or can be deleted. If it’s unlikely to be used again, delete it.
If you want to re-engage your legacy clients, make sure you contact them to gain their consent before GDPR comes into effect. After May 25th 2018, the mere act of contacting a legacy client to request their consent would constitute a breach, as you won’t have their consent to do so.
The DPA will want to see evidence of compliance with GDPR across the organisation. For example, standard operating procedures and staff training must ensure there is GDPR awareness and focus on compliance amongst employees.
The above information is solely intended to provide you with an overview of GDPR. As ever, do your own research and due diligence to see the specific implications for your business. Here are some further reading resources to help: