Banks and GDPR, what are the foundations of good compliance?
As we mentioned in our first article on banks and the GDPR, the large amount of data collected by banking institutions provides precise knowledge of the consumption habits of the people concerned. This data is a real goldmine for companies, especially since the development of Big data and machine learning based analytics technologies.
It is therefore only logical that banks should seek to protect it by complying with the GDPR. Especially as breaches of this data can have negative consequences for the individuals affected.
Securing bank data and GDPR compliance
Part of securing personal data within the banking sector is now compliance with the principles of the GDPR.
The principle of accountability
Accountability is defined as responsibility, more specifically, accepting responsibility for honest and ethical conduct towards users. While banks used to have to declare their personal data processing to a data commission, they are now themselves responsible for their own GDPR compliance.
Banks must therefore keep a register of personal data processing, specifying the data they hold, the type of data, where it is stored, what it is used for, when it is stored and what security measures are in place. This documentation attests to their compliance with the GDPR, in particular with the CNIL in the event of an inspection or incident.
The principle of Privacy by design
The principle of Privacy by Design implies that banks take into account the security of personal data right from the design stage of any service or product. The integration of the concept of personal data protection from the design stage of projects allows for a limitation of the risks of non-compliance with the GDPR.
The principle of lawfulness of processing
Lawfulness of processing, this principle is based on the fact that the processing of personal data is only permitted if it is based on one of the six legal grounds provided for in the GDPR.
The grounds are as follows:
- if it is necessary to comply with a legal obligation, for example, to comply with one of the regulations imposed on the banking sector
- if it is necessary for the performance of a contract or pre-contractual measures involving the data subject
- if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- if it is necessary for the legitimate interests of the banking institution responsible for the processing, for example in order to canvass customers to ensure the smooth running of the organisation, or to prevent fraud;
- if it is necessary to safeguard the vital interests of the data subject;
- the last possible legal basis is, of course, the GDPR, General Data Protection Regulation of the data subject, which must be given by a clear positive act, and must be as simple to withdraw as to provide.
The principle of fairness and transparency
The principle of fairness and transparency is defined by the fact that an organisation processing an individual’s data must provide him or her with clear, accessible and concise information (right to information) about that processing.
The individual must also be able to easily exercise his or her GDPR rights with the organisation when he or she wishes to do so: right of access, rectification, opposition, deletion, right to portability, etc. Obviously, the data collected must be processed for the precise and legitimate purposes explained to the data subjects, and may not be processed for other purposes.
The principle of relevance and minimisation
The principle of relevance and minimisation restricts the collection of personal data to the processing operations intended for the bank. Access to the data must be limited to the competent persons involved in its collection or processing, and its retention may not exceed the period required for the purposes for which it is processed. Finally, the processing of data must also be limited to what is necessary.
Principles whose respect requires the implementation of internal processes required by the GDPR
An up-to-date processing register detailing all personal data processing that may be carried out must be implemented. In addition, a data protection impact assessment (DPA) must be proposed in order to identify possible risks in the event of a breach and to put in place adequate security measures. The appointment or recruitment of a Data Protection Officer (DPO) for organisations with more than 250 employees or processing a significant amount of personal data is mandatory.
In addition to these measures, the implementation of GDPR compliance is not so simple, as it is complicated by a few parameters specific to the banking sector… This will be the subject of the next article in our dossier on banks and GDPR compliance.