After several negotiations und multiple drafts of the General Data Protection Regulation (GDPR), its final text was adopted in April 2016. The GDPR updates the current EU Data Protection Directive according to the technological developments that have taking place during the last 20 years. The GDPR applies to all member states in the same way and also does not make a distinction between industries or sectors; however, the new provisions may have a higher impact in certain sectors or industries, as they will be subject to stricter requirements regarding the processing of personal data.

The finance industry, including comprises banks, investment funds, foreign exchange services, etc., is one of the sectors that will be subject to stricter requirements:

  • Especially the fact that the data processed might relate to bank accounts, the financial situation of customers or their financial and patrimonial solvency leads to a stricter data protection regime under the GDPR as it requires that the undertaken data protection measures must reflect the quality of data appropriately, which evidently is considered to be of highest nature. In other words: Finance Industry by Law is supposed to be a Leader in Data Protection and any potential breach would mean a higher sanction than in other businesses that might follow similar e.g. illicit procedures (fines go up to 4 % of annual turnover of a group or up to 20.000.000,00 EUR)
  • The GDPR acknowledges the according risk as well, therefore, data breaches occuring at financial institutions may be subject to the obligation to inform customers if the breach is likely to cause them a significant damage, so that they can take adequate precautions. Data breaches in this business field need to be reported to Data Protection Authorities within 72 hours.
  • Generally, the appointment of a Data Protection Officer is mandatory for any institution belonging either to the public sector or if core activities involve large scale processing of sensitive data. This usually should be the case for any company in the financial sector. However, under the GDPR, financial information is not explicitly considered sensitive data but considered to be a risk to the rights and freedoms of data subjects, for example in cases of identity theft or fraud. Therefore, Privacy Impact Assessments will be also mandatory for financial institutions in order to identify risks and minimize potential damages or data breaches and implement accordingly a tailored data protection strategy (privacy by design).

One of the main assets for financial institutions is its customers, this is why prior information and consent will play even a more important role than before in order to reach compliance. Consent must be unambiguous and explicitly referred to each processing purpose. The use of general contractual terms will not be sufficient for the proof of consent.

The GDPR will become effective in May 2018 and by this date, organizations and businesses should be compliant with its provisions.