Fintech Finance Magazine Spring 2018

Page 57

ignores subject access, it’s going to be at higher risk of being fined,” says Brown. “But in most cases a delay would be because the request is particularly difficult or complex, or it involves a huge amount of searching and a huge number of records.

“We’ve seen some case law this year which is based on the concept of disproportionate effort. While this is a Data Protection Act concept that we’re losing under GDPR, the courts have shown some degree of sympathy towards organisations that have to make a disproportionate effort to respond to these types of requests, which are often made by individuals who are contemplating litigation or are trying to extract some form of settlement. We’ll have to wait to see whether that will be reflected in enforcement under GDPR.”

So where, then, will the regulator’s focus likely lie?

“Security is always top of the list in terms of impact on individuals. It’s a human rights-based system and fines are determined based on the level of distress caused to an individual – the person whose bank details or medical records have been disclosed by accident, whether that’s through failing to take the right security measures or allowing data access to staff and suppliers who shouldn’t have it,” says Brown.

In all the discussion around GDPR, the fact that culpability will be extended down the data processing supply chain has been largely overlooked – but it could have huge implications for the industry and the pricing of risk.

“This is really the next game-changing point in GDPR,” says Brown. “How it affects service providers like Dropbox, which are classed as data processors. They will be liable to be fined directly and face legal action from data subjects for the first time under GDPR, whereas, currently, the liability lies with the organisation that is using that provider.

“Under GDPR, service providers can incur fines up to the maximum level, too. Joint and several liability under GDPR means the regulator can decide, in the event of a data breach, who’s most culpable, and apportion the fine between them.

“As a result, institutions are reviewing their contracts and suppliers are reviewing their insurance and risk positions – and this is hugely disruptive.

“Where contracts can’t be renegotiated, and a service provider can’t give the security assurances it needs to, we’re seeing customers walking away because they’re not willing to take on that level of risk anymore, given that their potential liability is so much higher.”

Extended liability

This has far-reaching implications for consumers, too, who increasingly rely on banking services in other aspects of their lives – from Uber to Amazon and the Internet of Things (IoT), all of which require inbuilt payment and data sharing capability.

“Many of today’s service delivery models are priced on the basis of no liability. The law’s now telling them they have liability.

“It’s a difficult balancing act for the banks, because if you want to engage with the new fintech technology and they want to provide the most adaptable, cost-effective service for their customers, they’re having to take a view on the levels of risk that they will accept for their suppliers.

“Whereas, previously, data protection would have been a small line in the due diligence, now it’s an entire section, and that demonstrates the new importance of GDPR in general business planning.”

And the million-dollar question: what will be classed as ‘personal, identifiable information’ when it comes to assessing an organisation’s compliance with GDPR?

“It’s essentially anything that an individual can be identified from,” says Brown. “It very much depends on the context of the information itself. It could be factors that you might think are anonymous but it could be any combination of factors from which it’s possible to identify an individual – for instance, they might be the only person in their postcode with a red car.”

In light of this considerable burden, developing the right kind of culture around data is as vital as the software, contracts and customer transparency, concludes Brown.

“You’re only as strong as your weakest link,” she adds. “Every member of staff needs to be aware of the importance of protecting personal information and why. That involves training, communications and messages at the coffee point, and the longer you spend doing it, the more likely you are to get the message through.”

Issue 8 | 57

