GDPR where context is king
Mary Dryden is business development director at 360Dotnet
GDPR (General Data Protection Regulation) will be dropping in May 2018 and will define a new reality for how organisations process personal data.
It provides more rights and controls to the individual while placing a greater emphasis and responsibility on the organisations who process such personal information.
But while the industry begins to wake up to the new realities of how GDPR will affect the financial services sector, it is worth describing the context that some of the more elusive concepts will seek to enforce. After all, the GDPR will affect the EU and all industries within it, not just financial services.
The Right to be Forgotten allows individuals to ask for the explicit removal of their personal data to prevent any further processing, which in certain corners has caused concern.
Its origins, though, lie with search engine listings: in 2014 a Spanish individual wanted Google to remove the entries about himself regarding some debts, which he had subsequently paid off, and he felt the listings were no longer applicable.
The result was that Google complied with the court ruling, but the news sites running the story were not compelled to remove it, as there was a legitimate reason to have the article.
Put simply, if there is justification to hold the data then any claim for removal can be denied, or at least, any data not pertaining to such justification may be removed.
The Right to Data Portability provides the opportunity for individuals to obtain and reuse their data, handing them an electronic and machine-readable copy of the data held about them.
This comes from a larger trend of governments understanding the power of data and how this can be used to make various industry sectors more competitive. An example is the ambitious MiData initiative that attempted to allow permissive access to an individual’s bank account and export that data to other providers.
This ultimately resulted in the nerfed ability to extract current account data into a comparison website to determine the best available current account rates, and in part opened the door to more heavy-handed legislation within PSD2 and Open Banking. Here GDPR shifts the ownership and control of data from the organisation to the individual.
Lastly, consent to processing: activities that fall outside the legitimate basis for processing, or that are not necessary to render a specific service, may require verifiable and explicit consent from the individual before they can be processed.
This requirement looks to ensure there is greater transparency and understanding of how our data will be used and processed, which is something pretty much 99% of people do not truly understand.
If you’re the kind of individual who happily sells their soul by not reading lengthy terms and conditions and/or privacy statements, because, you know, life, then unambiguous consent statements will ensure you know exactly what you are signing up for (beyond the processing that would be reasonably expected).
Surprisingly, this kind of consent is more aimed at the younger generations who, at 14 and above, will happily sign up for services (think Facebook, Instagram, Snapchat, etc.) without understanding the implications of how that data may subsequently be used.
It would be too easy to approach the GDPR with an abundance of skepticism, especially in an industry fatigued by a regular churn of regulation and legislation.
But the GDPR should be viewed as both important and a pragmatic response to the new demands that individuals and new technology will dictate.
For the intermediary world, it is about understanding this new reality and how your organisation handles this from both a technical/back office standpoint as well as a process perspective.
The reasoning? Well, like Mario Costeja González who is now ironically cited as the man who sought anonymity after having his property forcibly sold, there are consequences that go beyond that of reputational damage.