GDPR Summary Part 2: How the GDPR Will Impact the Financial Industry

Restrictions in the GDPR will impact the finance industry

This is Part 2 of a series of articles about how the General Data Protection Regulation affects corporate innovation. In this article we will break down the impact the GDPR has on the financial industry and how enterprises, startups and financial institutions will be impacted by the regulation.

To recap what the GDPR is and what makes it significant, read Part 1 of the series here.

Since the 2008 recession and the rise of the FinTech industry, the financial space has changed drastically, with the most notable change being the increased reliance on digitization.

The growing need to transfer information digitally has challenged the way data is stored and has brought to light many issues concerning privacy – issues the General Data Protection Regulation (GDPR) is meant to address.

With the regulation going into effect in just a few months, many companies in the financial industry are going to have to change the way they protect and store consumer information, interact with third parties, communicate with their customers and approach security risks to ensure GDPR compliance.

Increased Scrutiny of Financial Companies

The primary goal of the GDPR is to give citizens control over their information, letting them choose how businesses use their information and in what capacity. This will particularly impact startups, enterprises and institutions in the financial space because they process large amounts of sensitive and confidential information on a daily basis.

Since financial institutions rely on data aggregation to assess risks, offer tailored solutions and relay important information to consumers, consumer data is often their most valuable asset. As a result, the type of data financial institutions need to compile is often highly sensitive and includes personal data that makes it possible to identify a person with relative ease.

Not only does this make financial institutions, enterprises and FinTech startups increasingly desired targets for hackers and at a heightened risk of exposing information, it also increases their risk of violating the GDPR. As a result, it is safe to say that GDPR regulators will likely be scrutinizing companies in the financial industry to ensure GDPR compliance.


What Data is Collected, Stored and Transferred?

In order to comply with the GDPR and protect their data, startups and enterprises in the financial industry must have a clear understanding of where their data is stored, how it is stored and who has access to the information at any given point.

Complying with the GDPR will impact services and collaborations in the financial industry such as aggregating information from a variety of third party sources to offer high quality services and solutions. The way information is stored, transferred and protected will therefore become increasingly important and financial institutions will need to ensure they collaborate with GDPR compliant companies.


The GDPR also decrees that companies only collect the minimum information needed in order to operate, and that justification for data collected may be requested.

Since many financial industry companies rely on big data to gain in-depth understanding of their consumers and their needs, operating on the minimum amount of information could challenge the customization and risk assessment capabilities of financial institutions.

The GDPR puts transferred data under increased scrutiny, and data transfers outside the European Economic Area are generally prohibited under the GDPR, limiting the way global financial companies interact with one another.

How Long Can Data be Stored?

In addition to impacting the way information is stored, the GDPR also challenges the length of time it can be stored for.

Since consumer data is perceived as being the most important element that needs to be protected under the GDPR, companies must be able to completely erase data at the request of the consumer. GDPR compliance also requires that personal information be stored for the minimal amount of time required.

The problem with that directive is that it contradicts the second Markets in Financial Instruments Directive (MiFID II) that is going to go into effect January 2018.

Under MiFID II, banks and financial institutions may be obligated to retain transactional information and communications for up to five years, a period that may exceed what the GDPR defines as the minimal amount of time required.

Reporting Breaches

Cyber crimes are increasing at an alarming rate, and financial institutions are at the highest risk of being targeted due to the nature and quality of the information they need to collect and store. The GDPR requires that startups, enterprises and financial institutions report breaches that put personal data at risk within 72 hours of becoming aware of the breach.

This requirement is demanding for financial institutions, which must both strengthen their security capabilities and potentially notify consumers of a breach before they fully understand its impact or have contained the risk.

Failure to comply with the breach reporting regulation could lead to fines of 10 million Euros or 2% of the company's global turnover.

How FinTech Companies Are Preparing for the GDPR

With just months left before the GDPR goes into effect, the clock is ticking for financial companies to figure out how they are going to comply.

To ensure that data is collected in accordance with the GDPR, companies will need to integrate and deploy systems that adhere to the limitations of the regulation. Many of these deployments will require time, complex integrations and IT development, and companies that have not yet begun implementing such changes may find themselves pressed for time.

With this in mind, many enterprises have turned to the startup community in the hopes that proofs-of-concept with software solutions that can comply with the GDPR will yield the innovation they need in the short time that they have.

Ultimately, compliance with the regulations set forth by the GDPR will not be easy. After the regulations go into effect next May, many companies will be exposed to penalties and potential reputational damage if found to be in violation of the regulation, making GDPR compliance an issue all financial industry companies must focus on — and quickly!
