The Accelerated Growth blog

PPC, CRO, Marketing Automation and more


GDPR For Financial Services - What You Need To Know

April 11, 2018

The EU General Data Protection Regulation (GDPR), which comes into force on May 25th 2018, aims to empower EU consumers with greater rights, control and visibility over the data companies hold about them.

Crucially, the GDPR doesn’t just affect companies operating in EU member states, but any company (inside or outside the EU) that holds the data of EU citizens.

So how do financial services companies comply with the GDPR? And what are the implications for marketing to EU consumers?  

Here’s what you need to know…

Under the GDPR, EU citizens have a right to privacy, which includes having their data deleted from your database.

GDPR Oversight

Oversight of GDPR will be carried out by each EU member state’s relevant Data Protection Authority (DPA). For example, the Information Commissioner’s Office (ICO) will be responsible for ensuring compliance in the UK.

New Rights For EU Citizens

The GDPR provides additional rights and safeguards for EU citizens over the personal data companies hold on them.

Firms must gain explicit consent from consumers or clients to gather any personal data, such as name, email, phone, income, social media profile, IP address or social security number. Automatic opt-in or the use of pre-checked tick boxes will no longer be accepted. Additional explicit consent must be obtained if firms want to share the data with third parties.

Viewing Personal Data

Under the GDPR, EU citizens have the right to data privacy. This includes the automatic right to view personal data held about them. Upon request, companies must provide the data in a clear, easily readable format within 1 month.

Porting Data Between Financial Services Companies

EU citizens are also free to port their personal data from one financial services company to another, should they wish.

Whilst there is no requirement to provide the data to an industry standard, it must be presented in an easily understood, clear format no later than one month after the port request.

The Right To Be Forgotten

An EU citizen has the right to be forgotten, by having their data deleted from your database. However, if the data is needed to fulfil legal or regulatory requirements, the request can be denied. The decision to refuse deletion must be justifiable and the reasons behind it clearly explained to the individual.

Data Breaches

Once discovered, data breaches need to be reported within 72 hours to the relevant Data Protection Authority (DPA). They’ll want to know the full details of the data breach, why it happened, how many individuals are affected, and the likely consequences for them.

The individual(s) affected may also need to be notified if the breach could lead to identity theft, financial loss, fraud etc.

All firms need to have procedures in place to prevent breaches, and to handle and report them effectively if they do occur. Ensuring compliance will be the role of the Data Protection Officer (DPO) within your organisation, which is a requirement of GDPR. However, the DPO can be an internal or external appointment.

You can find out more about DPOs here.

Bear in mind that the penalties for breaches can be severe. A major breach can result in a fine of up to 4% of a business’s global turnover or 20 million euros, whichever is greater, with fines of up to a maximum of 2% of global turnover for smaller violations, such as poor record keeping.

IT and 3rd Party Vendors

To comply with GDPR, all firms need to check that client data is maintained accurately across the various software platforms they use.

Personal information must be transferred securely and kept synchronised between both the internal IT systems and the external third-party vendors (a.k.a. data processors) your business uses. Your DPO will have an important role in monitoring this.

Handling Legacy Data

Consider whether old data needs to be kept or can be deleted. If it’s unlikely to be used again, delete it.

If you want to re-engage your legacy clients, make sure you contact them to gain their consent before GDPR comes into effect. After May 25th 2018, the mere act of contacting a legacy client to request their consent would constitute a breach, as you won’t have their consent to do so.

Privacy By Design

The DPA will want to see evidence of compliance with GDPR across the organisation. For example, standard operating procedures and staff training must ensure there is GDPR awareness and a focus on compliance amongst employees.

GDPR Resources

The above information is solely intended to provide you with an overview of GDPR. As ever, do your own research and due diligence to see the specific implications for your business. Here are some further reading resources to help:

The Official EU GDPR Website

The Information Commissioner's Office GDPR Guide

A List of Free GDPR Resources

Written by
Graham Cox
CEO / Founder