Financial institutions and the General Data Protection Regulation
November 2016 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
The European Union’s General Data Protection Regulation (GDPR) is one of the most heavily lobbied EU regulations. It required four years of negotiation and about 4000 amendments before the negotiators finally reached a consensus. The GDPR will apply from 25 May 2018 and will replace both the current Data Protection Directive (95/46/EC), which dates back to 1995, and the national data protection laws implementing that Directive. However, modified versions of national laws are likely to continue to exist, leaving room for national specifics.
Financial institutions and service providers to the financial industry process a vast amount of personal data on a daily basis. Much of the data processed is confidential and sensitive. This means there are increased risks and a likelihood of a focus on this sector by supervisory authorities, which will have new powers to audit and to impose administrative fines. Indeed, the GDPR allows for administrative fines of up to €20m or 4 percent of a company’s global annual turnover, whichever is higher.
In a poll carried out by software solutions provider Varonis in March 2015 at the CeBIT fair, the respondents, many of whom were from the financial sector, were convinced that banks will be first in the line of fire under the GDPR. At the same time, surprisingly, less than 50 percent of respondents thought that their institution was ready for the GDPR, and more than two-thirds said they did not know what to do in order to comply with it.
So what steps can financial institutions take to try and avoid the risks?
Each financial institution that processes personal data will still need a legitimate basis for processing. Article 6 of the GDPR provides that processing is lawful only if and to the extent that: (i) the data subject has given consent; (ii) the processing is necessary for the performance of a contract with the data subject; (iii) it is necessary for compliance with a legal obligation; (iv) it is necessary to protect the vital interests of an individual; (v) it is necessary for a task carried out in the public interest; or (vi) it is necessary for the purposes of the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Often, financial institutions will process personal data in order to fulfil their duties under a contract with the data subject, such as an account agreement, loan contract or insurance policy, or because they have a legal obligation to do so. Provided that the processing is necessary for that purpose, no further legal basis is needed.
For processing operations that are not required for the performance of an agreement or for compliance with a legal obligation, institutions need another legitimate basis, such as the data subject’s consent. Such consent must be “freely given, specific, informed and unambiguous”. This requires that adequate information be provided, in particular regarding the right to withdraw consent at any time. Consent must also be specific to each processing purpose. Institutions may therefore not rely on broad terms and conditions or blanket consent declarations, but will have to request the individual’s consent for each specific type of processing operation. In addition, the provision of a service must not be made conditional on consent, unless the processing of the data is necessary for the performance of that service.
For financial institutions, this means evaluating the legitimate basis for their data processing operations, involving a verification of existing contracts, terms and conditions, notices and template agreements. For instance, if consent has previously been given, this consent may no longer suffice under the GDPR and may have to be obtained again.
Accountability and transparency
One of the main principles of the GDPR is that controllers are accountable: they are responsible for compliance and must be able to demonstrate it. This involves, for example, new obligations to keep records of processing activities. Financial institutions are already subject to similar record-keeping requirements under various national and European banking laws, but it needs to be verified whether these correspond with the GDPR obligations.
Organisations will also have to make sure that their contracts and notices contain the information that needs to be communicated to individuals under the GDPR, and that this information is presented in a clear and concise manner (transparency).
Where the core activities of an organisation involve large scale processing or monitoring activities, which will be the case for most financial institutions, they will have to appoint a data protection officer (DPO). The tasks, profile and rights of the DPO are set forth in the GDPR, and may be different from those of existing privacy officers.
New rights of data subjects
Financial institutions must also put in place the technical and organisational measures necessary to respond adequately and in time (in principle within one month of receipt of the request) to requests by data subjects, based on their extended rights under the GDPR. The ‘right to be forgotten’ allows an individual to request erasure of their data where the data are no longer necessary for the purposes for which they were collected, or where the processing lacks a legitimate basis, for example due to the withdrawal of previously given consent.
The right to ‘data portability’ will allow individuals to request a copy of their personal data held by a service provider in a structured, commonly used and machine-readable format, provided that the processing is based on consent or on the performance of a contract and is carried out by automated means. Where technically feasible, individuals can even request a direct transfer of the data from one provider to another. However, the right must not adversely affect the rights and freedoms of others (for instance the confidentiality of other customers’ data), and the GDPR does not oblige controllers to adopt or maintain technically compatible systems.
Data Protection Impact Assessment and data breach notifications
Data Protection Impact Assessments, required for processing that is likely to result in a ‘high risk’ to individuals, will become essential for financial institutions, as they work with large amounts of confidential customer data. Where the assessment indicates that the processing would still result in a high risk in the absence of measures taken by the controller to mitigate it, the supervisory authority must be consulted prior to the processing.
Data breach notifications to the supervisory authority “without undue delay” and, where feasible, within 72 hours of becoming aware of the breach will become mandatory, unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Individuals have to be notified without undue delay when the breach is likely to result in a “high risk to the rights and freedoms” of natural persons. Financial institutions will have to align these obligations with other data breach notification duties (under national laws or under the recently adopted NIS Directive).
Having the appropriate technical and organisational measures in place to detect, contain, document and report a breach within that window will therefore be crucial.
Profiling and automated decision-making
Profiling, or more precisely, decision-making based solely on automated processing (including profiling) that produces legal or similarly significant effects for the individual, is subject to strict rules under the GDPR. It will, however, be allowed where expressly authorised by Union or Member State law, where the data subject explicitly consents, or where it is necessary for entering into or performing a contract.
In the latter two cases (consent, or entering into or performing a contract), the GDPR will require financial institutions to implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
International data transfers
Data transfers outside of the European Economic Area will generally remain prohibited unless legitimised by an adequacy decision for the destination country or by another individual safeguard. In the absence of an adequacy decision, organisations can continue to rely on standard contractual clauses (EU Model Clauses), binding corporate rules or approved ad-hoc contracts.
The newly established EU-US Privacy Shield does not cover financial institutions. It might therefore only become relevant with regard to third-party service providers that work from or with the US.
A new possibility under the GDPR is to have codes of conduct and certifications approved, which might be developed for the financial sector. Such codes of conduct and certifications may serve to prove compliance both with the GDPR in general, as well as with regard to international data transfers.
Frederik Van Remoortel is senior counsel at Crowell & Moring. He can be contacted on +32 2 282 18 44.
© Financier Worldwide