The General Data Protection Regulation came into force on 25 May 2018
The GDPR harmonises data management in the different EU countries. It allows for more transparency and therefore more trust in the digital world. It combines the protection of individuals’ rights with the free movement of data within the European Union.
The sanctions for non-compliant companies have become severe: fines can rise to 4% of the worldwide turnover of the company concerned.
First of all, let us remember that this European regulation is applicable to all companies processing personal data and not only to financial institutions.
Personal data is information that makes it possible to identify or recognize a person directly or indirectly, such as a date of birth, a postal address, an e-mail address, a computer’s IP address, a telephone number, a payment card number, a vehicle registration plate, a fingerprint, a social security number…
Financial institutions therefore process a significant amount of personal data.
Defining the purpose of the processing of personal data is essential, because financial institutions will have to obtain the consent of the data subjects for the purpose for which their data is processed.
If the purpose changes, the consent of the persons concerned must be obtained for the new purpose. For example, if customer data is collected to manage their accounts and consent has been given only for that purpose, a bank that wishes to send those customers marketing material must obtain their consent for that new purpose.
This consent must be a positive act (there is no consent by default).
Data subjects gain new rights, and organisations have an obligation to set up a mechanism through which these rights can be exercised (right to information, rectification, objection to data processing, etc.).
For example, following an intrusion into a computer system.
It must be verified that the period for which data is archived is consistent with the purpose for which the clients’ consent was obtained.
This provision replaces the previous obligation to file declarations with the CNIL (the French data protection authority).
The DPO is the real conductor of the whole system. The DPO must obviously be familiar with the regulation, train the teams, ensure that the measures put in place comply with it, and be the single point of contact for the CNIL.
Marie-Agnès Nicolet