Parts of this article were originally published as part of a GDPR Fintech piece in the Sunday Business Post on 30 April 2017 called “The Sting In The GDPR Tail”.
Data Protection Changes Affecting Fintech
The General Data Protection Regulation (GDPR) comes into legal force on 25 May 2018. It replaces much of the current European and national data protection law. The GDPR is probably the biggest change to privacy and data protection legislation in over 20 years. While many important existing data protection principles will continue to apply, the GDPR extends the scope of protection for data subjects and increases the penalties for fintech businesses that do not comply with the new law.
GDPR Fintech Challenges
Fintech businesses, in particular, need to consider what they must do to become compliant with the GDPR before May 2018. The Sunday Business Post spoke with Mark Adair, technology law partner at Mason Hayes & Curran, to get his views on the areas of the GDPR that fintech businesses need to focus on.
“There are new concepts being brought in. The likes of biometric data and fingerprints are now being classed as sensitive personal data,” said Adair. “You would need explicit consent to process those. It’s tightening up and bringing new technologies under the auspices of existing data protection law.”
Access requests and data transfer
“End users can make requests to fintech businesses for copies of their personal data. The new data laws really open that up to a streamlined process,” said Adair. “The other point is that transferring data outside of the EU is now more difficult for organisations. There have to be appropriate safeguards, and the ways of retaining those safeguards have been tightened.”
Privacy by design
“Essentially, privacy is now part of the DNA of a company and its products. The obligation is on companies to build in privacy protection from the ground up,” said Adair. “That’s possibly easier for emerging companies, whereas a legacy company like a bank might have to retroactively build in privacy. It’s going to be more difficult for less nimble organisations.”
“If there is a data breach and it is a risk to the rights or freedoms of an individual, the company has to notify the Data Protection Commissioner with undue delay if it is a high risk,” said Adair. “In any other situation the notification has to be within 72 hours. There’s little time from when you learn about a breach until you notify.”
Automated processing restriction
“If a credit card company or bank is going to (or subcontracts to a fintech to) run an algorithm that decides whether you get credit, they have to let you know they are going to do that and get your explicit consent for that,” said Adair. “They can’t make automated decisions in the background without telling you.”