The clock is ticking on the commencement of the European Union’s General Data Protection Regulation (GDPR). After being approved by the European Parliament approximately two years ago, the new law is set to officially take effect in late May. Although the new GDPR will be in place only in the EU, expectations are that the new law will affect financial technology companies all over the world. Unfortunately, despite GDPR’s potential ramifications, many in the industry are still unaware of what the new GDPR is and how it’s going to impact Fintech companies themselves. A Dell and Dimension Research report discovered that 80 percent of businesses know of few or no details about GDPR.
So what is GDPR? Designed to strengthen the protection of personal data for all EU citizens, the new regulation aims to simplify the regulatory environment for business to enable both EU citizens and businesses to benefit from the digital economy, effectively creating a global data standard. Any company that conducts business in the EU must comply with the new GDPR.
Worried your Fintech company will be affected? Here are five areas your company may be impacted and how to prepare and navigate through these significant upcoming changes.
1. Consent Requirements
Consent is one of the biggest areas the new regulation addresses. Under the upcoming GDPR, companies must follow much stricter guidelines in order to obtain customers’ consent. Gone are the days of passive consent or opt-out for customers. Instead, customers will have to voluntarily opt in in order for a company to collect personal data. Additionally, companies must clearly describe the purpose for which the data is collected, and must seek additional consent should they want to share the information with a third party. Consent can also be withdrawn at any time. It’s imperative that companies proactively review their data collection processes now — before GDPR takes effect — and ensure that they are able to demonstrate that consent was freely given, in order to avoid significant financial penalties. Even though these consent standards can feel a little overbearing, they are actually a great opportunity for Fintech companies to build trust with their customers by explaining why data is collected.
2. Data Portability
All EU citizens are given the right under the new GDPR to request that financial institutions delete their personal data. Unlike in the U.S., this could be problematic for some Fintech companies where user information is spread across disparate legacy systems.
3. Security Breaches
In the past, Fintech companies were able to develop their own protocols for how they communicated and handled a data breach. Under the new GDPR this freedom disappears, as the regulation mandates that companies identify and report any security breach to the supervisory authority within 72 hours of the incident. The notification must include details of the breach, where it took place and an approximation of how many people were affected.
4. Data Protection Officer
A position created specifically under the new GDPR, the Data Protection Officer (DPO) is required for public Fintech companies and for companies processing large amounts of special categories of personal data. Since the main responsibility of the DPO will be to educate the company and its employees on important compliance requirements, among many other tasks, the GDPR requires DPOs to have “expert knowledge of data protection law and practices.”
5. Privacy By Design & Privacy By Default
Although these aren’t entirely new concepts, privacy by design and privacy by default will be mandatory under the new GDPR. Privacy by design will require Fintech companies to have privacy in mind from the outset when designing new processes or products. Privacy by default will require companies to set the most stringent privacy settings as the default when a customer is prompted to choose how much data they would like to share. If executed properly by Fintech companies, this represents another prime opportunity to gain customers’ trust through greater transparency. Although the majority of companies are not knowledgeable regarding GDPR, there is no choice when it comes to complying with the regulation. Failure to comply could result in fines of as much as $20 million or four percent of total annual sales, whichever is higher.
Moving forward, accountability and collaboration will be the important first steps for Fintech companies as they prepare for GDPR. Review your current data protection systems and evaluate them against the stricter future standards. Proper GDPR preparation will also require legal and IT teams to come together to develop a detailed, compliant GDPR implementation plan. With only a little more than a month until GDPR takes effect, every minute counts for your company’s compliance strategy.