The EU General Data Protection Regulation (GDPR) is designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the countries approach data privacy.
The FAQs below are the result of the work carried out during the DBFI Workshops focusing on GDPR related issues with the support of Open Reply and the National Commission for Data Protection (CNPD).
1. What’s changed with GDPR
As the fated May 25th 2018 draws near, the regulatory framework is beginning to stir and evolve in preparation for the General Data Protection Regulation or the “GDPR”.
Here are some of the key changes that the GDPR will bring in its wake:
- Greater harmonization of rules across the EU
- Extension of the regime to regulate processors as well as controllers
- Recognition of pseudonimisation as a data protection enhancing technique
- Extra-territorial reach for controllers and processors
- Introduction of the accountability principle alongside existing data protection principles
- Stricter conditions for obtaining consent
- Redefined data subject’s rights
- Increase in transparency
- Data Security and mandatory breach notification
- Restructured means of International Data Transfers
2. Personal data
What is personal data?
Personal data is any information relating to an identified or identifiable individual, whether it relates to his or her private, professional or public life. An identifiable individual is one who can be identified either directly or indirectly, for example, through the use of an identifier, such as an identification number. Personal data therefore covers a lot of information and can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
Specific examples include:
- ID card
- Image of ID document
- KYC identifiers
- Domicile address
- Secondary residence address
- Postal address (may differ from domicile or secondary residence addresses)
- Nationality (sometimes double nationality)
- Marital status
- Profession information: job title, cadre level, fiscal (tax) status
- Business cards
- Account number
- Biometrics: flag online identifiers: fingerprint, iris ID (never stored on bank servers)
- Email addresses
Is an account number considered personal data?
Are employees considered data subjects?
Yes, employees fall within the scope of the GDPR, because they are natural persons. As such, employee information is Personal Data.
Are professional email addresses considered personal data?
Yes, if the address can be traced back to a natural personal, e.g. where the first and last name are included in the email address, it is personal data. However, generic email addresses, such as “firstname.lastname@example.org” would not be considered as personal data.
What are some less obvious forms of personal data?
Personal data includes (non-exhaustive):
- Contact information
- Information collected from client: salary, assets, liabilities, expenses
- Family composition
- Health information for insurance information
- Amortization schedule, payment schedule
- Credit profiles
- MIFID profiles
- Filled-in questionnaires (including comment fields)
- IP address
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
Is information about the client that banks have collected on social networks considered “personal data”, even if the information is publicly accessible?
Yes, it is personal data – it’s like taking a phone number out of a phone book.
Is the interest rate of a loan personal data? What if the rate is preferential?
Yes, it is personal data. Such data can be subject to additional confidentiality requirements, such as professional secrecy obligations.
3. Protecting personal data
Which information should be protected?
All personal data, including pseudonymous data, regardless of the format or physical storage, must be protected. The obligation to protect personal data applies both to static as well as transactional data. The measures implemented to protect the personal data must be commensurate to the level of risk to the data subject. Data minimisation techniques must also be applied (ultimately, only the data that must be used should be used).
For sensitive personal data (i.e. data the processing of which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) and for the processing of data relating to criminal convictions and offences, a higher standard of security will be required.
If personal data has been anonymised (i.e. the personal data has been rendered anonymous in such a manner that the data subject is not or no longer identifiable, either directly or indirectly), the GDPR will no longer apply.
How can personal data be secured?
Security measures are not limited to technical measures, but also cover organisational measures to protect the personal data. The area in which the personal data is stored needs to be guarded safely with restricted access. Pseudonimisation and encryption of personal data, where implemented effectively, are considered sound security measures that could mitigate the risk to data subjects. Other technical tools may be implemented after a case-by-case analysis (e.g. DLP (Data Loss Protection) solutions or anonymisation techniques, including that of “noise addition”).
In general, a sound Data Protection Impact Assessment should guide data controllers in the identification of risks and the selection of appropriate security measures, which are commensurate to the risk to data subjects.
What are some practical data governance guidelines?
Some practical guidelines:
- Managing the data life-cycle.
- Could envisage the decryption to be temporary (destroy the decrypted data on the disk after a certain time-lapse).
- Provide for a clear role and clear responsibilities of the DPO to allow the DPO to effectively enforce data protection requirements, taking into account possible divergences with the roles and responsibilities of IT and Business Managers.
- Implement the three lines of defence model.
- Integrate data breach requirements in incident management procedures, including the involvement of the DPO and other key stakeholders.
- Integrate lessons learned from a data breach to prevent reoccurrences.
- Introduce a security event management tool to track relevant events (capture, change, delete).
- Anonymise data, where possible. Time stamp data movements and access to personal data.
- Introduce policy with regards to mobile phones in the workplace.
- Consider a mobile device management solution (e.g. ring fencing private from professional data). It should be kept in mind that professional data may also contain personal data.
- Safeguard the rights of employees when implementing physical security measures (for example, for computers, paper files).
- Keep in mind Guidance from Art 29 (monitoring in the workplace) – in particular with regards to new technologies, such as DLP and mitigation.
4. Lawful grounds for processing, including consent
When can a bank process personal data under the GDPR?
In order to process personal data, a bank must have a lawful ground for processing. This can be:
- Consent: The data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes.
- Performance of a contract: Data processing is necessary to perform a contract of which the data subject is a party, or to take steps at the request of the data subject prior to entering a contract.
- Legal obligation: Data processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital interests: Data processing is necessary to protect the vital interests of the data subject or of another natural person.
- Public interest: Data processing is necessary to perform a public interest task, or exercise official authority.
- Legitimate interests of the bank: Data processing is necessary for the purposes of the legitimate interests pursued by the data controller of by a third party and the fundamental rights and freedoms of the data subject do not prevail.
The processing of sensitive personal data (see above) and personal data relating to criminal convictions and offences are subject to specific requirements.
What is consent as defined by GDPR?
“Freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (article 4).
Please note that the Article 29 Working Party will publish guidelines on consent. The publication date is foreseen for December 2017.
What are consent requirements?
Consent must be:
- A ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes’ by ‘a statement or by a clear affirmative action’. ‘Silence, pre-ticked boxes or inactivity’ does not constitute consent; Genuinely optional and withdrawable. This means banks will need a process to manage requests to withdraw consent (What channels are available for a withdrawal of consent? How will the withdrawal be recorded and taken into account? What are the consequences of the withdrawal of the consent?)
- Consent is presumed to be invalid unless the individual is able to consent to ‘different personal data processing operations’ separately, where this is appropriate. This is beneficial for banks in the context of the withdrawal of the consent, as consent could be withdrawn for each specific processing activity.
Where consent is relied upon as the lawful ground for processing, the data controller must be able to demonstrate that the data subject has given consent to the processing. Consent is subject to further, separate conditions where the processing concerns the personal data of a child under the age of 16.
When will consent not be a valid processing ground?
The validity of consent must be assessed on a case-by-case basis for each processing activity. For example, “if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”, the consent will be presumed to not be freely given and would not valid (GDPR, recital 42). Also, consent is unlikely to be a valid processing ground, if there is a clear imbalance (and no free choice) between the data subject and the organisation.
Please keep in mind that this topic will be the subject of guidelines published by the Article 29 Working Party (foreseen for December 2017).
What are the consequences of processing data without a lawful ground for processing?
The sanctions for processing data without a lawful ground for processing, including relying on an invalid consent, are steep. Processing personal data without a valid processing ground could lead to significant financial penalties for the organisation: up to 4% of annual worldwide turnover or EUR 20 million, whichever is greater.
So, what does that mean for banks, and more generally for the financial sector?
Banks must ensure that they are clear about the lawful ground for processing that they rely on, and assess if these grounds are still valid under the GDPR. Processing of personal data by banks is usually performed after obtaining the consent of the data subject, or when the processing of the customer’s data is a necessary element in providing the service requested by the customer himself. Does it still work under the GDPR?
Furthermore, banks are subject to banking secrecy, and usually need to obtain consent to disclose customer information. In certain cases, banks must obtain a valid consent for the purposes of banking secrecy law, but that consent might not fully comply with the requirements of the GDPR. As such, it must be clear on which ground for processing the bank relies, and the bank must make a clear distinction between the consent required for the purposes of banking secrecy law and the lawful ground of processing (e.g. consent of the data subject, where this is relied upon).
Can banks rely on legitimate interests to process data?
“Legitimate interests” concern the legitimate interests of the bank in processing personal data. For example, the processing of personal data which is strictly necessary to prevent fraud may be a legitimate interest of the data controller. In any event, a case-by-case analysis has to be carried out to balance the legitimate interests of the bank with the interests or the rights of the data subjects. The processing cannot be only useful, it must be proven to be necessary. “Vital interests of the data subject or of another natural person” concern the natural person (e.g. a life threatening situation for the data subject) and can, in general, not be relied upon by banks.
How should prospect consent be dealt with for example, with an online simulation tool?
The same requirements as previously mentioned apply. Therefore, under GDPR, the consent must be: “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (article 4). If information is gathered, consent must be specified for the purpose of the data gathering and the consent must be freely given, specific, informed, and unambiguous. As such, the granularity of the consent needs to be specified as to which products it applies to such as: investment, credit, insurance products etc.
5. Data portability
When does the right to data portability apply?
For the right to data portability to apply, the processing must:
- Be based either on consent of the data subject or on a contract to which the data subject is party, and
- Be carried out by automated means.
In line with Opinion WP29, “The GDPR does not establish a general right to data portability for cases where the processing of personal data is not based on consent or contract. For example, there is no obligation for financial institutions to answer a data portability request concerning personal data processed as part of their obligations obligation [sic] to prevent and detect money laundering and other financial crimes”.
Which data falls within scope of the right to portability of personal data?
Opinion WP29: Inferred data and derived data are created by the data controller on the basis of the data “provided by the data subject”. This type of personal data does not fall within the scope of the right to data portability. For example, the outcome of an assessment regarding the health of a user or the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules). Even though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject (through his actions for example), this data will typically not be considered as “provided by the data subject” and thus will not be within scope of this new right.
Does observed data fall under the right of portability?
Observed data fall under the right of portability. These may include a data subject’s search history, traffic data and location data.
Which format does the data need to be in in order to be portable?
As the GDPR is technology neutral, a specific format has not been prescribed, but data controllers are encouraged to develop interoperable formats that enable data portability. According to the GDPR (Art 20(1)), the data must be in a structured, commonly used and machine-readable format.
Under the right to portability, how long must the personal data be available?
Portability does not interfere with retention periods and in no case can portability serve as a reason to keep data longer than needed. WP29: Data portability does not impose an obligation on the data controller to retain personal data for longer than is necessary or beyond any specified retention period.