Europe’s Finance Sector Privacy Maze

Financial institutions serving European customers face a complex web of EU and national data protection laws.

General Data Protection Regulation (GDPR)

The GDPR is the bedrock of data protection compliance in the EU. It sets out key principles of lawfulness, fairness and transparency in data processing. Financial firms must have legitimate, documented grounds for their data activities, limit collection to what is necessary for the stated purposes, and provide people (or, in GDPR parlance, “data subjects”) with clear notices explaining how their data is processed and what rights they have. Mandatory data protection impact assessments must precede high-risk activities. The GDPR also tightened the requirements for explicit consent and requires breaches to be reported within 72 hours. Non-compliance can trigger administrative fines of up to €20 million or 4% of global annual turnover.

Revised Payment Services Directive (PSD2)

While primarily focused on open banking and payment services reform, PSD2 also contains specific data protection stipulations for payment data. Providers must implement appropriate security measures, such as multi-factor authentication, and maintain dedicated data breach response procedures. Outsourced providers also face due diligence requirements.

E-Privacy Regulation

This legislation covers the privacy of electronic communications data across messaging, email and other media. Financial services firms must adhere to confidentiality safeguards for information contained in, or accessed through, customer communications. Strict consent rules also apply to metadata, cookies and direct marketing messages sent through digital channels.

Anti-Money Laundering Directives

Financial watchdogs require extensive processing of personal data to meet the EU's anti-money laundering and counter-terrorism monitoring rules. However, the GDPR principles of data minimisation and storage limitation still apply when processing for AML purposes. Data protection authorities have warned firms not to retain information indefinitely merely for speculative monitoring.

Emerging Regulations

Sector-specific regulations also continue to emerge at EU and national levels. Examples include EU investment services rules such as MiFIR and national laws on the protection of payment data. The European Banking Authority recently issued recommendations on remote customer onboarding and authentication. Meanwhile, Eurozone regulators are eyeing rules to promote cross-border data flows after Brexit.

Compliance Burden Increasing

Organizations seeking to offer financial services in Europe must integrate this patchwork of overlapping regulations into their data governance frameworks. Requirements span security rules under PSD2, transparency standards under the GDPR, restrictions on marketing communications, due diligence on outsourced data processing, and new recommendations from transnational authorities. The compliance burden continues to grow in both scope and complexity.

Waltzer Consulting provides both secondments and advisory services to help any organization subject to these rules meet its privacy compliance obligations.
