The financial sector is one of the more highly regulated industries, but many banks have nonetheless been thrown off by the complexity of the EU General Data Protection Regulation (GDPR). The Regulation, which takes effect on 25 May 2018, overhauls the way organisations handle personal data. It includes countless requirements, but this blog outlines three essential steps banks should take as soon as possible.
1. Document a lawful basis for processing
Most organisations use consent to process personal data, but the GDPR discourages this practice by toughening the requirements for lawful consent. Organisations should instead use one of the five other lawful bases wherever possible:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
In most cases, banks will be able to use a contract with the individual or legitimate interests. Whichever basis an organisation uses, the data subject needs to be told what data the organisation is collecting, what it’s being used for, how long it’ll be retained and whether it’ll be shared with any third parties. Data subjects also need to be informed of their rights, including the right to access any data that the organisation holds on them and to rectify or erase any incorrect or unnecessary data.
This information needs to be readily available to data subjects and written in a way that’s easy to understand.
2. Hire a DPO
Most banks will employ someone to oversee the organisation’s regulatory compliance – but the GDPR makes this mandatory. The data protection officer (DPO) has many obligations, including:
- Educating employees on the GDPR’s compliance requirements;
- Training staff who are involved in data processing;
- Conducting audits; and
- Serving as a point of contact between an organisation and its supervisory authority.
The DPO is required to report to the highest management level (i.e. board level), and the board should provide them with adequate resources to meet their obligations.
A comprehensive overview of the DPO’s tasks is set out in Article 39 of the Regulation.
3. Prepare for the right to data portability
The right to data portability allows individuals to obtain any information that an organisation holds on them and to reuse it for their own purposes. Individuals are free to either store the data for personal use or transmit it to another data controller.
The data must be received “in a structured, commonly used and machine-readable format”.
As law firm Simont Braun explains: “The goal is thus to provide a data subject with the capacity to obtain, reuse and transfer its personal data from one data controller (e.g. Bank A) to another (e.g. a third party payment service provider such as an [account information service provider]).”
The right to data portability applies:
- To personal data that an individual has given to a data controller;
- When the processing is carried out by automated means; and
- Where the processing is based on the individual’s consent or on the performance of a contract.
The second and third conditions are relatively self-explanatory, but it’s less clear exactly what personal data is ‘given to’ a data controller. The Article 29 Data Protection Working Party clarifies that this refers to information that “relate[s] to the data subject activity or result[s] from the observation of an individual’s behaviour”.
This includes “[d]ata actively and knowingly provided by the data subject […] (for example, mailing address, user name, age, etc.)” and “observed data [such as] a person’s search history, traffic data and location data [or] other raw data such as the heartbeat tracked by fitness or health trackers”.
However, inferred or “subsequent analysis of that data”, such as the outcome of a health assessment, is out of scope.
Are you prepared for the GDPR?
Preparing for the GDPR isn’t only about specialists meeting compliance requirements. Everyone in your organisation who handles personal data needs to be aware of their obligations, which is why the Regulation emphasises the need for staff training.
Our GDPR Staff Awareness E-learning Course introduces employees to the Regulation, explaining:
- The key data protection roles;
- The scope of the GDPR;
- The six principles for collecting and processing personal data; and
- How to comply with the GDPR.