GDPR Six Months Out – The View from Financial Services Industry

Editor’s Note:

We’re now less than six months away from the EU General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. Continuing our series of blogs exploring GDPR’s impact on various industries and digital identity, Nick Caley, VP, Financial & Regulatory, provides his perspective on how the regulation will impact banking and financial services organizations.  

Financial services organizations are often better prepared than most to step up to new regulation. Still, even the most seasoned risk and compliance veterans look ahead into 2018 with appropriate concern at the intersection of two significant pieces of legislation. The year starts with Open Banking and PSD2, mandated both to harmonize payments and to foster innovation within the banking ecosystem. In May, the most comprehensive privacy law to hit the statute books in many years becomes enforceable: the GDPR. Its impact will be felt by every EU resident, by organizations of every size that handle their personal data, and beyond the EU as well. At first glance these laws appear to be in opposition. On the one hand, PSD2 and Open Banking enable approved third-party access via APIs to sensitive bank account information. On the other hand, GDPR is a wide-reaching data protection law predicated on the protection of personal information, with swingeing penalties for non-compliance.

The Key is Consent

In reality, the regulators have made consent a key requirement of each of these laws, though it is not mandated in every customer interaction. But given the distinct advantages consent brings, it is always preferable to have it. Gaining and managing customer consent offers a bridge across the 2018 regulatory impact for banks and financial services more widely. Some institutions will rely on ‘legitimate interest’ as their lawful basis for processing personal data. Those stepping into a new model of shared data assets with full customer consent, however, will gain greater flexibility to work with personal data for the provision of new services and the selling of new products. Consent carries obligations of its own: under GDPR it must be specific to a purpose, informed, unambiguous and as easy to withdraw as it was to give, so a withdrawal has to stop the processing it covered. Managing dynamic consent captured in real-time interactions as a customer manages their account, then made visible in a privacy dashboard, increases the level of trust because it delivers the choice, control and transparency that newly empowered consumers will come to expect.
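To make the consent-as-bridge idea concrete, here is an added illustration of the pattern the paragraph describes: an append-only consent ledger that gates third-party API access on an active, purpose-specific consent and feeds a customer-facing dashboard. This is example code written for this post, not ForgeRock's product or any PSD2 or Open Banking API; the third-party name, purposes, scopes, the 90-day lifetime and the sample customer data are all constructed assumptions.

```python
"""Consent-gated third-party access: an illustrative ledger (example code, not a product API).

Assumptions (constructed for illustration): consents expire after 90 days unless
withdrawn, scopes are free-form strings, and one consent covers exactly one purpose.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass
class Consent:
    customer_id: str
    third_party: str            # the party granted access (assumed identifier)
    purpose: str                # the single purpose the customer agreed to
    scopes: frozenset[str]      # data the customer agreed to share for that purpose
    granted_at: datetime
    expires_at: datetime
    withdrawn_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """Active only if not withdrawn and within the granted window."""
        return self.withdrawn_at is None and self.granted_at <= now < self.expires_at


class ConsentLedger:
    """Append-only: withdrawal is recorded, never deleted, so the history stays auditable."""

    def __init__(self) -> None:
        self._records: list[Consent] = []

    def grant(self, customer_id: str, third_party: str, purpose: str,
              scopes: Iterable[str], now: datetime, ttl_days: int = 90) -> Consent:
        c = Consent(customer_id, third_party, purpose, frozenset(scopes),
                    now, now + timedelta(days=ttl_days))
        self._records.append(c)
        return c

    def withdraw(self, customer_id: str, third_party: str, purpose: str, now: datetime) -> int:
        """Withdraw every active consent for this (customer, party, purpose); returns the count."""
        n = 0
        for c in self._records:
            if ((c.customer_id, c.third_party, c.purpose) == (customer_id, third_party, purpose)
                    and c.is_active(now)):
                c.withdrawn_at = now
                n += 1
        return n

    def authorize(self, customer_id: str, third_party: str, purpose: str,
                  requested_scopes: Iterable[str], now: datetime) -> bool:
        """Gate an API call: allowed only if one active consent for this exact purpose
        covers every requested scope. Scope creep and purpose creep both fail."""
        requested = frozenset(requested_scopes)
        return any(
            c.is_active(now)
            and c.customer_id == customer_id
            and c.third_party == third_party
            and c.purpose == purpose
            and requested <= c.scopes
            for c in self._records
        )

    def dashboard(self, customer_id: str, now: datetime) -> list[dict]:
        """What the customer sees: who has access, to what, for what, and until when."""
        return [
            {
                "third_party": c.third_party,
                "purpose": c.purpose,
                "scopes": sorted(c.scopes),
                "status": ("active" if c.is_active(now)
                           else "withdrawn" if c.withdrawn_at else "expired"),
                "expires_at": c.expires_at.isoformat(),
            }
            for c in self._records
            if c.customer_id == customer_id
        ]


def demo() -> dict:
    """Constructed walk-through; returns each access decision so it can be checked."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("cust-1", "budget-app", "account aggregation", {"balances", "transactions"}, t0)
    day = timedelta(days=1)
    results = {
        "in_scope": ledger.authorize("cust-1", "budget-app", "account aggregation", {"balances"}, t0 + day),
        "scope_creep": ledger.authorize("cust-1", "budget-app", "account aggregation",
                                        {"balances", "direct_debits"}, t0 + day),
        "purpose_creep": ledger.authorize("cust-1", "budget-app", "marketing", {"balances"}, t0 + day),
        "expired": ledger.authorize("cust-1", "budget-app", "account aggregation", {"balances"}, t0 + 91 * day),
    }
    results["withdrawn_count"] = ledger.withdraw("cust-1", "budget-app", "account aggregation", t0 + 2 * day)
    results["after_withdrawal"] = ledger.authorize("cust-1", "budget-app", "account aggregation",
                                                   {"balances"}, t0 + 3 * day)
    results["dashboard_status"] = ledger.dashboard("cust-1", t0 + 3 * day)[0]["status"]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two points worth noticing are that `authorize` matches on purpose, not just on party and scope, so consent given for account aggregation cannot be reused for marketing, and that `withdraw` flips the record rather than deleting it, so the dashboard can show the customer what they revoked and an auditor can see when.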

Who Is Nick Caley?

Nick Caley is VP, Industries Financial & Regulatory, at ForgeRock. Nick speaks regularly at financial services and information security events in the EMEA region, and contributes regularly to publications including IT Pro Portal, ComputerworldUK and Payment Week.
