How Will GDPR Affect the Finance Industry?

What are some of the main concerns?

  • Privacy of Financial Data

  • Data Portability

  • Personal Data across Products

  • Right to be Forgotten

  • Data Breach Liability

  • PSD2 vs GDPR

Privacy of Financial Data

Historically, businesses within finance have retained even high-risk personal data for long periods, and that data is often copied freely between systems and teams. Because the risk is high, and because some data must still be retained under the GDPR to satisfy other obligations, finance companies need to decide how best to restrict the movement of personal data: mapping where it flows, keeping only what each purpose requires, and limiting who can access it and how many copies exist. Restricting movement in this way is essential in reducing both the probability and the scope of a breach.

Personal Data Across Products

Within finance, personal data about the same customer is often stored across multiple products, and every additional copy widens the exposure. Pseudonymisation is therefore likely to be a necessary process for ensuring data protection. Under the GDPR, pseudonymisation means processing personal data in such a way that it can no longer be attributed to a specific person without the use of additional information, provided that additional information is kept separately and protected by technical and organisational measures. Pseudonymised data remains personal data under the GDPR; the technique reduces risk, it does not take the data out of scope.
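The following is an added example, not code from the original page or from Arden Group, showing what that separation looks like in practice: records from two hypothetical products are stripped of direct identifiers and keyed with a deterministic HMAC pseudonym, the key and the token-to-customer lookup table are the "additional information" held apart from the shared copy, and the same customer remains joinable across products without a name. The product names, field names and customer IDs are constructed for the example. It also contrasts this with the common mistake of using a plain unkeyed hash of a small, structured identifier, which an attacker can reverse by enumeration.

```python
"""Pseudonymising customer records shared across products.

Added example, not code from the original page. Product names, record fields
and customer IDs below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data: two products holding the same customer (C1001).
CARD_PRODUCT = [
    {"customer_id": "C1001", "name": "Alice Example", "card_last4": "4242", "spend": 120.50},
    {"customer_id": "C1002", "name": "Bob Example", "card_last4": "1111", "spend": 80.00},
]
LOAN_PRODUCT = [
    {"customer_id": "C1001", "name": "Alice Example", "balance": 5000.0},
    {"customer_id": "C1003", "name": "Carol Example", "balance": 2500.0},
]

# Fields that identify the person directly and must not travel with the shared copy.
DIRECT_IDENTIFIERS = frozenset({"customer_id", "name", "card_last4"})

# The pseudonymisation key is the "additional information" the GDPR requires to
# be kept separately: in production it lives in a KMS/HSM, never alongside the
# pseudonymised dataset. Generated fresh here for the demo.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonym(key: bytes, customer_id: str) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 truncated to 128 bits (hex).

    Deterministic so the same customer gets the same token in every product
    (records stay joinable); keyed so the token cannot be recomputed without the key.
    """
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[dict], key: bytes, lookup: Dict[str, str]) -> List[dict]:
    """Strip direct identifiers, replace them with a pseudonym, and record the
    token -> customer_id mapping in `lookup`, which is stored separately from
    the output (e.g. in a restricted re-identification service)."""
    out = []
    for rec in records:
        token = pseudonym(key, rec["customer_id"])
        lookup[token] = rec["customer_id"]
        out.append({"pseudonym": token,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Only the holder of the separately stored lookup table can reverse a token."""
    return lookup.get(token)


def shared_customers(a: List[dict], b: List[dict]) -> set:
    """Cross-product join on pseudonyms: analytics works without names or IDs."""
    return {r["pseudonym"] for r in a} & {r["pseudonym"] for r in b}


def naive_hash(customer_id: str) -> str:
    """The common mistake: an unkeyed hash of a small, structured identifier."""
    return hashlib.sha256(customer_id.encode()).hexdigest()[:32]


def brute_force(target: str, guess_fn, prefix: str = "C", width: int = 4) -> Optional[str]:
    """An attacker who knows the ID format (here 'C' + 4 digits) simply
    enumerates it. `guess_fn` is the attacker's model of the token function."""
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        if guess_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    lookup: Dict[str, str] = {}
    cards = pseudonymise(CARD_PRODUCT, PSEUDONYM_KEY, lookup)
    loans = pseudonymise(LOAN_PRODUCT, PSEUDONYM_KEY, lookup)
    print("card records (shared copy):", cards)
    print("customers in both products:", shared_customers(cards, loans))
    token = cards[0]["pseudonym"]
    print("re-identified via lookup:", reidentify(token, lookup))
    # Unkeyed hash: recovered instantly from the known ID format.
    print("naive hash recovered:", brute_force(naive_hash("C1001"), naive_hash))
    # Keyed pseudonym: enumerating IDs without the key finds nothing.
    print("keyed token recovered:", brute_force(token, naive_hash))
```

The practical points are the two separations: the key and the lookup table must sit under different access controls from the pseudonymised copies (otherwise the whole exercise is cosmetic), and the token function must be keyed, because customer and account numbers have small, predictable formats that an unkeyed hash does not hide.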


Data Portability

Under the GDPR, every person has increased rights to control the use of their data. Data portability specifically gives individuals the right to receive the personal data they have provided to an organisation in a structured, commonly used and machine-readable format, and to have it transmitted to another provider where technically feasible. Alongside this, individuals can request access to, or erasure of, their personal data directly, without any external authorisation; a finance firm must be able to verify the requester's identity and respond within the statutory period of one month.

Right to be Forgotten

Unlike organisations in many other industries, those in the financial sector may need to keep some data to comply with other regulations, such as anti-money-laundering record-keeping rules. However, where there is no such legal basis for continuing to hold the personal data, the right to be forgotten applies as standard, and the firm should be able to show which retained records are covered by which obligation.

PSD2 vs GDPR

Although both regulatory initiatives share two common aims, putting customers in control of their own data and keeping that data safe, finance firms face some clear challenges in becoming compliant with both. PSD2 requires payment account data to be opened to third-party providers with the customer's consent, while the GDPR governs the lawful basis for that sharing and the security of the data once shared. Because customer consent and sensitive payment data are considerations under both pieces of legislation, businesses should avoid treating GDPR and PSD2 in silos and instead coordinate them so that a single plan accounts for the requirements of both.

Data Breach Liability

Under the GDPR, businesses must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification should include the nature of the breach, the approximate number of affected individuals and records, contact details for your DPO, the likely consequences, and the measures taken or proposed to address it. Where not all of this information is available within 72 hours, it may be provided in phases without undue further delay. Where the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay. In practice this means a finance firm needs logging and detection that can establish what happened, and who is affected, inside that window.

Under the GDPR, liability is significantly greater. For the most serious infringements, fines can reach 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. For the lower tier of infringements, the maximum is 10 million euros or 2% of worldwide annual turnover, again whichever is higher. Any financial sanction comes on top of reputational damage.

Do you need more information about how you can get ready for the GDPR?

Contact a member of our team today to discuss your compliance plan.


We wish to emphasise that Arden Group is a Managed Service Provider and not a legal firm. The views put forward on this page are therefore not necessarily shared by lawyers or courts.

Arden Group therefore does not guarantee that all information is factual or interpreted correctly. If you need assurance that your company is compliant with the GDPR, seek legal or other specialised advice.