New entrants to the UK banking sector have just under two years to prepare for the enforcement of the EU General Data Protection Regulation (GDPR). Enforcement will commence on the GDPR Effective Date (25 May 2018).
The 2-year transition period is designed to allow organisations to adapt to the new requirements of the GDPR. Processing of customers’ personal data that’s already underway should be brought into conformity with the GDPR within this 2-year transition period.
Recital 171, GDPR provides:
(1) Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.
Processing that the bank hasn’t yet commenced should be carefully reviewed and planned to ensure conformity with the GDPR. The Board and Non-execs of such banks should also bear in mind that although enforcement of the GDPR doesn’t commence until early 2018, Data Protection Authorities (DPAs) across the EU are increasingly likely to interpret and apply EU data protection law in accordance with the provisions of the GDPR, and we’re already starting to see this happen in Germany, Ireland, Spain, France and other EU Member States.
The previous Directive 95/46/EC had to be transposed into the national laws of each Member State and this resulted in a patchwork of 28 different interpretations of EU data protection law.
In contrast, the new unified data protection law will be directly applicable throughout the EU. The GDPR (like all Regulations) applies across all Member States without the need for enabling legislation in each country to be passed.
The aim is that this creates a more uniform set of data protection laws across the EU as there will be less scope for national legislatures to add their own interpretations to the GDPR.
Earlier this week I asked Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), whether the consistency principle behind the GDPR could be compromised as a result of the large number of derogations contained in the GDPR that could allow Member States to pass data protection laws that are interpreted to take into account their own national interests.
In response, Giovanni Buttarelli said that the EDPS would be scrutinising Member State national laws to ensure that whatever was passed by National Governments was totally aligned with the GDPR and thereby in accordance with European Treaties that prevent Member States from passing laws that aren’t in alignment with EU Regulation.
He added that given that the GDPR was to some extent ‘future proofed’, unlike Directive 95/46/EC, he could see the application of the GDPR to Member States being valid over the next decade and beyond!
This level of confidence of course remains to be tested, but the intent to ensure compliance with the GDPR across the EU was extremely clear.
It’s worth repeating here that under Recital 171, GDPR, the European Commission decisions adopted – such as the Adequacy Decisions regarding personal data transfers to third countries – and authorisations by DPAs based on Directive 95/46/EC remain in force until amended, replaced or repealed.
The UK and its banking system will be subject to the GDPR irrespective of the date that the UK leaves the EU, given that ‘challenger banks’ are virtual and operate without geographical boundaries, making observance of EU law mandatory.
A special workshop – ‘GDPR – What Senior Managers Need to Know and Do Now’ – has been organised by Henley Business School and the British Bankers Association (BBA) for Friday 18 November 2016 at Brand Exchange, around the corner from the Bank of England.
Further details, including how to book your place on this workshop, are available here.