30 Apr 2018

Does the GDPR conflict with banking regulation?

As the 25 May 2018 implementation date for the General Data Protection Regulation (GDPR) fast approaches, businesses across Europe will be turning their thoughts to the practicalities of operating under the new regime.

For banks, effective data management is essential to providing an efficient and secure service to corporate and institutional clients, so being well prepared for the GDPR is a crucial consideration. This is especially so because banks are already subject to many different pieces of financial regulation and guidance: not only is the GDPR a sizeable additional regulation to consider in its own right, it also has the potential to clash with those existing rules.

Banks regularly need to respond to requests from financial regulators and law enforcement, which often requires them to obtain, analyse and retain large amounts of personal data. The need to respond to such requests creates an obvious potential for conflict with the GDPR, whose data minimisation principle requires that processing be limited to what is necessary for the purpose.

While the GDPR anticipates this conflict and establishes several lawful bases for processing, the position will not always be clear-cut.

“Legal obligation” to process data

A key requirement under the GDPR is to establish a lawful basis for any processing of personal data. One of the lawful bases (Article 6(1)(c), the “Legal Obligation Basis”) applies where processing is “necessary for compliance with a legal obligation to which the controller is subject”.

This will allow firms to continue processing personal data where necessary for compliance with EU financial regulation such as the Fourth Anti-Money Laundering Directive, the Market Abuse Regulation, the Markets in Financial Instruments Directive and the Second Payment Services Directive. Note that the GDPR requires the obligation to be laid down in EU or Member State law, so for a directive the relevant obligation is the one imposed by the national implementing legislation.

Banks will need to be satisfied that the processing is necessary for compliance, and be able to demonstrate that they assessed this before the processing began. But generally, where compliance with EU regulation is concerned, the position is relatively straightforward.

Data processing without a “legal obligation”

But while the Legal Obligation Basis solves the problem in many cases, it does not address every situation, because it can be difficult to establish that processing is necessary for compliance with a legal obligation, as opposed to being, for example, merely good practice.

In particular, it doesn’t address situations where processing is necessary for:

(1) Compliance with guidance from regulatory authorities

(2) Compliance with a non-EU legal obligation

(3) Regulatory cooperation with financial conduct regulators and law enforcement (where not mandated by EU law)

(4) Protection, e.g. protecting the firm against legal claims, or protecting the firm, customers and others against fraud and other crimes

Banks will be well aware that items 1 to 3, at least, are not optional in practice. So they face being caught between breaching the GDPR and failing to comply with other important obligations. In these cases, firms will need to establish another lawful basis for processing.

Weighing up whether it is lawful to process data

The GDPR (Article 6(1)(f)) provides that processing is lawful where it is necessary for the purposes of a “legitimate interest” pursued by the controller or a third party. Legitimate interest will cover many scenarios where firms have wider obligations which could otherwise put them at odds with the GDPR. However, legitimate interest is qualified: the Regulation states that it does not apply where the controller’s interests are “overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”.

This means that if banks are to rely on legitimate interest they must first conduct a balancing test between their interests (or those of any third party to whom the data are disclosed) and the interests and rights of the data subject.

Regulatory guidance on legitimate interest states that the assessment is not as straightforward as merely weighing two easily quantifiable and comparable weights against each other. Rather, banks must consider a number of factors, including the context of the processing, the nature of the data and the reasonable expectations of the data subject.

Public interest may also be a helpful justification. If, for example, a bank could show that processing is for the purposes of preventing and detecting financial crime, or for protection against other crimes, this could be categorised as processing in the public interest. The GDPR’s recitals also recognise that processing strictly necessary for the prevention of fraud constitutes a legitimate interest, which supports the analysis above.

Banks should deal with each scenario on a case-by-case basis, and will need to document that a legitimate interest exists and that the balancing test is met on each occasion.

Banks can continue to meet their regulatory obligations

As has been made clear, banks should be able to continue processing data and meeting their wider obligations to regulators in the majority of circumstances, provided they follow the procedures outlined above. But it is important to remember that these procedures are not trivial, so firms will need to dedicate the time and resources required to carry them out.