How will GDPR affect Finance Companies and How to Be Ready?

Data breaches and identity theft, which have become very important in recent years, did not mean much before smartphones, in the years when the phone was used only to call and message. Bank transactions were made face to face. People did not have to think much about passwords or data theft, and hackers and cyber criminals were not in the category of risk that people needed to consider.

Therefore, there is an increasing need for regulation of data and a unified data protection policy. The European Union observed this need and created new legislation, the GDPR, which is expected to fundamentally change the way companies collect, manage and store information.

Financial institutions and service providers in the financial sector process a large amount of personal data on a daily basis. Most of the processed data is confidential and sensitive. This means there is a growing risk, and this sector is likely to be a focus of the supervisory authorities, who will be granted new rights to audit and to issue administrative fines. Under the GDPR, administrative fines can reach a maximum of 20M € or as much as 4% of a company’s global annual turnover.

Every financial institution that processes personal data will need a legal basis to proceed with data processing. Processing shall be lawful only if and to the extent that at least one of the following applies:

Generally, financial institutions will process personal data to fulfill their obligations under a contract with the data subject, such as an account contract, a credit contract or an insurance policy, or to comply with a legal obligation. Provided that the processing is necessary for this purpose, no further legal basis is needed.

For processing operations that are not required for the performance of an agreement, institutions need another legitimate basis, such as the data subject’s “consent”. This consent must be “freely given, specific, informed and clear”. In particular, this requires the provision of adequate information about the right to consent. For this reason, institutions may not rely on broad terms and conditions or general permission statements; they will have to ask the individual for consent for each specific type of financial operation.

In addition, services must not be made conditional on consent unless the processing of the data is essential for the service. For financial institutions this means evaluating the legitimate basis of existing processing operations and verifying existing contracts, terms and conditions, notices and template agreements. For example, consent obtained previously may no longer be sufficient under the GDPR and may need to be obtained again.

One of the main principles of the GDPR is that controllers are accountable: they are responsible for compliance and must be able to demonstrate compliance. This includes new obligations to keep records of processing operations. Financial institutions are already subject to similar requirements under various national and European banking laws, but these should be verified to confirm that they satisfy the GDPR obligations.

Organizations should also ensure that their contracts and notices contain the information that must be communicated to the individual under the GDPR, and that this information is presented in a clear and transparent manner (transparency). A data protection officer (DPO) will have to be appointed where the core activities of an organization include large-scale processing or monitoring activities, which will apply to large financial institutions.

Companies must appoint a DPO if any of the following applies:

Financial institutions should also implement the necessary technical and organizational measures to provide timely and appropriate responses to data subject requests, based on the expanded rights under the GDPR. The ‘right to be forgotten’ allows an individual to request the deletion of their data where the data are no longer necessary for the purposes for which they were collected, or where there is no longer a legitimate basis for the processing, for example after the withdrawal of previously given consent.

The “data portability” right will enable individuals to request a machine-readable copy of the personal data stored by a service provider, provided that the processing is based on the data subject’s consent or on the performance of a contract. Individuals may also request that the data be transferred directly from one provider to another where technically feasible.

The Data Protection Impact Assessments envisaged for processing that is likely to be “high risk” will become mandatory for financial institutions, as they process large amounts of confidential customer data. In cases where the processing is likely to result in a high risk, the supervisory authority should be consulted prior to processing.

Automated decision making based on profiling is strictly regulated under the GDPR. It is permitted, however, when the data subject explicitly consents, or when it is necessary for entering into or performing a contract.

Where such decision making is based on the data subject’s consent or is necessary for a contract to be entered into or performed, the GDPR will require financial institutions to implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right to human intervention. The data subject should also be allowed to express his or her point of view and to appeal the decision to the court.

Data transfers outside the European Economic Area will generally be prohibited unless legitimated by an adequacy decision for the target country or by another recognized safeguard. In the absence of such a decision, organizations can continue to rely on binding corporate rules or on standard contractual clauses (EU Model Clauses). The newly established EU-US Privacy Shield does not cover financial institutions. This matters when working with US group companies or third-party service providers in the United States.

The GDPR introduces a new possibility: approved codes of conduct and approved certification mechanisms that may be developed for the financial sector.

Such codes of conduct and certifications can serve to demonstrate compliance, both with the GDPR in general and for international data transfers.

Unless the breach is unlikely “to expose a risk to the rights and freedoms of the individual”, it will become mandatory to notify the supervisory authority of a data breach “without delay”. If the breach is likely to create a “high risk to rights and freedoms” for natural persons, then the affected individuals must also be informed. Financial institutions should align these obligations with their other data breach notification duties.

For this reason, it is very important to take appropriate technical and organizational measures to detect, handle and report a breach.

Above, we covered the main areas that the GDPR will change for finance companies. How do you get ready for the GDPR?

How quickly can you identify all the data items held about a particular person in your organization? Doing this not only ensures that you meet the relevant requirements under the GDPR, but also allows you to unlock the true value of the data assets you hold.

A Data Protection Officer (DPO) must be appointed to take part in senior decision making, act as the point of contact for regulators, maintain adequate privacy awareness in your organization, monitor compliance with the GDPR, and improve privacy and data protection.

Data protection has become a market differentiator. Customers expect their personal data to be managed confidently by the organizations they share it with. Transparency between you and the customer is the key.

In fact, transparency is one of the most important goals of the GDPR. The more transparently you communicate and interact with your users, the more your customer relationships and sales will improve.

Beyond transparency, emphasize trust, which is another of the GDPR’s key concepts, and pay attention to what you can do in this regard.

What are the risks of processing personal data? These may be organizational risks or technical risks. Which external forces could disrupt your business, and does your cyber security strategy allow you to react to them?

You must maintain your awareness of legal developments at home and abroad in the constantly changing privacy landscape and reflect them in your business plans and strategies. These should cover every part of the global organization that processes personal data from the EU.

Under the GDPR, the individual is entitled to know all the ways in which you use their personal data, for what purpose you use it, and what you intend to do with it. The rules on consent are becoming increasingly strict, and individuals can withdraw their consent at any time.

Are you using data collected for one purpose for something else? Do you need to educate your staff about data limitations? How are you going to monitor this? Organizations should only collect and process the personal data they legitimately need for the purposes they describe. You will find that you can reduce the overall risk for your organization by carefully purging the data that you do not need or whose purpose has expired.

Most financial institutions share data with third parties. These can be customers, suppliers, regulators or partners. You must understand and manage the risks involved in transferring data to third parties and ensure that your data is adequately protected by the parties you share it with.

Before taking further action on your data, learn how your data is handled and build your own contextual understanding of it.

You should have a clear understanding of where your data is and what you need in order to access it. What are the basic data sources? How do you manage the risk of duplicated, erroneous and outdated data that should have been erased?

It is important to adopt an organization-wide approach by factoring data protection and privacy management into your overall protection strategy. You should understand the inherent risks, opportunities and priorities for your establishment.

The GDPR does not consist only of a few measures and elements carried over from national regulations; it will take effect as a fully operative framework at the level of the Union and partly at the national level. For this reason, take care to understand the GDPR correctly.

Financial institutions should take steps now to ensure that they are able to comply with the new requirements of the GDPR. This should help such organizations to build and maintain the trust and confidence of their customers, business partners and other individuals whose personal data they collect and process, and to avoid breaches of the relevant data protection rules.

— Orhan Bayram, Growth at Countly
