What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR came into effect across the EU on May 25, 2018.

Breaking Down General Data Protection Regulation

The GDPR was adopted in April 2016 and added to the EU’s general policy of protecting citizens’ data. In addition to the notifications of collection and legal ramifications for misuse, there is also a requirement to obtain explicit consent, notify in cases of a hack or breach, appoint dedicated data protection officers, and much more. For financial institutions, the GDPR requires significant investments in compliance to ensure continuing access to the EU market. The GDPR also pushes firms to pseudonymize personally identifiable information (PII) prior to processing it, meaning that the data can’t be attributed back to a particular person. Pseudonymization allows firms to do broader data analysis, such as assessing the average debt ratio of their customers in a particular region, that would otherwise be beyond the original purpose for which the data was collected (assessing creditworthiness for a loan).
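As an added illustration (not part of the original article), the following Python shows the pattern the paragraph describes: direct identifiers are replaced by a keyed-hash pseudonym, the key is held separately from the data set, and the aggregate debt-ratio-by-region analysis is then run over the pseudonymized records only. The customer records and the key value are constructed placeholders.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample customer records (hypothetical values, not from the article).
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Alice Example", "region": "Bavaria", "debt": 24000, "income": 60000},
    {"customer_id": "C-1002", "name": "Bob Example",   "region": "Bavaria", "debt": 12000, "income": 48000},
    {"customer_id": "C-1003", "name": "Chloe Example", "region": "Lisbon",  "debt": 30000, "income": 50000},
]

# The pseudonymization key is the "additional information" that must be stored
# separately from the pseudonymized data (e.g. in a KMS or HSM). Placeholder value.
PSEUDONYM_KEY = b"REPLACE-WITH-KEY-FROM-KMS"


def pseudonymize_id(customer_id: str, key: bytes) -> str:
    """Derive a stable pseudonym with HMAC-SHA256.

    A plain SHA-256 of a short identifier can be reversed by hashing the whole
    id space; the secret key prevents re-identification by anyone who lacks it,
    while the same id still maps to the same pseudonym for aggregation.
    """
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key):
    """Copy each record, dropping direct identifiers and adding the pseudonym."""
    kept = ("region", "debt", "income")
    return [
        {"pseudonym": pseudonymize_id(r["customer_id"], key), **{k: r[k] for k in kept}}
        for r in records
    ]


def average_debt_ratio_by_region(records):
    """Aggregate analysis over the pseudonymized set: mean debt/income per region."""
    ratios = defaultdict(list)
    for r in records:
        ratios[r["region"]].append(r["debt"] / r["income"])
    return {region: sum(v) / len(v) for region, v in ratios.items()}


if __name__ == "__main__":
    pseudo = pseudonymize_records(CUSTOMERS, PSEUDONYM_KEY)
    print(average_debt_ratio_by_region(pseudo))
```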

GDPR Versus Big Data

The GDPR has effects beyond lending, insurance and other firms where sensitive personal data is collected and processed as a matter of course. The regulation applies to the human resources records of employees and even the IP addresses of people using online services. The GDPR builds upon data rights that the EU had advocated, such as the right of an individual to be forgotten and the right to data portability.

Challenges Associated With the GDPR

The decision to implement the GDPR came with criticism. Those opposed to the new regulation said that the position of data protection officers (DPOs) could be an administrative burden for many EU countries. The guidelines were set to include social networks and cloud providers but did not consider how to deal with employee data. In addition, data cannot be transferred to another country outside the EU unless that country guarantees the same kind of protection, so companies that didn't have this kind of privacy protection would be required to change their business practices. Furthermore, the costs associated with the proposed regulation could also increase over time due to the need for more investment, and general education in data protection is also sometimes required. There was also concern that data protection agencies across the EU would need to agree on a standard level of protection, something that may not be easy as they may disagree in their interpretation of the guidelines.