In the last 25 years, technology in general, and the internet in particular, has unimaginably altered our way of living. After four long years of controversy, and push and pull, on April 14, 2016, the EU parliament finally approved the landmark General Data Protection Regulation (GDPR). GDPR was introduced to replace the Data Protection Directive 95/46/EC and integrate data protection laws throughout Europe, allowing non-European organizations to adhere to these laws. GDPR will be effective from May 2018.
The Principles of GDPR
The concept of GDPR was initiated because the internet has fundamentally changed how businesses interact with personal information. Data is the new oil, and internet companies were harvesting user data to make billions in profits. European Union legislators felt they had to do something to protect consumer information.
GDPR provides individuals with some basic rights while strengthening existing ones under the current Data Protection Act.
The right to be informed
The right to be informed requires that the information provided about the processing of personal data be precise, transparent, and easily accessible, and written in easy-to-understand language.
The right to access
With the right to access, the person has the right to request access to his own personal data to check how it is being used by the processing units.
The right to rectification
In case the user’s personal data is incomplete or inaccurate, he has the right to get the misinformation rectified.
The right to erasure
The right to erasure, or ‘right to be forgotten’, gives a person the right to have procedures in place to delete any personal data that is unnecessary or no longer useful.
The right to restrict processing
The individual gets the right to block or stop the processing of personal data in situations where the data provided is inaccurate, or where the individual feels that the processing is unlawful.
The right to data portability
The right to portability allows individuals to receive and reuse personal data in other services for their own purposes. Individuals can even copy, move, and forward data from one processing organization to another directly.
The right to object
Under the right to object, the individual can object to the processing of his personal data whenever he wants. Once this objection is received, the processing organization must stop processing data immediately.
Rights related to automated decision making and profiling
Individuals also have the right not to be subject to decisions based on automated processing (this includes online credit applications, e-evaluation of performance without human intervention, and more).
The Impact of GDPR on Fintech Lenders
The EU estimates that additional simplicity and clarity of GDPR will save businesses 2.3 billion euros per year. On the other hand, the regulation provides for hefty fines of up to 20 million euros (about $22 million) or 4% of global annual revenues for non-compliance, depending on the nature of the transgression. By May 2018, GDPR will adversely affect businesses, including the likes of Google and Facebook, and it impacts fintech companies, too.
One of the key challenges for the alternative lending industry is to ensure that organizational data gathering and processing methods comply with GDPR’s set of rules. Most fintech companies working in the wide economic space of the EU find GDPR a challenge. The major reason could be that players were gathering the personal data of users and using it for purposes not defined under the terms of agreement. The law means alternative lenders and other fintechs will need to make some changes in how they collect, organize, and process personal data.
GDPR will impact the movement of data between the EU and the UK, and between the EU and third-world countries. It will also affect fintech companies in the following areas:
As per GDPR, personal data is information which can identify an individual. This includes his name, email address, social media accounts, etc. GDPR makes it compulsory for firms to gain consent from individuals for the personal data gathered. Users get to know what data firms hold on them.
Also, firms need to clearly define the purpose for which the data is gathered and pursue further consent if the firm wishes to share the data with third parties.
Outcomes of a breach
Earlier, in case of a breach, firms had their own protocols to work with. With the introduction of GDPR, a personal data breach must be reported directly to the supervisory authority within 72 hours.
IT systems are the backbone of the financial sector, and user data regularly flows through various IT applications. As GDPR governs user personal data, companies must understand the data flows across their systems. Outsourcing development means that the data can be accessed by external vendors, increasing the data’s net exposure. So, vendors will not be able to disassociate themselves from the obligations that attach to data access.
Under GDPR, data is pseudonymised into artificial identifiers in order to protect the personal nature of that data. This ensures that data access remains within ‘need-to-know’ obligations. Because of this requirement, alternative lenders have to build their systems around the concept of ‘Privacy by Design’.
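To make the pseudonymisation and ‘need-to-know’ point concrete, here is an added illustration (it is not code from the article or from any lender’s systems). The `PseudonymService`, the field names and the `SAMPLE_LOAN_APPLICATIONS` records are all constructed for this example. Direct identifiers (name, email, social media handle) are replaced with keyed HMAC-SHA256 tokens: the same identifier always maps to the same token, so an analytics team can still join records, but without the key and the separately held vault nobody downstream can recover who the token refers to.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Fields the article lists as personal data (constructed field names).
DIRECT_IDENTIFIERS = ("name", "email", "twitter")

# Constructed sample input: two applications from the same person plus one
# from someone else, so the joinability of tokens can be demonstrated.
SAMPLE_LOAN_APPLICATIONS = [
    {"id": 1, "name": "Ada Example", "email": "Ada@example.test",
     "twitter": "@ada_example", "amount": 5000, "score": 710},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.test",
     "twitter": None, "amount": 12000, "score": 655},
    {"id": 3, "name": "Ada Example", "email": "ada@example.test",
     "twitter": "@ada_example", "amount": 2500, "score": 715},
]


class PseudonymService:
    """The single 'need-to-know' component.

    It holds the HMAC key and the token -> original value vault. Every other
    system receives only the pseudonymised records and cannot re-identify
    anyone on its own.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 16:
            raise ValueError("key too short for a pseudonymisation secret")
        self._key = key
        self._vault: Dict[str, str] = {}

    @staticmethod
    def _normalise(value: str) -> bytes:
        # Case/whitespace differences in an identifier should not yield
        # different tokens, otherwise records for one person would not join.
        return value.strip().lower().encode("utf-8")

    def tokenise(self, value: str) -> str:
        # Keyed hash: deterministic, but not recomputable without the key,
        # so a plain dictionary of likely emails cannot be hashed to match.
        token = hmac.new(self._key, self._normalise(value),
                         hashlib.sha256).hexdigest()
        self._vault[token] = value
        return token

    def pseudonymise(self, record: dict,
                     fields: Iterable[str] = DIRECT_IDENTIFIERS) -> dict:
        # Return a copy; non-identifying fields (amount, score) are untouched.
        out = dict(record)
        for field in fields:
            if out.get(field) is not None:
                out[field] = self.tokenise(str(out[field]))
        return out

    def reidentify(self, token: str) -> Optional[str]:
        # Only the vault holder can do this; others get None.
        return self._vault.get(token)


def build_analytics_view(service: PseudonymService,
                         records: List[dict]) -> List[dict]:
    """What a downstream analytics or vendor team would receive."""
    return [service.pseudonymise(r) for r in records]


if __name__ == "__main__":
    # A real deployment would keep this key in an HSM or secrets manager.
    svc = PseudonymService(secrets.token_bytes(32))
    view = build_analytics_view(svc, SAMPLE_LOAN_APPLICATIONS)
    for row in view:
        print(row)
    # Records 1 and 3 carry the same token, so they still join on "email".
    print("joinable:", view[0]["email"] == view[2]["email"])
```

The design choice worth noting is the separation of duties: the key and the vault live in one component, and the pseudonymised view is what leaves it. A plain unkeyed SHA-256 of an email address would not achieve this, because anyone with a list of candidate addresses could hash them and match, which is why the token is keyed.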
GDPR is a challenge, but it can become a moat for alternative lenders who are able to integrate GDPR-compliant data collection systems. Staying on the right side of the law while still being able to leverage data will be a very thin plank to walk, but alternative lenders who execute this balancing act will create a competitive advantage.
Written by Heena Dhir.