Increased transparency and trust doesn’t come cheap. Enhancing data protection in financial institutions and larger corporations are going to be complex and expensive, but for SMEs and fintech companies, the new legislation brings along new opportunities

Data is the backbone of every financial institution, and for the last while, data has been the new oil. After years of acquiring sensitive data and personal information, essential for competing in the financial industry, larger corporations and financial institutions might find themselves engaged in a process of Kafkaesque dimensions when attempting to implement the EU General Data Protection (GDPR).

According to McKinsey, the time it may take to implement the regulation could easily exceed 18 months, and the cost could be considerable (more than €10 million), depending on the starting position of the company. But because banks and other financial firms are no strangers to regulation, it would be fair to assume that at least the majority are already working on spreadsheets at the time of writing this.

A competitive advantage

A fintech company that likely has access to a lot of data should also have multiple opportunities to reassess relationships with clients and demonstrate that personal data will be handled in the most respectful and secure manner possible.

“The first thing any fintech has to do is to take a proactive position to the GDPR. It might seem complex. Fintechs have a lot of confidential data they must process. However, if you do the right thing in the right order, it can be broken down into manageable pieces. They need to start with assessing their customer’s journey, and make sure they understand which data they need and to only have what is necessary,” says Bjørn Bjørnsvik, Senior Manager at Accenture Security in Norway.

All companies must comply with the new legislation by 25th of May this year, and in the first six months of 2018, the GDPR could give a competitive advantage to smaller fintech companies with high compliance.

Startups, and in this case fintech companies, will almost certainly experience that customers, clients or corporate partners will challenge them on the GDPR compliance. If a fintech is able to demonstrate they are aware of the extent and strictness of requirements coming with the new legislation, they are already ahead of other fintech companies who haven’t as yet assessed their need to comply.

“To prioritise the exercising of due diligence when it comes to seeing where data flows, where it is stored and who has access to it, and to be proactive on reassessing the need for data, is also a good investment for your company, since the use and protection of data will only receive more attention as time progresses. You need a legal assessment to identify what parts of your data are considered personal data and to make sure that data is secured, as well as ensuring that you have the valid consent from the customer to collect it,” Bjørn Bjørnsvik says.

Consent is king

It is most common that fintech companies are third parties in the data flow, and have access to customer data through a bank or financial institution.

“GDPR legislation affects data processors and data controllers equally. Considering that fintech companies will likely be accessing data from a financial institution, they will not be owning or controlling the data, but rather processing the data on behalf of the banks. Some of the requirements of the data processors and controllers will vary, but based on how each of them engages with the client and determine the means and purpose for processing this data, they may need to agree to joint control,” Bjørn Bjørnsvik says.

There are multiple challenges, but Bjørn Bjørnsvik sees this as the biggest. Innovation is based on how fintechs choose to use existing data in new ways, and they need to make sure they have consent for how they decide to use the data. GDPR imposes limits on further processing, which might make it more difficult for many fintechs to drive innovation.

“The need for consent will depend on how the fintech company processes the data on behalf of the financial institutions. But if a fintech company decides to innovate new products or services for their clients then the question is whether consent has already been given by the data subject on how their data will be used. Fintechs have to be careful when processing new data,” Bjørn Bjørnsvik says.

Data collected for a specific purpose cannot be transferred or shared for a different purpose without explicit consent from the data subject. The innovative nature of fintech companies makes consent management the biggest challenge.

Prepare for the breach

Companies that fail to meet the criteria and are reported or suffer from a data breach can be subject to fines. Although it is not entirely clear yet, we can estimate the worst case scenario to be a fine of up to 20 million euros or 4 percent of the total global profit in a company.

If your organisation suffers a data breach, you must report it to either the data controller without undue delay or, if you are a data controller, to the authorities within 72 hours.

“If a fintech company is using information from the data controller, that fintech company will need to report the data breach to the controller. The financial institution will then report the breach to the authorities and the data subjects. But if the fintech becomes the data controller, they themselves will have to report the breach to the authorities and the data subjects. Whether or not they become a data co-controller depends on whether they are acquiring their own consent for the processing activities they are performing,” Bjørn Bjørnsvik says.

For obvious reasons, we are yet to see the full consequences of a data breach or violation of the legislation, but companies should have processes in place that would allow a data breach to be examined and properly researched.