The reaction to GDPR: Financial Services 

Gerrish Legal intern Marie Mortreux attended the GDPR Essentials: Financial Services Webinar hosted by DataGuidance on 31st October 2018.

Marie shares with us the key takeaways and provides insight into the GDPR in the financial services sector.

The reaction to GDPR in Financial Services 

Whereas some organisations had anticipated and planned for the GDPR, with internal GDPR programmes already in place, it came as a surprise that a fair number of other organisations woke up to it late.

Some of the challenges organisations faced at the time of implementation involved the time-consuming process of speaking to their service providers and vendors and determining who acts as processor and who as controller. However, this process also allowed some organisations to develop a much more comprehensive privacy framework. Organisations also came to the realisation that the GDPR is not a fly-by-night matter but an enduring issue.

Key data privacy priorities for Financial Services over the next few months 

After 25th May there is a continuing need to embrace the GDPR and retain the work that has been started. Many organisations that are less involved in privacy have seen the GDPR as a mere deadline; however, there is a real need for privacy to be embedded into business practices and procedures. This could occur, for example, through targeted training for high-risk activities involving the handling of personal data, in addition to the general training already dispensed during the implementation phase of the GDPR.

There is also a globalisation of privacy regulation, with new laws enacted in the US, India and Brazil, which raises the question of where the next piece of privacy legislation will come from. The E-Privacy Regulation appearing on the horizon will also certainly have an impact. In this context, the GDPR might also help set a precedent and influence legislation elsewhere.

National variations in interpretation of the GDPR 

There are national variations in how the GDPR is applied, mostly due to differences in interpretation and to national derogations. As a result, implementing privacy is challenging and there is a need to maintain a flexible approach as new guidance continues to be issued. This also means that it is key for organisations to be aware of the requirements of the different countries in which they operate.

On the other hand, although the GDPR involves many challenges, these are not new in the privacy sphere. There is a misconception around the world that the GDPR is a single piece of harmonised legislation and that it is the be-all and end-all of privacy legislation in the EU. Although the differences between the previous national laws have not yet fallen away since the GDPR came into force, the GDPR is helping to move towards harmonisation.

Criminal offences and sanctions including anti money laundering 

In Germany and in the UK, preventing money laundering falls under the lawful ground that the processing is necessary for compliance with a legal obligation to which the controller is subject. In France, however, it may not be possible to rely on the legal obligation ground as a basis for processing such data, based on guidance provided in the French Financial and Monetary Code. It may then be necessary to rely on an alternative ground, namely legitimate interest.

Territorial scope of GDPR 

One important issue which remains unanswered by the GDPR is the question of territorial scope and whether organisations outside the EU can be caught by the GDPR on the basis that they are doing business in the EU. For organisations in countries which are not part of the EU, it is even harder to anticipate the variations in national laws. Furthermore, there is still no clear guidance on the extra-territorial application of the GDPR.

Dealing with privacy by design, privacy by default and DPIA obligations in practice

These types of activities are not necessarily new for international organisations, even if they went by different names before. However, the escalation to mandatory requirements undeniably changes the situation. There has been a lot of effort from organisations to ensure that DPIA frameworks are well implemented and that privacy continues to be built in. This falls under the GDPR's accountability principle: being able to evidence that certain activities are carried out in compliance.

Building an industry understanding 

The general feeling is that it will take time to build an industry understanding of the GDPR. Although we have built a framework, questions remain, such as:

  • When does it become necessary to reach certain triggers?

  • When does one need to engage the DPO?

  • What constitutes medium or high risk in borderline cases?

For example, the private and public sectors take different approaches as to which activities would require a DPIA. Overall, there is still a lack of guidance from regulators, and grey areas will remain in the years ahead.

Picking up new activities 

Organisations need to ensure that they pick up new activities. During GDPR implementation, there was a huge focus on data processing activities which had already been under way for many years. However, the GDPR's approach is different in that it is forward looking. It is about understanding where the new activities come from and linking with the key stakeholders in the market (IT, AI, analytics). A DPIA is conducted even before the activity actually commences. Organisations have done a lot of work to build a framework, and now it is time to implement it.

AI and Big Data in Financial Services 

In Financial Services, AI and Big Data take various forms (evaluating credit, algorithmic rating, portfolio management), but they essentially involve processing large volumes of data from multiple sources.

In relation to Big Data and profiling, there has been a growing vein of distrust. Financial Services need to pay attention to:

  • Transparency as to how Big Data is actually processed, and allowing people to have access to their information. It is really about determining what can reasonably be expected from the customer's or individual's standpoint, and it increasingly touches on ethical concepts;

  • Quality and reliability of data. Because of the high volume of data processed, there is an increasing risk of inaccuracy, especially in relation to partially identified data. Inaccurate profiling also has negative consequences for the individuals concerned;

  • Purpose limitation. The processing cannot be carried out for a purpose incompatible with the original purpose. The new purpose must be fair in relation to the original purpose, and there is a need to consider how the new purpose affects the privacy of the individual concerned.

Financial Services need to make sure that privacy policies are accurate about the consequences for individuals, with meaningful information provided about the logic involved (details of the rationale or criteria). There is a need to strike the right balance by explaining this logic in the most practical way possible.

Any queries, please do not hesitate to get in touch!

Author: Marie Mortreux, October 2018.