10 Jan What your African FinTech needs to know about GDPR
General Data Protection Regulation, is an EU regulation designed to protect the personal data of EU citizens. It’s also one of a handful of regulations the UK has committed to retain when it leaves the EU. The regulation was adopted in April 2016, but becomes enforceable on 25 May 2018.
Protecting the personal information of citizens is important given the number of data breaches that have occurred recently, and when one considers the increasing incidences of credit card fraud and identity theft. GDPR is designed to provide standardized data protection laws across the EU, and in doing so, establish personal data freedom as a fundamental human right.
The implication is that companies have to take responsibility for any personal data they collect, store or transmit.
While previous legislation has left a lot open to interpretation, GDPR is very specific about what qualifies as personal data and about who is responsible for protecting that data. Non-compliance can leave companies liable for severe fines as high as €20 million or 4% of an organization’s total global revenues.
This puts FinTech companies in the spotlight. By their, nature FinTechs use and store personal data on a daily basis. Personal data includes names, street and postal addresses, phone numbers, email addresses ID and passport numbers, date of birth, and in many cases banking details.
What Measures are FinTechs Obliged to Take?
Some of the types of measures that companies are obligated to ensure include:
- Consent: Any company that stores or makes use of personal data needs to obtain that individual’s consent to do so. That consent can also be withdrawn at any time.
- Transparency: Companies will need to inform individuals about any personal data they are storing or processing. They will also need to inform individuals if that information is being transferred outside of the EU.
- Data Breaches: Companies have an obligation to inform the supervisory authority if any personal data was the subject of a data breach. The supervisory authority may then compel the company to inform the individuals concerned.
- Rights to access, portability and erasure: Companies have an obligation to provide individuals with a copy of any personal data being stored, used or transmitted. Under certain circumstances, they may also be obligated to transfer that data to other organizations. Individuals may also request personal data to be erased.
Developing a Plan to Ensure Compliance
So how does a company comply with these regulations? The UK’s Information Commissioner’s Office has published a report highlighting 12 steps companies can take to ensure they comply with the regulation. The following is a brief summary of those steps.
- Create awareness of the regulation and its requirements within the organization.
- Conduct an audit of data currently being stored or used.
- Audit current privacy notices on websites and any correspondence being used.
- Ensure the organization has procedures to enable an individual’s rights with regard to their personal data.
- Ensure the organization is able to deal with and comply with requests made by individuals.
- Ensure that the company has a lawful basis for processing the data it does.
- Review and update the procedure to obtain and manage consent to use personal data.
- Decide whether you need to verify an individuals age and whether you need parental or guardian consent to use a minor’s personal information.
- Ensure you have procedures in place to detect, report and investigate data breaches.
- Decide whether a Data Protection Impact Assessment may be required. DPIAs are mandatory if data processing may result in high risk to individuals.
- Designate someone within the organization as a Data Protection Officer.
- Identify the most appropriate data protection supervisory authority.
There are other measures a company can take to reduce the burden of compliance. For instance, in some cases identifying information can be replaced with pseudonyms. In other cases, anonymized data can be used for analysis. If personal data is removed from data sets and records cannot be traced back to individuals, that data no longer falls under GDPR.
Complying with both GDPR and KYC regulations will pose a further challenge for FinTech companies. On the one hand they will have to obtain certain information to comply with anti-money laundering regulations. On the other hand, they will need to comply with GDPR when obtaining and storing that information.
In South Africa, similar legislation will come into effect when the Protection of Personal Information Act 4 of 2013 (POPI) is signed. The date that it will take effect is still to be determined, but FinTech companies will need to prepare for it to take effect at some point soon. It, therefore, makes sense to address both sets of regulations when conducting a data privacy audit.
This is a brief overview of the measures a company needs to take and the ways an organization can address the requirements of GDPR. To ensure a company is in full compliant with the regulation it is advisable to seek the assistance of data security or legal specialists.]]>