What is GDPR - The Core Elements

The GDPR will have significant impact on fintechs and financial services firms in areas such as the concept of customer consent, transparency of data arrangements, accountability, data breaches and more. Also, I'm sure you've heard about those fines in the media. Non-compliance with the GDPR can be up to 4% of your annual worldwide so that's global turnover or $20,000,000 Euro whichever is greater.

These penalties together of course with the reputational risk that you must consider, make it vital for fintechs and financial services firms to understand how the GDPR may impact your business. This is what we'll cover today and the themes I will discuss as you see here are the main themes that we think will be applicable to our financial services firm or a fintech.

However to note, even if you're not in this field, most of the topics we cover will be relevant to you as the company if you're either established in the EU or you're offering services or targeting EU residents and I'll discuss that more later on in the presentation. I hope you don't mind me noting before we continue and you will have read this when you signed up to the presentation.

This presentation focuses specifically on data protection legislation and I will not be covering banking and financial services law. At Mason Hayes & Curran, we do have a fantastic financial services team that would be happy to advise on the specific area of law and regulatory issues that may impact you especially if you're a financial services firm or in fintech and potentially subject these regulation.

I just note that you may need to be keeping in mind of other financial services regulation specifically one coming down the pipeline which is the revised payment services directive that's coming into force around the same time. I just note that and with that disclaimer, we'll continue on our journey [inaudible 00:05:39] to understanding the GDPR further.

You see, the 10 themes that I will be discussing today, the territorial scope, the expanded territorial scope of the GDPR, increased financial exposure that I already mentioned, the stricter obligations or concepts of consent, the transparency obligations on a company if you're processing personal data, the potential need or requirement to undergo a data protection impact assessment or to appoint a data protection officer, security obligations, how you engage with data processors and data processors obligations under the GDPR, the concept of accountability and then finally, the expanded data subject rights.

Next slide. First, some background to data protection reform. I want to lay out briefly maybe perhaps a boring legal subject, but something that's important to consider when you're understanding the reason for why there is a new data protection law. It's not just because there's been significant increases and uses of data throughout the world. What is current data protection rules throughout the EU, that's based upon a 1995 EU directive on data protection.

Now, an EU directive is different than a regulation. A directive applies to all the member states across the EU. It set certain aims, requirements and results that must be achieved in each member's state. It sets the process for it to be implemented by a member states and then national authorities must create or adapt their legislation to meet these aims by the dates specified in each given directive.

Now, as supposed to a directive, a regulation is actually immediately applicable and enforceable by law in all member states. As a good practice, member states may issue national legislation that defines the competent national authorities or inspections and sanctions that are outlined in the actual regulation. Because of this difference under the directive, there may have ... The law was implemented separately in member state national law.

As a result, there may not have been full harmonization across data protection law. It resulted potentially in inconsistent interpretations or different interpretations of data protection law throughout the EU. Now, the GDPR will apply directly as I said. It will replace the 1995 directive and if you didn't know, it comes into effect the 25th of May.

Hopefully, the GDPR is identified as a consumer, friendly law, however it is better for business too with more harmonization, it will result in better predictability. You as a company can prepare and understand how the law will be enforced across the EU. Next slide. Briefly, I will discuss the data protection principles.

The GDPR and the directive are all based or both based upon principles of data protection that you see here. The same basic concepts and principles exists under the GDPR that existed under the directive, but they're generally tighter controls and there is a greater emphasis on data subject rights. First, and it's just important to understand these principles because they found the baseline.

They're the foundation to data protection in the EU. It's good to understand that the foundation of it when you're implementing this in practice. First, the concept lawfulness, fairness and transparency in processing. Personal data must be processed lawfully, fairly and transparently. Organizations or you should read this transparency requirement specifically in light of your privacy notices and we'll discuss what she must disclose in order to being considered transparent to your data subjects or to data subjects.

The purpose limitation. Personal data that you collect must be for specified explicit and legitimate purposes and you cannot further process data in a manner that is incompatible with that purpose, the initial purpose for which you collected the data and the concept of data minimization, now this is a slight tweak in the GDPR as opposed to the directive.

Personal data must be adequate and relevant to data that you collect under both the directive and GDPR. However, the standard under the GDPR appears to be tougher. The directive's obligation was to ensure that personal data was not excessive. Now, that is replaced with the personal data that you collect must be limited to what is necessary.

Organizations you may have to review your data processing operations in order to ascertain whether you process any personal data which is unnecessary having regard to the purpose for which you actually are doing the processing. It may seem to be a semantic change, but that semantic change will have a real impact in terms of your approach to collecting and processing data.

Next. Concept of storage or data retention. You must keep personal data in the form where it permits identification of the data subject for no longer than necessary. Data security or integrity and confidentiality, personal data must be processed in a manner that ensures the appropriate security of personal data including protection against unauthorized or unlawful processing and against accidental loss destruction or damage and using appropriate technical and organizational measures.

This requirement existed under the directive however, the GDPR now specifically categorizes this as the data protection principle therefore elevating its stature I guess under the law and really emphasizing how important data security is and that's fairly obvious considering the breaches we hear about it every day.

This is really considered to be an important consideration that a company must take when they're collecting and processing personal data. Finally, accountability. Making sure that you as a company are actually complying with the GDPR and are able to demonstrate that compliance. This is a new concept that's introduced by the GDPR. It requires controllers to be able to demonstrate their compliance with these data protection principles that I've just outlined.

This is significant even if it sounds a bit airy-fairy because it shifts the actual legal burden of proof on a data control in the event of a compliance investigation by a data protection authority within an EU member state. Organizations or our company should do this principle in light of the record-keeping obligation which I will discuss later on in the presentation.

Basically, the requirement to prove that consent for example, consent is obtained to process a data subject, data and also the concept of privacy by design and privacy by default.