Why is GDPR important for a business?

Or, as an individual, how much should I be concerned about it?

In the previous articles we reviewed the AML rules and principles, their influence on business, and why it is important to adhere to those standards. Here we discuss how these rules correlate with other legislation that has a direct impact on businesses and other financial organizations.

So what is GDPR, and why has it attracted so much attention recently?

Briefly, the General Data Protection Regulation (hereinafter GDPR) was a response to massive global data breaches that were undermining trust in governments and the security of private citizens whose personal information was implicated. As this data was exposed due to poor security measures, the authorities of the European Union (hereinafter EU) concluded that they had to get involved in creating new legislation that would protect the data and personal information of citizens; it was also an ideal opportunity to regain declining trust in society[1].

Hence the GDPR, which came into force on May 25th, 2018, is changing and shaping how businesses within the EU handle the personal data of their customers and clients. GDPR clarifies and harmonizes data protection legislation across all EU member states, but it also applies to organizations outside the EU that process or monitor the personal data of EU citizens, or sell goods and services to them, from outside its territory[2].

Practically, GDPR is a regulation whose prime purpose is to provide more consistent protection of consumer and personal data among EU countries and to ensure that the rights of data subjects are protected and their data is not misused, stolen, or used without their permission. Hence, any organization using personal data must comply with the regulation and make sure that data received from citizens is placed under close supervision and that security measures are implemented accordingly; otherwise sanctions such as fines will be applied (see the biggest GDPR fines of 2019, 2020, and 2021 so far)[3].

So how do these rights operate in day-to-day activities, and do they mean that at the workplace or outdoors I am not allowed to disclose the names of my friends, relatives, and neighbors? The answer, briefly and firmly, is no, and indeed that is usually how the law is applied in practice.

In an opinion given by Advocate General Bobek of the European Court of Justice, Bobek said the following: “Humans are social creatures. Most of our interactions involve the sharing of some sort of information, often at times with other humans. Should any and virtually every exchange of such information be subject to the GDPR?”[4]

The clear answer to this question should be negative, as the GDPR mostly concerns businesses and financial institutions, or entities that would typically be understood to operate as controllers (businesses, charities, etc.). This means that if you are a controller holding the personal data of a subject, or a processor acting on the controller's behalf, both parties fall within this description of processing data[5].

That said, almost everything now involves the use of technology that, strictly speaking, does or may constitute “processing” for the purposes of the GDPR, and where exactly that boundary lies is still under consideration. Hence, should we question how our data is used and whether the rules are relevant to that use? For a financial institution, delivering GDPR compliance while managing AML obligations remains a huge responsibility and requires a great number of resources to comprehend both pieces of legislation and their application.

GDPR vs. AML, and how to remain compliant

Since the directives came into force, all businesses are expected to align their internal procedures with these requirements, meaning that they need to focus intensely on personal data in order to follow them. Know Your Customer (KYC), or Know Your Client, obligations require financial institutions and obliged entities to verify the identity, suitability, and risks involved in maintaining a business relationship. These procedures inevitably involve a huge amount of data that must be collected from the customer, while on the other side of this requirement we have the restrictions introduced by GDPR, which represent a challenge for financial institutions because the regulation protects the data from the data subject's perspective. More specifically, in some scenarios the legal scope of GDPR clashes with the way institutions identify customers during their due diligence procedures and how they manage their risks thereafter.

Hence, as a company or business you may need to process personal data to proceed with a customer application related to your business activities. The processing of personal data for that purpose can be justified on the ground of legitimate interest. Many people incorrectly assume that a business needs to acquire their consent before it can process their data, but consent is just one of six lawful grounds for processing data, and it is only applicable when none of the other grounds are relevant[6].

Moreover, processing data under “legitimate interests” demands that the processing is genuinely necessary. If the same objective can be achieved by an alternative approach without processing personal data, then processing is not lawful without consent.

Therefore, at first glance the application of GDPR seems rather simple: all you need is to obtain the data subject's consent to handle information relating to that person. However, it becomes a rather difficult task for businesses to know which articles or grounds should apply in order to satisfy the regulator and protect the fundamental rights of the individual.

So, do we need to modify GDPR to fulfil the needs of today's society?

While the COVID pandemic led to a shift to remote working, it also created unprecedented circumstances for all businesses, including the technical challenges of maintaining compliance with remote staff who use software that authenticates them while a lot of data is transmitted in the process.

German MEP Axel Voss, a major figure behind the GDPR, recognizes that the GDPR is not sufficiently adapted to some of today's challenges, including blockchain, facial or voice recognition, and text and data mining.

Nonetheless, Sophie in 't Veld, a Dutch MEP who was also involved in drafting GDPR, states on the other hand that it took almost five years to prepare such substantial legislation, that it leaves plenty of flexibility for its implementation, and that it is adjustable to such circumstances as it now stands[7].

To conclude, referring to the statements above, whether we will see any supplementation or amendment to the legislation remains a matter for the consideration of governments and other relevant authorities. Afacomp can provide relevant training and capture the necessities of your business needs.

[1] Cyber security: how to maintain GDPR compliance? – Lexology

[2] Soriano v Forensic News LLC and Others [2021] EWHC 56 (QB)

[3] https://www.tessian.com/blog/biggest-gdpr-fines-2020/

[4] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3a62020CC0245&from=EN

[5] AI Regulation: Implications for FinTech and FinTech M&A | Resources | DataGuidance

[6] GDPR: When do you need to seek consent? – IT Governance Blog En

[7] EU must overhaul flagship data protection laws, says ‘father’ of policy (irishtimes.com)

Inga Vaitkunskaite
Senior Compliance Officer