GDPR: the banking sector must improve its compliance

The protection of personal data concerns all companies… particularly banks

GDPR: this acronym, now in everyday language, materialized the will of the Commission and the European Parliament to strengthen the protection of information allowing the identification of natural persons (personal data) and to regulate their use by companies within the union.

As a reminder, this regulation reinforces the requirements in terms of personal data management: collection, recording, conservation, adaptation, modification, extraction, consultation, use, communication ... It also aims to "ensure that individuals have better control on their personal data and that this data is processed for a legitimate purpose, within a legal, equitable and transparent manner ”.

As part of their activities, banks process a large number of personal data (name, photo, telephone number, postal address, login details, etc.), as well as sensitive data such as the amount of income, assets, civil status, etc. These actors are therefore particularly exposed in terms of data protection.

GDPR compliance projects started on time, but they are struggling to be completed...

In order to comply with GDPR which was enforced in May 2018, French banks have initiated projects with substantial budgets, “tens of millions of euros” announced by Société Générale.

The "base of GDPR principles" is already in place in most establishments:

• appointment of a Data Protection Officer (DPO),
• development of data governance in order to supervise their collection and use,
• setting up of processes to allow the exercise of the rights of the data subjects (right of access, portability, rectification and forgetting) and to guarantee compliance with the notification conditions in the event of a personal data breach (notification to the National Commission for Informatics and Liberties - CNIL - within a maximum period of 72 hours, notification to the persons concerned as soon as possible in the event of high risk),
• employee awareness (training, provision of documents on the Intranet, etc.),
• update of legal notices and privacy policies.

However, progress still needs to be made on various topics:

• the inventory of treatments is not exhaustive: the registers have been created but in a piecemeal fashion, some activities are not covered and the level of precision is variable. In addition, for more than 2/3 of the banking / insurance players, the register is kept in Excel.
• the updating of contracts or the formalization of amendments with customers and service providers, to include GDPR clauses,  is far from being finalized.
• updating customer data on an ongoing basis, purging electronic data and destroying paper files remain very difficult to achieve.

3 years after its entry into force, the results of the GDPR within financial institutions are therefore mixed. This delay in compliance could be explained by various reasons:

• the high volume of data used,
• the diffuse nature of the use of personal data: presence of data in many tools as well as on paper,
• stacking GDPR requirements with other regulations, particularly in terms of archiving and retention,
• the global nature of the impacts of the GDPR, which requires carrying out several related projects. To illustrate: data security, customer communication, conditions of use of data collected by a channel / department and used by others (in particular for commercial prospecting, the design of new products, etc.).

... while new requirements are added to the GDPR constraints ...

In addition to the GDPR, the protection of personal data and the consent of French website users are also governed by the Data Protection Act (law n.78-17 of 6 January 1978). This law, updated in June 2018 to ensure consistency with the GDPR, transposes the ePrivacy directive into French law, which mainly deals with cookies, the retention of digital data and unsolicited e-mails.

On September 17, 2020, the CNIL adopted new guidelines and a recommendation which specify the applicable rules for the processing of data from French Internet users (management of cookies and other types of tracers).

Thus, "the automatic deposit of marketing cookies without the prior collection of the consent of the person is no longer acceptable", or even "the consent of the person can only be valid if it is accompanied by information presented efficiently and succinctly, in order to avoid overwhelming the information to be delivered among other informative content of several dozen pages  ”. The leniency period granted by the CNIL to comply ended on March 31, 2021.

… And that the penalties can be severe.

The penalties for non-compliance with the GDPR can amount to 4% of global annual turnover or 20 million euros in fines. At the end of 2020, the CNIL sanctioned a bank up to € 800,000 for several breaches: non-consent of customers, excessive retention of customer data as part of the loyalty program, non-response to requests from customers to obtain their personal data, Unwanted SMS in prospecting, ...

*

Finalizing GDPR compliance and setting up a sustainable system are still challenges for banks. In this context, Akeance Consulting is a privileged partner for its expertise in compliance diagnosis, project recovery and / or delegated project management.