Commentary

Ever since the General Data Protection Regulation (GDPR) came into force on 25th May 2018, data privacy laws in the European Union (EU) have undergone a quantum jump. Under the new rules, organizations across industries are now accountable for protection of personal data of customers and employees.GDPR empowers the customer and puts them in control of their personal information. It applies to all EU citizens and EU organizations. It also encompasses institutions outside the EU serving individuals within the EU.When it comes to banks and financial entities, clients’ data go through various levels during customer onboarding, accounting, relationship management and other banking processes. At each of these stages, sensitive data is handled by numerous people and computing systems. This necessitates a structured plan to safeguard customer data against possible breaches. Hence, the GDPR.Today we are going to take a look at the challenges faced by financial institutions while implementing GDPR. But first, a few definitions. Data subject: A data subject is a customer or employee who shares their personal data with a bank. Data controller: A data controller is a bank or financial entity which collects, holds and manages the personal information of its clients and employees. Data processor: A data processor is an organization that processes and analyzes customer data. It can be a bank or a third party service provider.Now let us get to the challenges which are the excerpt from the webinar conducted by Payjo, a leading conversational AI banking software provider. Customer consent The first thing banks need to ensure under GDPR is customer consent. Personal data of clients have to be strictly processed under the 6 lawful bases enshrined in the GDPR. Personal data is anything that can be used to identify a client. Name, age, sex, email address, residential address, phone number, social security number and information shared on social media, all come within the ambit of personal data. Under the new regulations, it is now mandatory for data controllers to seek the customers’ consent before collecting their personal information. They also need to explain why they are gathering the said data and how they are going to use it. Sharing the data with a third party also requires approval, and customers can hold the data controller accountable for any unauthorized use of their data. In short, banks need to be fully prepared to lawfully handle customer data. Right to data erasure Under GDPR, data subjects can request data controllers to permanently erase and remove their personal data from their records without any external authorization. The data subject has full right to data erasure. The bank might retain some data for complying with other laws, but apart from that, the customer has the right to be forgotten. For this, data controllers need to overhaul their data management system to execute the new rules.Breach of data GDPR mandates every bank to employ a Data Protection Officer to ensure adherence to the new laws. In case of a data violation, the GDPR governing authority needs to be notified within 72 hours. The data controller has to furnish all the details of the breach including nature, extent and criticality. Impacted data subjects must also be intimated without undue delay. In this regard, financial institutions need to gear up and put in place an efficient data breach reporting system. A rethinking in their approach towards customer data is imperative. They need to redefine how they, and the service providers they outsource the processing to, handle customer data. Data sharing GDPR requires data controllers to take responsibility for data shared across platforms. Due to the nature of operations, banks often have to outsource to third party service providers jobs beyond their core competency, like human resources and IT. In doing so, a lot of sensitive data moves across borders and get exposed to external agencies. Under the new regulations, data controllers need to ensure the information is safe and ethically handled by data processors. In other words, GDPR imposes end-to-end accountability on banks for total protection of personal data.Privacy by design One of the pillars of GDPR is the ‘privacy by design’ tenet. It calls on data controllers to list all the possible risks to privacy before a project involving personal data commences. It also requires them to set up organizational and technical checks and balances to preempt violations and implement data protection rules. This is where Psudonymisation comes in. It is defined as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’. To this end, data controllers need to revamp their data security measures to ensure GDPR compliance.