GDPR Six Months Out – The View from Financial Services Industry

Editor’s Note:

We’re now less than six months away from the EU General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. Continuing our series of blogs exploring GDPR’s impact on various industries and digital identity, Nick Caley, VP, Financial & Regulatory, provides his perspective on how the regulation will impact banking and financial services organizations.  

Financial Services organizations are often better prepared than most to step up to new regulation. Still, even the most seasoned risk and compliance veterans look ahead into 2018 with appropriate concern at the intersection of significant pieces of legislation. The year starts off with Open Banking and PSD2, mandated to both harmonize payments and foster innovation within the banking ecosystem. In May, the most comprehensive privacy law to hit the statute books in many years comes into enforcement: the GDPR. Its impact will be felt by every EU citizen and size of organization handling their personal data, and beyond the EU as well. At first glance these laws appear to be in opposition. On the one hand PSD2 and Open Banking enable approved Third-Party Access via APIs to sensitive bank account information. On the other hand, GDPR is a wide-reaching data protection law predicated on the protection of personal information, with swingeing penalties for non-compliance.

The Key is Consent

In reality, the regulators have made consent a key requirement of each of these laws, though it’s not mandated in all customer interactions. But given the distinct advantages consent brings, it’s always preferable to have it. Gaining and managing customer consent offers a bridge across the 2018 regulatory impact for banks and financial services more widely. Some institutions will rely on ‘Legitimate Interest’ for processing personal data. Those stepping in to a new model of shared data assets with full customer consent, however, will gain greater flexibility to work with personal data for the provision of new services and selling of new products. Managing dynamic consent captured in real-time interactions as a customer manages their account, then made visible in a Privacy Dashboard increases the level of trust as it delivers the choice, control and transparency that newly empowered consumers will start to expect.