This is part of a series on how GDPR affects companies and how to comply with its requirements.
Although they’ve had two years to prepare to comply with the European Union’s General Data Protection Regulation (GDPR), many organizations are still scrambling as the Friday, May 25 deadline approaches. One challenge is understanding what the new privacy rules entail. Here, we ask companies in the financial and technology sectors what GDPR means for them.
“It’s important to know that the definition of ‘GDPR readiness’ may differ from company to company,” Colin Harper, head of business change services at GFT, wrote in an email. “For example, to be able to run it as project with a May 25 deadline, organizations may tend to limit the meaning of ‘GDPR readiness’ to rather formal aspects of the GDPR (appointing the [data protection officer, or DPO], setting up an inventory of processing activities, renewing contracts, updating privacy notice, etc.).”
GDPR applies to all companies the same way: It considers financial data to be personal data. But competing regulations, such as Open Banking, come into play, he wrote. Open Banking rules in the United Kingdom and EU mean banks must make customers’ data available to third-party service providers through APIs, but those third parties must be on a whitelist and the clients must have consented to the access.
Companies with strong data protection policies in place will likely have an easier time adapting to GDPR’s requirements, Harper added. For example, GFT, which provides IT solutions to financial-sector customers, used its compliance program as a benchmark in the United Kingdom to meet GDPR.
“A holistic approach, backed by a strong commitment from the top management of the financial institution is the heart of a successful strategy to achieve a data governance model that provides a coherent view of personal data,” he wrote. “Achieving this will make it easier for banks to not only comply rigorously and sustainably with the GDPR, but also achieve greater utility from their data, thereby enabling improvements in efficiency and cost reduction across the firm; good data underpins good processing in the long term.”
Challenges for AI companies include defining what an “overview” or a deletion of data entails because often an aggregation of many pieces of data are involved. Another is whether automation can apply to any GDPR requirements. “We have to be prepared that the personalization, anonymized or not, afforded by data collection and so necessary to AI algorithms could be up for question as owners of that data have a right to a) be forgotten and b) a right to explanation,” he wrote.
A GDPR-compliant company should have the following elements in their strategy, Pereira wrote:
- Data, in terms of collection, storage and use.
- Individual rights, namely how to deal with GDPR’s right to be forgotten and respond to customers’ inquiries about their data.
- Privacy notices, especially updating them to include the regulation.
- Consent, or how the company obtains it.
- Data breaches, specifically how to prevent, detect and respond to them.
For more, read Part 1: Are you ready to comply with GDPR?