Based on the EU directive published in 2016, all EU-based institutions and entrepreneurs are obliged (from May 2018) to store and process the personal data of their customers with the highest care, so that customers are protected against violations of their rights through free distribution of their personal data without their prior consent. The measure responds to the growing importance of data: in times of modern applications and web tools it has become increasingly dangerous how personal data can be misused in marketing, promotion and sales activities "tailored" to each person's needs. The customer is thereby protected against unwanted marketing attacks in which his/her own personal data could be used to create an offer that he/she would not be able to refuse (although he/she does not necessarily need such a product).
Content of GDPR Regulation:
Article 4.11 – Consent Definitions
Article 6 – Lawfulness of processing
Article 7 – Conditions for Consent
Article 8 – Conditions applicable to child’s consent in relation to information society services
Article 9 – Processing of special categories
Article 15 – Right of Access by the data subject
Article 16 – Right to Rectification
Article 17 – Right to Erasure ‘right to be forgotten’
Article 20 – Data Portability
Article 21 – Right to Object
Article 24 – Responsibility of the controller to demonstrate compliance
source: Ryan Hughes, "12 steps to GDPR"
GDPR works with the notion of "personal data", which may be described as a group of various personal identifiers including, among others, name, date of birth, sex, residence address, e-mail contact etc. The scope of personal data is not definite, as it is hard to predict now which identifying keys will be used in the near future on various IT platforms (such as a scan of an ID card, digital signature, biometric data, eye scan, fingerprint etc.). In fact, a combination of various identifiers creates a unique individuality, which can later be clearly distinguished from others. Web platforms like Facebook, Google Analytics and many others are even able to derive certain personal characteristics solely from published pictures, articles, visited locations and web pages. All this information may then be easily misused when the respective person is not aware that such data is being collected.
This creates an additional agenda for all institutions and entities working with personal data, from hospitals, insurance companies, banks, travel agencies and hotels to public institutions including government bodies. Each institution is encouraged to implement the necessary processes in its internal guidelines and, de facto, to appoint its own Data Protection Officer (DPO). Because the explanation and interpretation of which data are considered sensitive within the group of personal data is open, this leaves quite a large space for uncertainty and potential future failure.
Based on that, it is sound to expect that institutions under strong regulation in particular will prefer to act cautiously in order to avoid potential penalties (4% of annual sales, or up to EUR 20 million maximum) 1 and reputational issues. Therefore, and especially in combination with a potential breach of PSD2 rules, banks may tend to behave more conservatively (as banks should be conservative institutions), which may however become an obstacle to adopting modern online tools for distributing their products and services.
This is because all technical requirements for clear identification of customers in web/online applications are designed so that each customer has to use a combination of his/her own unique identification tools; the flow of such data, which is naturally expected (especially from the user, through third-party providers, up to the regulator), will therefore automatically require the customer's consent to sharing and storing these data.
This directive reached the business (and financial) sector at a quite demanding and challenging time, because in recent decades banks were used to working with personal data in paper form, while the processing of customer data is now more or less designed to be electronic. The security of working with data, and compliance with GDPR rules, can be guaranteed by responsible staff such as a Data Administrator/Officer and by the internal set-up of the institution. This set-up will be subject to various audit controls to prevent the possibility of data leaks and potential misuse, as well as to verify compliance with general standards.
1/ EU Publications, "Handbook on European data protection law", Sanctions, page 247