GDPR: this acronym, now in everyday language, materialized the will of the Commission and the European Parliament to strengthen the protection of information allowing the identification of natural persons (personal data) and to regulate their use by companies within the union.
As a reminder, this regulation reinforces the requirements in terms of personal data management: collection, recording, conservation, adaptation, modification, extraction, consultation, use, communication … It also aims to “ensure that individuals have better control on their personal data and that this data is processed for a legitimate purpose, within a legal, equitable and transparent manner ”.
As part of their activities, banks process a large number of personal data (name, photo, telephone number, postal address, login details, etc.), as well as sensitive data such as the amount of income, assets, civil status, etc. These actors are therefore particularly exposed in terms of data protection.
In order to comply with GDPR which was enforced in May 2018, French banks have initiated projects with substantial budgets, “tens of millions of euros” announced by Société Générale.
The “base of GDPR principles” is already in place in most establishments:
However, progress still needs to be made on various topics:
3 years after its entry into force, the results of the GDPR within financial institutions are therefore mixed. This delay in compliance could be explained by various reasons:
In addition to the GDPR, the protection of personal data and the consent of French website users are also governed by the Data Protection Act (law n.78-17 of 6 January 1978). This law, updated in June 2018 to ensure consistency with the GDPR, transposes the ePrivacy directive into French law, which mainly deals with cookies, the retention of digital data and unsolicited e-mails.
On September 17, 2020, the CNIL adopted new guidelines and a recommendation which specify the applicable rules for the processing of data from French Internet users (management of cookies and other types of tracers).
Thus, “the automatic deposit of marketing cookies without the prior collection of the consent of the person is no longer acceptable“, or even “the consent of the person can only be valid if it is accompanied by information presented efficiently and succinctly, in order to avoid overwhelming the information to be delivered among other informative content of several dozen pages ”. The leniency period granted by the CNIL to comply ended on March 31, 2021.
The penalties for non-compliance with the GDPR can amount to 4% of global annual turnover or 20 million euros in fines. At the end of 2020, the CNIL sanctioned a bank up to € 800,000 for several breaches: non-consent of customers, excessive retention of customer data as part of the loyalty program, non-response to requests from customers to obtain their personal data, Unwanted SMS in prospecting, …
Finalizing GDPR compliance and setting up a sustainable system are still challenges for banks. In this context, Akeance Consulting is a privileged partner for its expertise in compliance diagnosis, project recovery and / or delegated project management.