The General Data Protection Regulation (GDPR)


The General Data Protection Regulation became applicable on 25 May 2018.

The GDPR harmonises the handling of personal data across the EU member states. It brings more transparency, and therefore more trust, to the digital world, and it combines the protection of individuals' rights with the free movement of data within the European Union.

Why is it important?

Because the sanctions for non-compliant companies have become very significant: administrative fines can reach 4% of the worldwide annual turnover of the company concerned (or EUR 20 million, whichever is higher).

First of all, let us remember that this European regulation applies to every organisation that processes personal data, not only to financial institutions.

What is personal data?

Personal data is any information that makes it possible to identify a natural person, directly or indirectly: a date of birth, a postal address, an e-mail address, a computer's IP address, a telephone number, a payment card number, a vehicle registration plate, a fingerprint, a social security number, and so on.

Financial institutions therefore process a significant amount of personal data.

What are the main points of this European regulation?

1° First of all, the definition of the purpose of the processing operations

Defining the purpose for which personal data is processed is essential, because each processing operation must rest on a lawful basis tied to that purpose. Consent of the data subjects is one such basis; the regulation also recognises others, such as the performance of a contract with the customer or compliance with a legal obligation. Where a financial institution relies on consent, that consent must cover the stated purpose.

If the purpose changes, the consent of the persons concerned must be obtained again for the new purpose. For example, if customer data is collected to manage their accounts, and consent was collected only for that purpose, the bank must obtain fresh consent before using the same data to send customers marketing material.

Consent must be given by a clear affirmative act (no pre-ticked boxes or consent by default).

2° The handling of the rights of the persons concerned

The regulation creates new rights for data subjects and obliges organisations to set up a mechanism through which these rights can be exercised (right to information, access, rectification, erasure, objection to processing, data portability, etc.).

3° The obligation to report a personal data breach without undue delay

A breach must be notified to the supervisory authority without undue delay (within 72 hours of becoming aware of it, where feasible) and, where it is likely to result in a high risk to the persons concerned, communicated to those persons as well. A typical trigger is an intrusion into a computer system.

4° The transfer of data outside the EU, which is permitted only under the safeguards provided by the regulation (adequacy decision, standard contractual clauses, binding corporate rules, etc.)
5° The consistency of retention periods with the purposes

It must be verified that the period for which data is kept is consistent with the purpose for which it was collected and, where applicable, for which the clients' consent was obtained.

6° The verification that the companies to which the financial institution outsources the processing of personal data (its processors) comply with the GDPR, including through a written contract setting out their obligations
7° The establishment of records of processing activities

This provision replaces the former obligation to file declarations with the CNIL (the French data protection authority).

8° Finally, the appointment of a data protection officer

Appointment of a DPO is mandatory in the cases set out by the regulation, notably where the organisation's core activities involve regular and systematic monitoring of data subjects on a large scale. The DPO is the real conductor of the whole arrangement: they must obviously know the regulation, train the teams, ensure that processing operations comply with it, and act as the single point of contact for the CNIL.

Marie-Agnès Nicolet
