Some new bank schemes may be out of reach for clients because of GDPR
2018.04.26. 08:00 | News
This is part 2 of a 4-part series of articles. <<< Part 1
Clients can avoid profiling and automated decision making with the new GDPR regulation entering into force. This, on the other hand, can prevent them from using certain bank services. In the first part of our series of articles, we discussed GDPR in general and now we are providing details with the involvement of Bancard Ltd. expert Gabriella Tóth-Haász.
Péter Homa, Bankkártya.hu (BKHU): - In the first part of the series, we covered that clients can request not to be subject to profiling and automated decision making. Can they truly be denied certain bank products and services?
Gabriella Tóth-Haász, Bancard Ltd. (H.G.): - In a webshop, you can decide with a button to switch on or off the feature that offers you products, and you can choose what you need to buy. According to the GDPR regulation, clients have the right to know in advance what legal consequences switching profiling on or off has. A webshop can then indicate that, since the customer switched profiling off, it cannot provide personalized product offers, but the services of the webshop are still available in the menu.
However, if a bank product relies heavily on profiling because an advanced risk management algorithm is working in the background, which renders the product unusable due to the high risk when profiling is turned off, then a bank can definitely say that it cannot provide the service if the client does not give consent to profiling.
BKHU: - How can a client know which bank schemes he/she is denied by this?
H.G.: - Denial is a legal consequence that the client must be informed about in advance. It is likely, though, that only a few clients will exercise this right if they wish to use the services of the bank; in addition, all banks will handle this similarly, as they have no fundamental differences in risk management practices. This means that if the client cannot use a certain type of service - one which needs profiling - because of refusing data processing at one bank, it is likely that five other banks will respond the same way. Thus, if you want to use the service, sooner or later you need to give consent to profiling at one of the banks.
BKHU: - What does a bank or a financial service provider need to watch for regarding GDPR?
H.G.: - What needs to be discussed, and what will probably have a heavier impact on IT systems, is the client’s right to erase his/her data, or, as the regulation puts it, the “right to be forgotten”. So far, banks archived the client’s data but it was not erased, at least not physically from the database and certainly not irretrievably.
From now on, however, clients will have the right to do so, so preparation will be needed that was not typical until now in the processes of bank IT systems. Here we are talking about a truly irretrievable erasing process, so if someone presses that one button, client data will be erased for good. After this, the data will not be retrievable in any way, neither from archives nor from any backup data storage – from this point, it can only be stored as unidentifiable, provided with a data protection ID for e.g. statistical purposes. Many banks are coping with this rule as far as we know, but the development is in the testing phase at several sites in this regard. The goal is to provide a solution that does not compromise prudent bank operations and is also compliant with the data protection regulation.
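One engineering pattern that meets the requirement described above (erasure that also covers archives and backups, while a pseudonymous ID survives for statistics) is crypto-shredding. The example below is added here and is not code from the interview or from Bancard Ltd.; it assumes a per-client key store kept separately from the record store, and uses an HMAC-SHA256 counter-mode keystream as a standard-library stand-in for a real AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs
    offline with the standard library; production code would use an AEAD."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class ClientVault:
    """Each client's record is encrypted under its own key. Records, archives and
    backups never have to be rewritten on erasure: destroying the key is what makes
    every copy of the ciphertext permanently unreadable."""

    def __init__(self, stats_pepper: bytes):
        self._keys = {}            # key store: separate system, separate backup policy
        self.records = {}          # encrypted records: safe to archive and back up
        self._pepper = stats_pepper  # secret pepper for the statistical pseudonym

    def store(self, client_id: str, plaintext: bytes) -> None:
        key = self._keys.setdefault(client_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        self.records[client_id] = nonce + _keystream_xor(key, nonce, plaintext)

    def read(self, client_id: str) -> Optional[bytes]:
        key = self._keys.get(client_id)
        if key is None:            # key shredded: the stored blob is now opaque
            return None
        blob = self.records[client_id]
        return _keystream_xor(key, blob[:16], blob[16:])

    def forget(self, client_id: str) -> str:
        """Right to be forgotten: destroy the client's key and return only a
        keyed, non-reversible pseudonym usable as a data protection ID in statistics."""
        self._keys.pop(client_id, None)
        return hmac.new(self._pepper, client_id.encode(), hashlib.sha256).hexdigest()
```

The same pseudonym is returned on every call for a client, so aggregated statistics stay consistent, but without the pepper the ID cannot be mapped back to the client.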