New data protection laws, in the form of the GDPR, will have a major impact on the Fintech and broader financial services sectors. Many Fintechs, particularly those involved in Banktech (banking apps and services) and Regtech (regulation and compliance tools), rely on the sharing and processing of personal data. That data may include an individual’s contact details and bank account numbers and information, but it will also increasingly include biometrics, location data, IP addresses and other rich data such as an individual’s spending habits. The GDPR will shake up and modernise data protection laws to bring them into line with the way that data is being used today. But what are the main issues likely to be for Scotland’s growing Fintech sector?
As a member of the SFE’s Fintech Strategy Group, whose aim is to promote Scotland as a world-leading Fintech hub of innovation and creativity, I know that the GDPR is likely to affect Fintechs in many different ways – although there are some common themes.
We are all used to ticking the box to say that we consent to our data being used for marketing or other specified purposes. However, the requirements around obtaining consent are going to get a lot tougher under the new law. In order to rely on a customer’s consent, Fintechs will need to demonstrate that consent was freely given, specific, informed and unambiguous and that the customer provided a clear affirmative action (i.e. we can’t rely on pre-ticked boxes anymore). Companies will need to be mindful of these new rules when they are designing their customer journey and sign-up processes to ensure that they can lawfully use customer data for all of the various purposes they wish to use it for. Oh, and customers can withdraw their consent at any time…
Privacy notices (the small print that many of us seem to ignore when we sign up to a new app) are also set to change. Fintechs will need to provide customers with a lot more detail about the nature of the processing that is to be undertaken, but at the same time must do so in a clear and concise way – which might prove to be a real challenge for some!
Data processing and data sharing are also under the spotlight. Any Fintech that relies on service providers to assist them by holding, storing or processing data (such as data centres) will need to review their contracts to ensure that they are GDPR compliant. The new law extends compliance responsibility to data processors for the first time, so there is a need to ensure that data processing obligations, responsibilities and liabilities (particularly if something were to go wrong!) are clarified.
Processes and contracts should be brought into line with the GDPR. It’s about moving away from the old perception that data protection was just a box-ticking exercise and making sure that privacy is ‘baked in’ to all aspects of an organisation’s activity. This is as much about a change in culture and approach as anything else, but it is something that Fintechs, with their disruptive technologies and creative ideas, ought to be well placed to embrace.
The ongoing success of the Fintech sector is deeply connected to consumers' trust and confidence that their personal data is being processed securely and confidentially. The winners will be those companies that are able to successfully adopt good practice and communicate that to their consumers to let them know that privacy by design is built into their apps and services.