Data breaches and identity theft which have become very important in recent years, did not mean much before smartphones; for years when the phone was just used to call and message. Bank transactions were made face to face. People did not have to think too much about passwords, data theft, hackers and cyber criminals were not in the category of risk that people should consider.
Therefore, there is an increasing need for regulation of data and a unified data protection policy. The European Union observes this need and has created a new legislation, GDPR, that companies are hoping to fundamentally change the way they collect, manage and store information.
General Data Protection Regulation (GDPR) is a regulation which involves EU citizens to avoid leakage of personal information starting by May, 2018.
Financial institutions and service providers operate a large amount of personal data on a daily basis in the financial sector. Most of the processed data is confidential and sensitive. This means there is a growing risk, and this sector is likely to be focused by the supervisory authorities who will be authorized to issue new rights to audit and administrative fines on a timely basis. Therefore; GDPR allows a company’s global annual turnover to have a maximum of 20M € or as much as 4% administrative fines.
What can financial institutions take steps to avoid the risks?
Every financial institution that processes personal data will need a legal basis to proceed with data processing. Processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overwhelmed by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Generally, financial institutions will process personal data to fulfill their obligations by contracting with the data subject, such as an account contract, a credit contract or an insurance policy, or they will act as a legal obligation. Provided that the processing is necessary for this purpose, no further legitimating is needed.
For processing operations that are not required for the performance of an agreement, institutions need another legitimate basis, such as the data subject’s “consent”. This consent must be “freely given, specific, informed and clear”. This requires, in particular, the provision of adequate information on the right to consent. For this reason, institutions may not rely on broad terms and conditions or general permit statements, but they will have to ask the individual for each specific type of financial operations.
Addition to this, services must not be made conditional to consent, unless the processing of the data is essential for the service. This means evaluating the legitimate foundations of existing computing operations, verifying existing contracts, terms and conditions, notifications and template agreements for financial institutions. For example, if previously approved, this approval may no longer be sufficient for GDPR and may need to be obtained.
Principle of accountability and transparency
One of the main principles of the GDPR is that the controllers are accountable — they are responsible for compliance and should be able to demonstrate compliance. This includes new obligations to keep records of processing operations. Financial institutions are already subject to similar conditions under various national and European banking laws, but they should be verified whether they comply with GDPR obligations.
Organizations should also ensure that their contracts and warnings contain the information that must be communicated to the individual according to GDPR, and that this information is presented in a clear and transparent manner (transparency). A data protection officer (DPO) will have to be appointed where the core activities of an organization include large-scale processing or monitoring activities that would be applicable to large financial institutions.
Companies must hire a DPO if they do any of the following subjects;
- Employ over 250 people
- Process or store large amounts of EU citizen personal data
- Process or store special personal data
- Regularly monitor data subjects
- Are a public authority
Rights of data subjects
Financial institutions should also implement the necessary technical and organizational measures to provide timely and appropriate responses to requests for data, based on the expanding rights under the GDPR. The ‘right to be forgotten’ allows one to request the deletion of the data; Where the data are no longer necessary for the transactional purposes for which the data were collected, or where there is no legitimate basis for the transaction — for example, the withdrawal of a preliminary grant.
The “data portability” right will enable individuals to request a machine-readable copy of the personal data stored by a service provider, provided that the transactions are based on a contractor’s approval or performance. Even individuals may wish to transfer data directly from one provider to another where technically feasible.
Data protection impact assessment
The Data Protection Impact Assessments envisaged for the potential “high risk” transaction will become mandatory for financial institutions as they operate with high amounts of confidential customer data. In cases where the process is likely to result in a high risk, the supervisory authority should be consulted prior to processing.
Profiling with consent
Automatic decision making based on profile creation activities or, more precisely, profiling activities only, is strictly regulated under GDPR. However, when the data subject explicitly consents, or when necessary for entering into or performing a contract.
GDPR will require financial institutions to implement appropriate measures to protect the rights and freedoms of the data field, its legitimate interests, and at least the right to human intervention, when it is based on the disposition of the data issue or when it is necessary for a contract to be signed or fulfilled. On the controller side, he should be allowed to express his / her point of view and appeal to the court.
Data transfers outside the European Economic Area will generally be prohibited unless legitimated by a decision of competence for the target country or other individual legitimacy. In the absence of such a legitimacy, organizations can continue to ratify binding or transitional contracts by relying on the provisions of the standard contract (EU Model Clauses). The newly established EU-US Privacy Shield does not include financial institutions. Therefore, it is only a matter of working with the US or third party service providers in the United States.
According to the GDPR, a new possibility is to have an approved code for the behavior and approved certifications that may have been developed for the financial sector.
Such behaviors and certifications can serve to prove compliance with both GDPR and international data transfers.
Data breach notifications
As long as the violation is not possible “to expose a risk to the rights and freedoms of the individual” it will become mandatory to notify the inspection authority “without delay” of data breach. If the violation is likely to create a “high risk of rights and freedoms” for the real persons, then the individual must be informed. Financial institutions should implement these obligations with other data breach notification duties.
For this reason, it is very important to take appropriate technical and organizational measures to detect, handle and report a violation.
How Finance Companies can be Ready for GDPR?
We shared the important headings that will change in finance companies above with GDPR. How do you become ready for GDPR?
1. Streamline your data infrastructure and governance
How quickly can you identify all the data items for a particular person in your organization? Doing this not only ensures that you meet the relevant requirements under GDPR, but also allows you to open up the exact value of the data assets held by you.
2. Hire a Data Protection Officer (DPO)
A Data Protection Officer (DPO) must be assigned to influence the senior decision-making process to contact regulators, maintain adequate privacy awareness in your organization, monitor compliance with GDPR, and improve privacy and data protection.
3. Empower your customers
Data protection has become a market parser. Customers expect their personal data to be confidently managed by the organizations they share. Transparency between you and the customer is the key.
4. The key is the “Transparency”
In fact, this is one of the most important goals of the GDPR, transparency. Depending on how transparently you communicate and interact with your users, your relationships and shopping will also improve.
5. Encourage your customers to trust you
Not only transparency, but also emphasize the trust that is one of GDPR’s other key concepts, and pay attention to what you can do in this regard.
6. Understand your privacy risk and your level of data security
What are the risks of processing personal data? These may be organizational risks or technical risks. Which outside forces can move to disrupt your business and your cyber security strategy allows you to react to them?
7. Adopt an agile privacy and data protection strategy
You must protect your awareness of the legal developments at home and abroad in the constantly changing secrecy landscape and reflect your business plans with your strategies. They should cover all of the global organization that processes personal data from the EU.
8. Manage permissions and notifications
The individual is empowered to know all the ways in which you use your personal data, what purpose you should use it, and what you intend to mean under GDPR. The rules on ratification are becoming increasingly difficult and individuals can withdraw their approval at any time.
9. Reduce the amount of data
Are you using the data for your purpose for something else? Do you need to educate your staff about data limitations? How are you going to watch this? Organizations should only assemble and process personal data they need legitimately for the purposes they describe. You will see that you can mitigate the risk overall for your organization by carefully passing the data that you do not need or whose purpose has expired.
10. Understand how third parties use your data
Most financial institutions share data with third parties. These can be customers, suppliers, regulators or partners. You must understand and direct the risks involved in transferring the data to third parties and ensure that your data is adequately protected by the people you share.
11. Learn to control your data
Before attempting more action on your data, learn how to handle your data and create your own contextual background on this page.
12. Know where your data is
You should have a clear understanding of where you are and what you need to access what you need. What are the basic data sources? How do you manage the risk of repeating, erroneous, and erasing overdue data?
13. Understand what your privacy means to you
It is important to adopt an organizational-wide approach by factoring data protection and privacy management into your overall protection strategy. You should understand the inherent risks, opportunities and priorities for your establishment.
14. Remember that GDPR is a law
GDPR does not only consist of a few measures and elements coming from national regulations, it will come as a fully effective structure at the level of the union and partly at the national level. For this reason, be careful to remember that the GDPR is correct.
Financial institutions should take steps now to ensure that they are able to comply with the new requirements of the GDPR. This should help such organizations to build and maintain the trust and confidence of their customers, business partners other individuals whose personal data they collect and process and avoid breaches of relevant data protection rules.