In May 2018, a new data regulation will come into force. Although the General Data Protection Regulation, or GDPR, is a European initiative, it can affect businesses all over the world, including the likes of Facebook and Google, as well as FinTech companies.
GDPR has been designed to meet the following three goals:
· Bring data protection legislation in line with the way data is being used today
· Give individuals in the European Union (EU) more control over how their personal data is accessed, communicated, and stored
· Create a simpler, clearer legal environment in which businesses can operate, with the same data protection law throughout the single European market.
The EU estimates that the additional simplicity and clarity of GDPR will save businesses 2.3 billion euros per year. On the other hand, the regulation provides for hefty fines of up to 20 million euros (about $22 million) or 4% of global annual revenues for non-compliance, depending on the nature of the transgression.
Many FinTech companies working within the large and lucrative economic space of the EU could find GDPR compliance a challenge for at least two major reasons:
· They collect extensive personal data about their clients, whether to tailor offers to customer needs or for other legitimate reasons such as fraud prevention
· They entrust the processing of the collected data to a third-party processor, for which the FinTech “collector” then also bears a level of responsibility for GDPR compliance.
It makes no difference if a FinTech firm is US-based: if it is targeting consumers in the EU, or offering paid or free services to EU citizens, then GDPR applies. And although the UK is in the process of leaving the European Union, even FinTech companies targeting only UK residents will still be affected: first, because GDPR comes into force while the UK is still negotiating its exit; and second, because the UK is then likely to put GDPR-style rules in place itself, both for data protection and to harmonize with the continental European version.
Among other things, each enterprise operating in the EU or collecting data from EU citizens will need to ensure:
· Proper consent (opt-in, not opt-out or passive consent) is obtained from EU citizens for use of their personal data
· Personal data is processed lawfully and transparently, then deleted when there is no further need for it
· Personal information is stored in commonly used formats like CSV, to facilitate transfer of a person’s information if the person requests it
· All forms of personal data are protected, including for example IP addresses and possibly also pseudonymized data
· Individuals can exercise their “right to be forgotten”, i.e. insist on their personal data being deleted
· Accountability, in the case of a breach: the ability to prove compliance in terms of access protection, data processing security, and prompt reporting of breaches (within 72 hours at most).
The deadline to be ready for GDPR enforcement is May 25, 2018, following the initial enactment of the regulation on May 24, 2016. In other words, almost half the breathing space has already gone. To help FinTech companies and others, Mi3 Security has already built GDPR compliance checking into its app analysis solutions, helping businesses stay on the right side of GDPR as they develop apps for internal and external use. Compliance or non-compliance is determined rapidly and reliably, an essential advantage with the compliance deadline so close and the consequences of infringement so severe.