FinTech companies can’t overlook their responsibilities under the GDPR umbrella

FinTech Companies can’t Overlook their Responsibilities Under the GDPR Umbrella


The year 2018 has been all about changes for the European Union, especially when one talks about the data privacy and data storage reforms. European General Data Protection Regulation—better known by its acronym, GDPR has been rolled out, and FinTech companies with their bases in the European Union are struggling to ensure that they remain compliant to the guidelines of the GDPR. With so many talks of GDPR compliance and data storage, the facts which emerge are, “What is GDPR all about, and why is it so important for your business?”

What is GDPR all about?

GDPR is a legal structure, which authorizes businesses to protect the personal records, data along with the privacy of the European Union citizens. The transactions that occur within the EU member states are the only ones which fall under the jurisdiction of the GDPR policies. When it comes to protecting the privacy of the citizen’s personal data, all banks, insurance companies, agencies and financial institutions operating within the EU comes into the purview of the GDPR rule.

Overall, the GDPR was born in April 2016, as an act to replace the running Data Protection Directive, which was enacted back in 1995. While the data limits might seem limited to the EU citizens only, but it has not stopped the users all over the world to take notice of how their data is stored and used by companies all over the world.

The whole set of GDPR policies rest broadly on the earlier directives of the Privacy Shield and Data Protection Directive. Nevertheless, its basis is formed by two crucial factors, which include the following:

  1. The GDPR is setting a higher bar with respect to the maintenance of personal data. The moment any company collects any EU citizen’s data, the company is automatically required to obtain implicit and explicit permissions from the concerned people in question. At the same time, the concerned users need a method through which the permissions to store and use the data can be revoked. This policy has been strengthened manifold, with the introduction of the new GDPR law.
  2. With the introduction of the GDPR rule, the penalties are severe, and have definitely caught the attention of the companies, all over the world. Right from the top conglomerates like Google, Facebook, Amazon, to the lower level companies, everyone has begun to take notice of these penalties, for obvious reasons. As of now, the maximum limit of the fine has been set at 4% of a company’s global turnover for a particular year, or €20 million, whichever is higher. If companies lacked the motivation to comply with the laws and regulations of the GDPR before, the penalties are definitely enough to make them toe the line with these new policies.

Impact of the GDPR laws on FinTech companies within the EU region

Now that we have discussed what the GDPR is all about, let’s talk about the impact of these new policies on Fintech companies and what segments they need to focus on.

  • Customer consent: Personal data, as noted in the GDPR policies, refers to any type of information, which can be used to identify an individual. These pieces of vital information include the person’s name, email/IP address, any social media profiles or even their social security numbers. By requesting consent from the users, the targeted individuals are made aware of the type of information being held by the companies, and what are the identifiers within the company’s systems. The end result is to let the customers retain the exclusive rights over their own data.
  • Right to erase own data, and the right to be forgotten: Earlier, individuals within the EU zone, did not have the right to have their data erased from the company’s databases. Through GDPR, every EU citizen has been empowered with the right to data privacy. Individuals can request their data to be erased from all public and private databases, which is covered under the right of Data Portability. Financial institutions have been allowed to keep a part of this data to remain compliant with certain regulations; however, without proper justification, no part of the data can be stored. Any data, which is not accounted for, can and will attract heavy penalties.
  • Breach handling: Earlier firms had the option to create their own protocols to handle data breaches. However, with the rollout of the GDPR, data protection officers or DPOs are required to report any data breaches to the supervisory authority of personal data. This needs to be carried out within a maximum span of 72 hours from the time of breach. The notifications should contain all relevant details of the breach and the list of individuals impacted by the breach. The impacted people also need to be informed of the data breach within 72 hours. Failure to do these can make the impacted companies liable for fines and other penalties.
  • Vendor management: Financial firms rely on their IT systems to function smoothly. Given the level of outsourcing within the corporate world these days, it is safe to assume that vendors have access to the personal data, as much as the company’s management. Keeping this thought in mind, it is necessary for vendors to remain covered by the GDPR’s rules and policies around data processing, and everyone should be governed by these rules for maximum effect.
  • Sanctions: The fines for breaches can’t be overlooked; companies which don’t comply with the policies will be faced with higher sanctions; those found guilty will be fined €20 million or 4 per cent of their overall global turnover. The minor fines have been limited to 2 percent of the overall global turnover for the year. However, despite the implications of these fines, these sanctions form an integral part of the GDPR statutes and each policy should be upheld for maximum adherence.

When it comes to GDPR, there has been a lot of traction around the guidelines over the past few months. As most companies scramble to get their resources and data management policies in place, there is a lot of effort being put in to ensure maximum adherence with the rules and regulations laid down by the GDPR directives.

About Author:  

Mohammed Akheel  is a regular contributor on the subject of Data Quality, Fintech, KYC, AML and Fraud. With 10 years of international marketing communications experience, I now work for Melissa as a Digital Marketing Specialist. Melissa has specialized in global intelligence solutions to help organizations unlock accurate data for a more compelling customer view. For more information on eKYC and AML please visit