Ensuring GDPR compliance within the financial sector
Financial institutions collect and process high volumes of personal data, including special category data. On May 25, 2018, the General Data Protection Regulation (GDPR) was implemented throughout Europe. The GDPR imposes stricter requirements on the organizational and technical measures financial institutions must have in place to ensure the security of personal data.
The financial sector is accustomed to changing legislation, compliance and regulations, and it understands the importance of sound operational management in meeting requirements. With the new GDPR requirements, institutions are looking more closely at topics such as data minimization, the retention period, data portability, and the appropriate legal basis for data processing activities.
With GDPR, the risks of non-compliance for financial services companies are more than regulatory: They are financial and reputational as well. If data privacy is breached because a financial services company did not take the right organizational and technical measures, that could be disastrous for its business.
The challenges of GDPR compliance
Many organizations faced with GDPR compliance are struggling with the way they manage data in their legacy IT systems. In addition, many norms remain subject to the interpretation of institutions, pending further clarification of these norms by the European Data Protection Board (‘EDPB’).
For instance, how should companies handle data that is partly recorded on paper, such as client advisory files? This raises questions about data legacy and retention periods. And how should an organization transfer data to a competitor if that data also contains intellectual property? This is a matter of competitive advantage vs. data portability. Another example: In which cases should a financial institution obtain explicit consent, and when could one of the other five lawful bases, such as contractual necessity or legal obligation, be used for the lawful processing of personal data?
The way to adequately address these challenges depends on the risks a financial institution is exposed to and the measures in place to mitigate the effects of those risks for the institution and its clients. Even though not all norms have been clarified by the EDPB, financial institutions should show regulators they have thought about and addressed the norms by providing so-called “comply or explain” documentation.
BDO has a multidisciplinary team of GDPR experts dedicated to the financial sector that can support you with continuous compliance with GDPR requirements. Our team members are experts in law, compliance, (operational) risk management, and IT/cybersecurity. We offer a wide variety of GDPR-related services, including support with GDPR compliance by:
- Interpreting and transposing legal texts into operational action plans
- Implementing adequate data security requirements
- Conducting data protection impact assessments
- Embedding an automated monitoring system to ensure continuous GDPR compliance
- Outsourcing the role of the Data Protection Officer
- Providing training for your staff on GDPR requirements