The General Data Protection Regulation came into force on May 25, 2018, and has introduced the strongest data protection rules to protect EU citizen data on a global basis.
For many FinTech startups working in or targeting the EU, the GDPR should make you think about how you manage your data in a transparent, responsible and accountable way — showing and ensuring that you’ve put the right systems in place to manage user data securely and, for example, that you obtain customers’ consent before processing their personal data.
There is, however, plenty of confusion surrounding this law – whether you’re based inside or outside of the European Union (EU). This blog aims to clarify all the complexities related to this law.
GDPR overview for FinTech startups
The GDPR is a new data protection law and replaces the 1995 Data Protection Directive. Until now, this was the minimum standard for processing data in the EU. The new law has strengthened a number of rights: individuals now have the power to demand (view or delete) personal data held by companies. The regulators can work together across the EU avoiding the need to launch separate action in each jurisdiction, and the enforcement action can result in an eye-watering fine of €20m (£17.5m, $23m) or 4% of the company’s global turnover, whichever is the higher. Fines can be levied on businesses that aren’t compliant or choose to misuse the personal information of EU citizens.
In essence, the GDPR seeks to bring more transparency to EU citizens. Individuals have the right to be informed about the collection and use of their personal data. FinTech startups should carry out a comprehensive analysis of how they collect natural persons’ personal data, the purpose for processing it, the retention periods and who it will be shared with. The goal is to avoid unnecessary personal data collection. Personal information can include, but is not limited to:
- First and last name
- Bank account information
- Medical records
- Passport information
- Personal or business email address
- Credit card information
- Photos and videos
- Usernames and passwords
- Financial transactions
The GDPR contains 99 articles setting out the rights of individuals and the obligations placed on organisations covered by the regulation, and builds on the pre-existing EU Data Protection Directive. The former directive was introduced back in 1995, prior to the on-demand age of social media, rendering it outdated. The reforms have been designed to reflect today’s internet-driven world and its data protection obligations (including those around personal data, privacy and consent). Financial services are adopting biometrics, such as fingerprints and eye scans, more and more frequently to identify their customers. Therefore, in addition to obtaining the data subject’s explicit consent when collecting biometric data, FinTech startups must also have controls in place that protect that data.
Who does the new law apply to?
Do you process EU residents’ personal data? If you do, the GDPR is likely to apply to you. This law applies to any organisation that stores, processes or transmits personal data belonging to EU residents.
For organisations outside the EU, the law is applicable if they offer goods or services, or monitor the behaviour of EU data subjects.
This regulatory law expects all small and medium-sized enterprises (SMEs), which includes FinTech startups, to comply with the regulation, with some allowances made for startups with fewer than 250 employees.
Who are data controllers and processors?
It’s important for FinTech startups processing personal data to determine whether they are a data controller or a data processor. The data controller is the organisation that determines the purposes and the way personal data is processed. Generally, if a startup handles personal data on behalf of a data controller, it is a ‘data processor’ and subject to fewer obligations under the law. However, the fact that one organisation provides a service to another organisation does not necessarily mean that it is acting as a data processor. It could be a data controller in its own right, depending on the degree of control it exercises over the processing operation.
Clearly, identifying whether your FinTech startup is a data controller or a data processor is important, particularly if there is a data breach, as this determines which organisation has the overarching data protection responsibility. It is the responsibility of the controller to ensure that the processor complies with the GDPR. For processors, maintaining records of their processing activities is a must to ensure they are abiding by the rules. If a processor breaches the rules, the controller will still be liable for financial penalties; therefore, a processor must notify its controller immediately once a breach has occurred.
How can FinTech startups process data now?
This law states that data controllers must process personal information lawfully, transparently and for a specific purpose. This means that EU citizens must clearly understand why you are processing customer data, how you are processing the data and that you are abiding by GDPR rules whilst processing it. The term “lawfully” can have various meanings, including:
- The data subject has consented to their data being processed
- To comply with a legal obligation or contract
- Protecting the vital interests of the data subject (in terms of the processing being essential for their life)
- Processing the data subject’s personal information is in the interest of the public
- Processing the data subject’s personal information is in the interest of the controller
For your business to process personal data, one of these justifications must apply.
Given the broad scope of this legislation, there is no doubt that traditional financial businesses and startups need to remodel their existing systems, or design new processes more attuned to the concept of ‘Privacy by design’, and integrate them into their day-to-day operations.