General Data Protection Regulation: a milestone for the digital age

4 februari 2016

Financial Services
data protection

“Credit card breach exposes 40 million accounts.”   “Health Insurance companies prime targets for hackers”. “Banks to trial letting companies target ads at customers based on their payment history.”  “Lots of Health Apps are Selling Your Data.”….  Stories like these appear in the news on a regular basis.


In today’s world where everything and everyone is connected, where data is gathered to explore new business opportunities and improve customer experience, proper arrangements are needed to build trust, especially in a sector like Financial Services where customer data are very sensitive. That’s the purpose of the General Data Protection Regulation (GDPR), approved on December 15th and applicable from 2018. This trust is needed so we can all gain the advantages of the digital transformation we are going through.

It’s a Regulation, a European law. Regulations are addressed to all member states and are applied in full. They are directly applicable without the need for national legislation. 

5 things you need to know about GDPR:

1. Are you concerned ?

This regulation will have an impact on almost every organization.

At first, GDPR will apply to every organization with more than 250 employees and handling more than 5 000 data transactions. In a second stage,  it will also be applicable for every organization – no matter the size or how many data transactions. The only difference will be that organizations with less than 250 employees won’t need a Data Protection Officer.

2. What kind of data is it about ?

It’s about personal data and how you process them.

It concerns pseudonymized data because they can be re-associated with a specific customer but does not apply to anonymized data.

3. Privacy by Design

You need to take the necessary precautions to avoid that data gets lost or that consumers get harmed.  You also need to do an impact analysis in case incidents occur. For example how to handle a data breach or what to do when employees see information about customers they are not allowed to see.

You need to ask your customer if you are allowed to save and use his data. And for different kind or different use of data you need individual approval from your customer.

Furthermore your customer has the right to be forgotten (if there are no legitimate grounds for retaining their personal data).

And finally customers have the right to access their data and can take them with them when they want to switch between service providers.

4. What needs to be done to meet GDPR?

You need to document how to process personal data: 

  • How do you collect data?

  • What do you need them for?

  • How do you store them ?

  • How do you secure these data ? 

  • How do you manage these data?

  • What to do when you lose data?

In other words you need to do describe how you handle personal data from cradle to cradle.
Larger organizations (+250) will need a Data Protection Officer (DPO). Smaller organizations only need a DPO if processing data is their core activity.

5.  What if you don’t meet the requirements?

If you  violate GDPR, you will face fines up to 4% of your worldwide annual turnover of the preceding financial year.

Be prepared

If you’ve not already done so, it’s time to start preparing for this upcoming regulations. RealDolmen has been investing to guide you where necessary. Besides our team of data scientist, there’s a team of 9 certified Privacy Aware Technologists ready to assist you.



This blog post is the fourth post in a monthly series about IT in Financial Services.
Written by: Raf Celis – Customer Executive Financial Services