GDPR in Digital Banking

What is GDPR?

GDPR stands for General Data Protection Regulation. It is a European Union (EU) law that came into effect on 25 May 2018. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person). The GDPR defines an array of legal terms at length. Below are some of the most important ones that we refer to in this article:

Personally Identifiable Information (PII) — PII is any information that relates to an individual who can be directly or indirectly identified or contacted. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to identify someone from it.

Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, and erasing; so basically anything.

Data subject — The person whose data is processed. These are your customers or site visitors.

Data controller — The person who decides why and how personal data will be processed. If you’re an owner or employee in your organization who handles data, this is you.

Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations. They could include cloud servers like Tresorit or email service providers like Proton Mail.

If you process data, you have to do so according to the seven protection and accountability principles outlined in Article 5(1)-(2):

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal data accurate and up to date.
  5. Storage period limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

When can you use the data?

Article 6 lists the instances in which it’s legal to process personal data. Don’t even think about touching somebody’s personal data — don’t collect it, don’t store it, don’t sell it to advertisers — unless you can justify it with one of the following:

  1. The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted in to your marketing email list.)
  2. Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)
  3. You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
  4. You need to process the data to save somebody’s life. (e.g. Well, you’ll probably know when this one applies.)
  5. Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)
  6. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data. (It’s difficult to give an example here because there are a variety of factors you’ll need to consider for your case. The UK Information Commissioner’s Office provides helpful guidance here.)

Once you’ve determined the lawful basis for your data processing, you need to document this basis and notify the data subject (transparency!). And if you decide later to change your justification, you need to have a good reason, document this reason, and notify the data subject.

Consent

There are strict new rules about what constitutes consent from a data subject to process their information.

  • Consent must be “freely given, specific, informed and unambiguous.”
  • Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
  • Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
  • Children under 13 can only give consent with permission from their parent.
  • You need to keep documentary evidence of consent.

People’s privacy rights

You are a data controller and/or a data processor. But as a person who uses the Internet, you’re also a data subject. The GDPR recognizes a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organizations. As an organization, it’s important to understand these rights to ensure you are GDPR compliant.

Below is a rundown of data subjects’ privacy rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

The regulation itself (not including the accompanying directives) is 88 pages.

GDPR challenges in Digital Banking

The most common challenges that occur during project execution stem from a lack of cooperation between the Data Protection Officer (DPO), Legal, IT, and Marketing. This is understandable given the complexity of the Regulation and the variety of functions across organizational units. With the GDPR came privacy software (such as Data Privacy Manager, Privitar or Protegrity) that links the Regulation to the data, giving the DPO an easy way to manage compliance at the bank level and tie it to the bank’s IT systems and data.

Each organizational unit must have clearly defined responsibilities that are realistic and consistent with the competencies of the department. Experience shows that the GDPR compliance project is carried out most efficiently by banks that implement a "decentralized data privacy management model". In the decentralized model the DPO remains in a supervisory and advisory role, while IT, Marketing, HR, and the other involved units assume their part of the responsibility for compliance: in effect, a shared-responsibility model.

The Records of Processing Activities (ROPA) should document all activities around personal data processing within your organization. Through data integration, Data Privacy Manager takes into account the bank’s different business processes and the IT systems where data are processed, and creates and propagates the archiving and data removal schedule together with technical information about data location. This way, it is possible to automate the entire personal data lifecycle, which is the only practical way for the bank to engage in the compliance process successfully, given the amount of data and the number of IT systems in which data is processed.

GDPR Benefits for Digital Banking

Retail digital banks typically keep personal data for long periods in case it is needed in the future. GDPR stipulates that businesses must not keep personal data for longer than they need it, after which it should be erased or anonymised. So to comply with GDPR’s principles of data minimisation, storage limitation and data retention, banks have had to change their mindsets and review their customer record retention and disposal policies.

The cost savings from a GDPR endeavor could be substantial. For example, according to People Data Labs, approximately 18 percent of data in people databases such as a CRM or ATS system is duplicated. With the insights gleaned from your GDPR compliance project, your IT organization can identify areas of duplication to eliminate or consolidate. The result could be lower systems cost, less capacity waste, less IT time and maintenance expense, faster backups, and lower data centre costs. Better data management will also reduce staff time when customers invoke the “right to be forgotten” under the GDPR and ask you to delete all their digital data.

Complying with GDPR will enable you to pinpoint where sensitive information is being stored as well as determine the supporting processes and technologies against a defined control framework. This knowledge will help you plan and execute remediation strategies, such as deciding whether to encrypt, archive or delete the data to prevent misuse or duplication of data elsewhere. Better securing your highly regulated and sensitive data can help prevent data breaches – whether from hackers or insiders. In addition, you can prove to auditors that controls exist for identifying and reporting on all sensitive data.

Preparing for GDPR gives you a better understanding of your customer-facing processes and applications as well as their purpose within the organization. This will help you create and deliver digital solutions that customers want, in the way they want them, while ensuring data privacy controls are in place. Having superlative security and privacy processes can improve your reputation and competitiveness as well – increasing customer acquisition and retention.

The savviest banks will capitalize on GDPR to offer new services to customers. As Chris McMillan, a partner at management consulting firm Oliver Wyman, told the Financial Times: “A bank could see you have a direct debit to a telco and ask you for permission to request the data from the telco to check you are getting the best deal. That would be a compelling proposition for a customer, knowing their bank is trying to save them money.” I refer to this as empathic banking.

The GDPR pushed compliance to strengthen data handling practices and security procedures. In doing so, it also emphasized customer control of personal data, shifting power towards consumers. Open banking had just come into effect at the time of the GDPR’s implementation, which paved the way for a host of new digital banking products and services from non-traditional providers. As more open banking products and services are launched and the benefits of data sharing become ever more apparent, the control and protection from the GDPR could help further drive consumer adoption of open banking services, creating opportunities for innovation.

Public discussion about the GDPR has helped reinforce data protection as a central issue in financial services. Indeed, boards and executives understand the value of data to businesses and consumers, and the extent to which data protection is a prominent issue in society. With data privacy and security now often identified as a leading concern for boards, business leaders have become increasingly sophisticated in how they think about data. For many firms working in financial services, the GDPR is more than simply an addition to the regulatory toolkit: it is a genuine strategic advantage. Integrating data protection into core development strategies means that bolder and more innovative decisions can be made. Any observer of the financial services sector can see that banks are innovating more than ever – a testament to their increasing technological and data expertise.

Technology, increased competition and consumer protection laws have empowered customers, and many of them – especially Millennials – now take ethics into consideration when looking to purchase new goods and services. This focus on ethics has also been reflected in the business community, with firms committing to corporate social responsibility and taking a closer look at environmental, social and governance issues in their supply chains and investments.

In this environment, maintaining an ethical approach to data is a significant advantage. Given how financial institutions are the gatekeepers to sensitive customer data, they have rigorously complied with the GDPR and made the ethical handling of data a priority, as evidenced in the publication of data ethics frameworks by numerous firms. The result is a succinct and easily comprehensible data policy that consumers can engage with – which is good for keeping customers happy, as well as boosting corporate reputation.

Leading organizations are looking beyond compliance, by extending the breadth of GDPR compliance programs to leverage additional benefits. Examples include:

  • Fundraising and improving the investor relationship
  • Consolidating activities into broader information governance programs
  • Embedding information security into the design of business applications and technical infrastructure
  • Improving data protection and privacy practices
  • Extending information security’s reach within the business

Chris Shayan

Product Experience Architect | Head of AI

1 year

Khuong D. Le, MBA thanks for encouraging me to finish this post :)
