Like any other organization that processes personal data in the EU, banks and financial institutions must comply with the GDPR. The banking sector has traditionally taken the protection of its customers' data seriously, given the sensitive nature of financial information, but the GDPR introduces new obligations that banks have to adapt to. Some of the main changes the GDPR has brought about for financial institutions are as follows:
Creation of the role of the Data Protection Officer: one of the most significant changes the GDPR has brought about in banks is the mandatory appointment of a Data Protection Officer (DPO). Banks typically fall under this obligation because their core activities involve regular and systematic monitoring of customers on a large scale. The DPO's role is to monitor the institution's compliance with the regulation, advise it on its data protection obligations, and act as the point of contact for data subjects and for the supervisory authority, which in Spain is the Spanish Data Protection Agency (AEPD). The DPO must be able to perform these tasks independently and reports directly to the highest level of management.
Consent: this is another aspect that has changed. In the past, silence, inactivity or pre-ticked boxes were often treated as valid consent; under the GDPR, consent must be freely given, specific, informed and unambiguous, and must be expressed by a clear affirmative action (opt-in) before a financial institution may collect and process personal data on that basis. A practical example is the use of unticked boxes that the customer must actively tick. Note that consent is only one of the lawful bases the GDPR recognizes: much of a bank's processing rests instead on the performance of a contract or on a legal obligation (for example, anti-money-laundering checks), and consent should not be requested where one of those bases already applies, since consent that cannot genuinely be refused or withdrawn is not valid.
Accountability principle: the principle of active responsibility, known as accountability, is another new feature introduced by the GDPR. Financial institutions are not only responsible for complying with the regulation but must also be able to demonstrate that compliance, which in practice means maintaining records of processing activities, carrying out data protection impact assessments for high-risk processing, implementing appropriate technical and organizational measures, and documenting all of this so that it can be shown to the supervisory authority on request.
Rights of a bank's customers: the GDPR also strengthened and added rights for customers of financial institutions. One of these is the right to erasure (the "right to be forgotten"), which allows a customer to have the data they provided to the bank deleted when it is no longer needed for the purposes for which it was collected, or when the customer withdraws the consent on which the processing was based and no other lawful basis applies. This right is not absolute: a bank may, and often must, retain data that it is legally required to keep, for example under anti-money-laundering and record-keeping rules. Another important right introduced by the GDPR is the right to data portability. It allows a customer to receive the personal data they have provided to the bank in a structured, commonly used and machine-readable format, and to have it transmitted to another provider where that is technically feasible. It applies to data processed by automated means on the basis of consent or a contract, rather than to every piece of data the institution holds about the customer.
Right not to be subject to automated individual decisions: this last right is probably the one with the greatest impact on the banking sector. Financial institutions frequently profile their customers using the data they hold on them and use those profiles to make decisions, such as whether to approve a loan. Under the GDPR, a customer has the right not to be subject to a decision based solely on automated processing (that is, without any meaningful human involvement) that produces legal effects concerning them or similarly significantly affects them, and an automated credit decision is a typical example. Such decisions remain permitted where they are necessary for entering into or performing a contract with the customer, are authorized by applicable law, or are based on the customer's explicit consent, but in those cases the bank must implement safeguards, including the customer's right to obtain human intervention, to express their point of view and to contest the decision.