020 7792 5649

Data Protection

On 25th May 2018, the EU General Data Protection Regulation (GDPR) came into effect in the UK. The penalties for non-compliance are set high, with breaches set to incur a maximum fine of 4% of an organisation’s annual global turnover or €20 million, whichever is higher. Here at Selachii, our expert FinTech lawyers can advise and guide you on all aspects of data protection concerning your business under the new GDPR.

Why does GDPR matter?

Data is a fundamental part of nearly every business, and for the FinTech industry this is particularly true. Because they collect, control and process a wide range of often sensitive personal data, FinTech companies need to be mindful to implement the provisions of the GDPR. FinTech companies now face the challenge of balancing the use of new technologies with remaining compliant with the new data protection regulation.

The GDPR has been introduced to ensure companies comply with rules on how data is handled. Most companies are unaware of how their organisation stores and processes the data it receives, and whether or not it is compliant with relevant legislation. In order to comply with GDPR, companies need to have completed an audit to determine:

  • The measures they have in place to protect data (particularly sensitive data);
  • How data, gained or shared with third parties, is monitored;
  • Whether all data subjects agreed to the retention and use of their data;
  • If they have explained to the individuals how their data is going to be used; and,
  • If there are any risks attached to how the data is stored.

With FinTech companies, there is a high risk with data protection because most of the data is accessed online. There have been countless reports of companies suffering data breaches, which not only damage the reputation of the company but can now result in serious fines. It is important for companies to ensure that they are monitoring their data to make sure it is safe. Databases require encryption with strong algorithms to ensure that, even when data is stolen, it cannot be used.

Key changes under GDPR

The whole remit of collecting, retaining and using personal data needs to be examined to ensure compliance with the GDPR. The GDPR covers not only companies that are based in the EU but also companies outside of the EU who offer goods and services to customers within the EU.

The GDPR covers both controllers who determine the purpose and means of processing data, as well as processors who process the data on behalf of the controller.

The way that companies can obtain data has also changed. It is no longer possible to state that a person has to "opt-out" in order to prevent you from collecting or using their data. Pre-ticked opt-in or opt-out boxes are also banned under the new GDPR. For every category of data, companies have to provide an opt-in method where they request a person's data separately from other issues (e.g. terms and conditions). The burden of proof that the data has been correctly processed and received is on the company (who will be the data controller).

FinTech companies may be required to appoint a data protection officer (DPO) to oversee their compliance since data management will be a key activity of these particular organisations. This position can either be performed by an employee or an external appointment. The DPO will need to assess any risks, such as money laundering and terrorist financing.

FinTech companies are likely to process data that would be regarded as high risk, and therefore data protection impact assessments (DPIAs) need to be performed. Carrying out a DPIA lets a company identify any privacy risks to the processed data. This type of assessment will probably be required where automatic data processing will result in predictions based on sensitive data such as health, race, ethnicity, behaviour or location. DPIAs are also needed before monitoring a public area (such as video surveillance) or processing large-scale filing systems with biometric data.

Additionally, FinTech companies must consider how they do any cross-border data transfers. It is permissible to do this outside of the EEA, so long as the country that the data is being transferred to has an adequate level of data protection, or there are appropriate safeguards in place by the data exporter.

Businesses also need to understand what rights people whose data they hold have under GDPR. These include:

  • The right to be informed;
  • The right to access their data;
  • The right to have data rectified;
  • The right to be forgotten;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object to data processing; and,
  • Rights related to automatic decision-making and profiling (this will be particularly relevant to FinTech companies).

Contact our FinTech Solicitors London, Today

At Selachii, we understand that while it is fundamentally important for existing FinTech businesses and customers of those businesses to be aware of the regulations that affect them, it is especially important that new FinTech companies are aware of which regulations apply so they can remain compliant.

We offer the same level of experience and expertise as you would expect to find at a large city law firm, with state-of-the-art case management technology. We will assist you with every aspect of regulatory compliance, from updating current practices to understanding your legal requirements in data protection. We provide forward-looking legal advice specific to your business needs and will be on hand to provide pragmatic and holistic solutions to the challenges faced by your business.

If you require advice on data protection within the FinTech industry, then please contact a FinTech lawyer at Selachii today for expert legal advice on 0203 811 3004 or complete the online form to arrange a consultation.
