01 May 2018
Complying with Financial Obligations: One Step Further with GDPR
Financial organisations are familiar with complying with stringent regulations for processing data and storing confidential and sensitive information. These institutions should therefore be in the best position when GDPR comes into effect later this month.
One of the main principles of GDPR is that data controllers are accountable. They are responsible for compliance and must be able to demonstrate it. For example, the new obligations involve keeping records of processing; however, under various national and European banking laws, financial organisations are already subject to similar requirements. When auditing processes, it is vital to verify whether these existing records correspond with the GDPR requirements.
Most financial organisations will be able to justify that “the processing is necessary for the performance of a contract with the data subject” as the legitimate basis for processing. This can include an account agreement, loan contract or insurance policy. The other lawful basis for processing is that the company has a legal obligation to do so.
Financial institutions may need another legitimate basis if the processing operations are not required for the performance of an agreement. The other bases that can be used are:
- The data subject has given consent
- It is necessary to protect vital interests of an individual
- It is necessary for the purposes of legitimate interests of the controller or another third party, as long as they do not contradict the fundamental rights of the data subject.
If a financial organisation wishes to use data subjects’ personal information for purposes such as marketing, then it is likely formal consent will be needed. This must be confirmed in writing and kept as evidence, recording who consented, when, how and what they were told.
- Email address
- Telephone number
- Customer number
- Postal address
- IP address
Consent must be gained in a lawful and appropriate manner. For example, if consent is collected on the pre-chat form, it cannot be made a precondition of the service that prevents individuals from starting a chat unless they consent. A checkbox can be used to record consent; however, this would need to be unticked. During a chat session, visitors can simply give a statement to confirm their consent, or again a tick box can be present on the window. It can also be displayed on post-chat forms, if collecting email opt-in details. Whichever window your organisation uses to gain consent, the consent will be stored against the chat record and can be used as evidence.
‘Experiences’ by Click4Assistance is developed and stored in the UK on Click4Assistance-owned servers; therefore, any processed or stored data is never transferred outside of the UK. For more information about our live chat for website solution, contact our team on 01268 524628 or email email@example.com.