GDPR has wide-ranging implications for commercial organisations that hold the personal data of individuals in the EU, generally raising the bar in terms of:
- The technical and organisational measures that must be taken to protect personal data
- Ensuring that there is a lawful basis for processing personal data
- Giving individuals the right to request that their personal data be erased
- The potential fines for organisations that transgress: up to €20 million or 4% of worldwide annual turnover, whichever is higher
The challenges will vary by organisation and, among other things, by the type of business. For firms working in regulated industries like financial services, there is an added need to reconcile apparently conflicting obligations: specifically, the duty to retain records in order to comply with customer-protection and market-abuse rules such as the EU’s Markets in Financial Instruments Directive (MiFID II) and the Market Abuse Regulation (MAR), versus the individual’s right “to be forgotten”. Corporate governance can further muddy the water: in investment banking, for example, where billions of dollars are transacted every day, the rights of an individual – an employee or a counterparty – may sit counter to the need to protect the interests of a firm and its various stakeholders.
This, of course, rests on establishing an acceptable lawful basis for retaining individuals’ personal data. As explained by the UK Information Commissioner’s Office (ICO), GDPR provides six lawful bases for processing personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
So an asset management firm will have a legal obligation under MiFID II to retain certain transaction-related communications – and by extension the personal data they contain – of past and present employees and counterparties. (This would normally override a request to be forgotten should one arise, since the right to erasure does not apply where processing is necessary to comply with a legal obligation.) Similarly, a mortgage provider will have a contractual basis for retaining a customer’s personal information for the life of the product.
While these may seem like obvious needs, the complication comes when addressing them at scale, where the data subjects span a range of constituencies: prospective customers, actual clients, past and present employees in a variety of functions, shareholders, suppliers and so on. Suddenly the classification of data, and the retention management that follows from it, becomes a non-trivial task — one that can only be addressed through an effective combination of policy, process and technology.
These conflicts between GDPR and industry regulation go beyond data retention, extending into areas such as the supervision of operations. Under MiFID II, regulated firms must take steps to supervise transaction-related communications, whether internal or external. If supervised staff are allowed to use company email or phones for private conversations, do you allow them to decide which communications are personal and should be removed from supervisory processes?
Although the answer may seem obvious, it is less so in EU countries where individuals’ rights to privacy are jealously guarded, often beyond what GDPR requires. The scenario above is real: a major French bank is grappling with this precise issue as it rolls out new communications-compliance technology to meet MiFID II. Nor is this a Gallic aberration: in Germany, for example, the replay of an employee’s telephone conversation may only be undertaken with the employee present. How does that scale?
These may be just the initial teething problems of implementing conflicting regulations in territories with a keen sense of the individual’s rights, a sense that dates back to the 1980s and arguably before that — well before there was a recognition of the imperative to protect consumers, businesses, markets or even nations from the effects of financial crime or misconduct.
Published in GDPR: REPORT, February 26, 2018