How will the GDPR affect the finance sector?

How Will GDPR Affect the Finance Industry?

What are some of the main concerns?

  • Privacy of Financial Data

  • Data Portability

  • Personal Data across Products

  • Right to be Forgotten

  • Data Breach Liability

  • PSD2 vs GDPR

Privacy of Financial Data

Historically, businesses within finance have kept even high-risk data for significant periods of time. Additionally, data is often moved freely around organisations.

Consequently, finance companies will need to consider the most appropriate solutions for restricting the movement of data. This is essential in decreasing the probability of a breach.

Personal Data Across Products

Within finance, personal data is often stored across multiple products. Consequently, pseudonymisation is likely to be a necessary process for ensuring data protection.

Pseudonymisation is defined as processing personal data in such a way that the individual it belongs to can no longer be identified from that data alone; re-identification is only possible by cross-referencing it with an additional source that is held separately.
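The following is an added illustration of that definition, not code from the original page: customer records from two constructed product datasets are pseudonymised with a keyed token, so the datasets can still be linked to each other across products, but a person can only be re-identified by consulting the separately held key and lookup table. The product names, field names and key value are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed sample records for two hypothetical products (not real data).
SAVINGS = [
    {"customer_id": "C1001", "name": "Alice Example", "balance": 5200},
    {"customer_id": "C1002", "name": "Bob Example", "balance": 310},
]
LOANS = [
    {"customer_id": "C1001", "name": "Alice Example", "outstanding": 12000},
]

# The pseudonymisation key is the "additional, separate source": it must be
# stored apart from the pseudonymised datasets. A fixed constructed value is
# used here only so the example runs offline.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(customer_id, key=PSEUDONYM_KEY):
    """Keyed, deterministic token: the same id maps to the same token in every
    product, so records can be joined without exposing the identifier."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, direct_identifiers=("customer_id", "name")):
    """Strip direct identifiers from each record and replace them with a token.
    Returns the pseudonymised records plus a separate lookup table that is the
    only way back from a token to the original customer id."""
    output, lookup = [], {}
    for record in records:
        token = pseudonym(record["customer_id"])
        lookup[token] = record["customer_id"]
        kept = {k: v for k, v in record.items() if k not in direct_identifiers}
        output.append({"pid": token, **kept})
    return output, lookup


def join_by_pseudonym(left, right):
    """Link two pseudonymised datasets on the token alone (no identifiers needed)."""
    index = {r["pid"]: r for r in left}
    return [{**index[r["pid"]], **r} for r in right if r["pid"] in index]


def re_identify(token, lookup):
    """Re-identification requires the separately held lookup table."""
    return lookup.get(token)
```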

Data Portability

Under the GDPR, every person has increased rights to control the use of their data. They can therefore request access to, or removal of, their personal data without needing any external authorisation.

Right to be Forgotten

Unlike many other industries, organisations within the financial sector may keep some data if it is required to ensure compliance with other regulations. However, if there is no other justification for holding personal data, the right to be forgotten applies as standard.

PSD2 vs GDPR

The PSD2 and GDPR share common aims. Both are designed to put customers in control of their own data and to keep that data safe.

However, there are some apparent challenges that finance firms may face in their plan to become compliant with both.

With factors such as customer consent and sensitive payment data being necessary considerations under both pieces of legislation, businesses should avoid viewing GDPR and PSD2 in silos. Instead, they should be coordinated and their plan should take into account the requirements of both.


Data Breach Liability

Businesses will now need to report a data breach to the supervisory authority within 72 hours. The notification should include details such as the nature of the breach, the approximate number of affected individuals, and contact details for your DPO (Data Protection Officer). Likely outcomes and planned remedial measures should also be reported ‘without undue delays’.

Since May, liability has become more significant. For serious violations, companies will be fined up to 20 million euros or 4% of their global turnover, whichever amount is greater. For minor violations, businesses will be fined 2% of their global turnover.

Any financial sanction is also in addition to reputational damage.

Do you need more information about how you can get ready for the GDPR?

Contact a member of our team today to discuss your compliance plan.

We wish to emphasise that Arden Group is a Managed Service Provider and not a legal firm. That means that the views brought forward in this page are not necessarily shared by lawyers or courts.

Arden Group, therefore, does not guarantee that all information is factual and interpreted correctly. If you wish to ensure your advice or your company is legally covered by GDPR, consider consulting legal or specialised advice.