
Top 5 GDPR Challenges for Financial Institutions

By Reuben Bernard

Ever since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, data privacy law in the European Union (EU) has changed substantially. Under the new rules, organizations across industries are accountable for protecting the personal data of customers and employees. GDPR empowers customers and puts them in control of their personal information. It applies to all EU citizens and EU organizations, and it also covers institutions outside the EU that serve individuals within the EU.

When it comes to banks and financial entities, client data passes through many stages during customer onboarding, accounting, relationship management and other banking processes. At each of these stages, sensitive data is handled by numerous people and computing systems. This calls for a structured plan to safeguard customer data against possible breaches. Hence, the GDPR.

Today we are going to look at the challenges financial institutions face while implementing GDPR. But first, a few definitions.

Data subject: A data subject is a customer or employee who shares their personal data with a bank.

Data controller: A data controller is a bank or financial entity which collects, holds and manages the personal information of its clients and employees.

Data processor: A data processor is an organization that processes and analyzes customer data. It can be a bank or a third party service provider.

The challenges below are excerpted from a webinar conducted by Payjo, a leading conversational AI banking software provider.

Customer consent

The first thing banks need to ensure under GDPR is customer consent. Clients’ personal data must be processed strictly under one of the six lawful bases enshrined in the GDPR. Personal data is anything that can be used to identify a client: name, age, sex, email address, residential address, phone number, social security number and information shared on social media all come within its ambit. Under the new regulations, data controllers must seek the customer’s consent before collecting their personal information. They also need to explain why they are gathering the data and how they are going to use it. Sharing the data with a third party also requires approval, and customers can hold the data controller accountable for any unauthorized use of their data. In short, banks need to be fully prepared to handle customer data lawfully.

Right to data erasure

Under GDPR, data subjects can ask data controllers to permanently erase their personal data from their records without any external authorization. The data subject has a full right to data erasure. The bank might retain some data to comply with other laws, but apart from that, the customer has the right to be forgotten. To honour this, data controllers need to overhaul their data management systems.

Breach of data

GDPR mandates every bank to employ a Data Protection Officer to ensure adherence to the new laws. In case of a data breach, the GDPR governing authority must be notified within 72 hours. The data controller has to furnish all the details of the breach, including its nature, extent and criticality. Affected data subjects must also be informed without undue delay. Financial institutions therefore need to put in place an efficient data breach reporting system. A rethink of their approach to customer data is imperative: they need to redefine how they, and the service providers they outsource processing to, handle customer data.

Data sharing

GDPR requires data controllers to take responsibility for data shared across platforms. Due to the nature of their operations, banks often outsource jobs beyond their core competency, such as human resources and IT, to third party service providers. In doing so, a lot of sensitive data moves across borders and is exposed to external agencies. Under the new regulations, data controllers need to ensure the information is kept safe and handled ethically by data processors. In other words, GDPR imposes end-to-end accountability on banks for the protection of personal data.

Privacy by design

One of the pillars of GDPR is the ‘privacy by design’ tenet. It calls on data controllers to list all the possible risks to privacy before a project involving personal data commences. It also requires them to set up organizational and technical checks and balances to pre-empt violations and implement data protection rules. This is where pseudonymisation comes in. It is defined as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’. To this end, data controllers need to revamp their data security measures to ensure GDPR compliance.
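Pseudonymisation as the definition above describes it, shown as an added example (my code, not from the article or from Payjo): the dataset handed to a processor carries only keyed tokens, while the key and the token-to-identity mapping, the ‘additional information’, are held separately by the controller. The PseudonymVault class, the helper names and the customer records are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real customers): what a bank might hand to an
# analytics team or outsourced processor once the identifiers have been replaced.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "balance": 1200},
    {"name": "Bob Example", "email": "bob@example.com", "balance": 85},
    {"name": "Alice Example", "email": "alice@example.com", "balance": 1340},
]
IDENTIFYING_FIELDS = ("name", "email")


class PseudonymVault:
    """The 'additional information' of the GDPR definition: a secret key plus the
    pseudonym-to-identity mapping. The controller keeps it separately from the
    dataset the processor sees, under its own access controls and audit logging."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._mapping = {}

    def pseudonymise(self, record: dict) -> dict:
        # Keyed HMAC instead of a plain hash: without the key nobody can confirm that
        # a guessed name/email matches a token, yet the same subject always yields the
        # same token, so the processor can still link that subject's records.
        identity = "|".join(str(record[f]) for f in IDENTIFYING_FIELDS)
        token = hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()[:24]
        self._mapping[token] = {f: record[f] for f in IDENTIFYING_FIELDS}
        stripped = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        return {"subject_id": token, **stripped}

    def reidentify(self, token: str):
        return self._mapping.get(token)

    def erase(self, token: str) -> None:
        # Removing the mapping leaves the processed records unattributable.
        self._mapping.pop(token, None)


def build_processing_dataset(vault: PseudonymVault, customers: list) -> list:
    """The dataset a processor may receive: direct identifiers replaced by tokens."""
    return [vault.pseudonymise(r) for r in customers]


def leaks_identifiers(dataset: list) -> bool:
    """Release check: refuse to hand over a dataset that still carries identifiers."""
    return any(f in rec for rec in dataset for f in IDENTIFYING_FIELDS)
```

A leaked processing dataset without the vault exposes balances tied to opaque tokens only, which is what lowers the impact assessed during breach notification; the vault itself must therefore be protected and logged as a separate asset.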
