Labyrinth IT Blog

What Does GDPR Mean for Financial Services?

The General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018, replacing the current Data Protection Directive. Given the transformation in the way that information is processed and the value that data now holds, many argue that stricter regulation is long overdue.

A vast amount of personal data is processed by financial organisations and third-party processors. Much of this information is confidential and sensitive. Thus, there are increased risks and there is a high probability that supervisory authorities will initially focus on this sector.

Supervisory authorities will be given new rights to audit and impose fines of up to €20m or 4 percent of the company’s global annual turnover (whichever is higher).

We have seen a lot of scaremongering around this topic and see it as our responsibility to help break down the requirements, understand the data your hold and ensure you have the infrastructure in place to comply.

Legitimate Processing

Firstly, you need legitimate grounds for processing all personal data, which can be anything from an email address to an individuals’ financial information.

Legitimate processing is defined in Article 6 of the GDPR as:

Processing carried out with consent from the data subject
Processing required for the performance of a contract with the data subject
Processing required due to legal obligations, or tasks carried out in the public interest
Processing which is necessary for the purposes of legitimate interests of the controller or another third party, providing they do not contradict the fundamental rights of the data subject
Financial organisations commonly process personal data to meet obligations of a contract or because of legal obligation. If the processing is required for this purpose, no further consent is necessary. All other processing will require legitimate grounds for processing, such as consent from the data subject. The data subject must be provided adequate information on the processing activities and will have the right to withdraw consent.

Consent must be given for each processing activity. This will see the end of broad terms and conditions or blanket consent declarations. In addition, services must not be made conditional to consent, unless the processing of the data is essential for the service.

As a financial organisation, you will need to evaluate the legitimate basis for your data processing activities. You will need to review existing terms and conditions, contracts and agreements. You will also need to determine whether consent will be required under the GDPR, even if consent has been given in the past.


Data controllers are responsible for ensuring they are compliant and must be able to demonstrate this. Data controllers should maintain the following documentation as a minimum:

Data processing policies
Information asset registers
Data security policies
It is also vital to ensure information communicated under the GDPR within contracts, privacy policies and notices are clear.

Organisations must consider whether they need to appoint a data protection office (DPO), particularly those who undertake large scale processing activities. The role of the DPO is defined in the GDPR.

Data Subjects Now Hold More Power

Data subjects now have “the right to be forgotten”, which means they can request removal of their data from organisations who no longer have a legitimate reason for processing (e.g. due to withdrawal of consent). Data requests must also be responded to in an “adequate and timely fashion”.

Data Protection Impact Assessments

Data protection impact assessments will be essential to financial organisations due to the large volume of confidential data they process. The supervisory authority must be consulted prior to processing where processing is likely to result in a high risk.

Data Breach Notifications

The GDPR defines that data breaches must be reported to the ICO (information commissioner’s office) and effected individuals within 72 hours of discovery.

Organisations must have the appropriate processes in place for dealing with breaches.

Data transfers

The EU-US Privacy Shield does not cover financial organisations. Data transfers outside of the European Economic Area will largely remain forbidden in most cases.


The GDPR will have a big impact on the way that data is processed, not only by financial institutions but by all European businesses, it is not being taken lightly, this is reflected in the fines for non-compliance.

Whilst there may be some work & training required to become compliant, overall the new regulations should not have too much of an impact on the day to day running of your business.

Your IT infrastructure will have a large role to play in ensuring compliance and it is important to have an IT partner you feel you can trust.

About Labyrinth

Labyrinth believe that you shouldn’t have to be an IT expert to run your business. We provide an outsourced service that will help you save time and stay ahead of your competition.

We understand how disrupting IT problems can be. In our 16 years of experience we have worked with many SME clients as their trusted IT partner, providing ongoing support, advice and consultation.

Our promise to you:

Our service is a monthly rolling agreement, we will never make you sign a long contract
Our approachable staff will use plain English and not confuse you with technical jargon
We guarantee to respond within an agreed timeframe
We will never oversell and will always work on the principle of ‘best advice’
Get in touch:

We are always happy to have a chat about your IT infrastructure!

Leave a Reply