The EU General Data Protection Regulation (GDPR) is making headlines. It changes both the rights of EU citizens and the responsibilities of businesses - irrespective of the country they’re based in - with regard to personal data.
Basically, it’s a big deal.
As a fintech company with investors and borrowers in the EU, we often field questions concerning these changes and how we will implement them. Here are just a few.
Can you explain the EU climate regarding data protection and why this regulation is important?
How is this different from the climate in the US?
European citizens have, for many years, benefited from data privacy and protection rights that are written into their constitutions because the EU views data privacy as a fundamental human right which is protected under the European Union Charter.
In the US, there is no equivalent protection as the American Constitution doesn’t include the same level of protection for citizens’ privacy. However, the US has various data protection laws targeting specific markets and activities and some legislation at state level.
The US approach is more targeted and bespoke while the EU authorities have taken a ‘citizens first’ approach.
The upcoming GDPR replaces the previous 1995 Data Protection Directive.
Can you explain the difference between a directive and a regulation? What are the major changes that will go into effect on 25 May 2018?
Put simply, a regulation is a set of binding laws; in this case, they’re binding on EU member states and every EU state has to comply with the regulation exactly as passed by the EU Parliament. A directive, on the other hand, is a set of principles that each member state can interpret in its own way as long as the same regulatory results are achieved.
The major change introduced by the GDPR is moving from data protection (which is an organisational issue) to data subject rights (which is an individual rights issue).
Data subjects (owners) will be empowered to know exactly how organisations use their data and have a right to refuse consent for certain uses. These will typically be uses that are not relevant to the core purpose for which the data was collected.
For the first time, EU data protection laws will now also apply to all companies processing personal data of EU residents, regardless of whether the company is located in the EU. This means that a US-based company providing a platform used by EU residents will have exactly the same legal obligations to comply as a UK-based company.
Some other interesting changes include increased penalties for breaches of the regulation (up to 4% of annual global turnover), clearer rights of data subjects to access information held about them by a business, and the right to be forgotten when the information is no longer required for the purpose it was collected. Data subjects will now also have a right to move their data from one company to another (portability).
What counts as personal data?
Personal data is defined by the regulations as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In simple terms, any information that is unique to an individual is likely to be personal data. To catch up with advances in technology, the regulation also introduces the inclusion of electronic identifiers like metadata, IP addresses, social media accounts and posts.
Who specifically will be affected by the GDPR?
Any organisation that processes personal information of EU residents, regardless of where that organisation is located.
So, any business from a small hairdresser that collects booking information from customers to a large social media platform that collects huge sets of big data, as long as it processes information of EU residents.
This wide application explains why GDPR is a big deal globally.
How do these regulations affect EU citizens?
How will they affect non-citizens studying in the EU?
EU citizens and non-EU citizens who are resident in the EU will have their rights protected under GDPR. This means they will enjoy new rights like the right to be forgotten, right to ask for their data to be transferred to another service provider and right of access to data held about them.
What effect will Brexit have on the GDPR in the UK?
Brexit won’t affect the changes in the GDPR. The UK has been a champion of privacy rights and the data regulator here (the Information Commissioner’s Office) has confirmed that the UK implementation of GDPR is going ahead regardless of the outcome of Brexit.
Indeed, the UK Government has already published the Data Protection Bill 2017 which will implement GDPR in the UK from May 2018.
What is Prodigy Finance doing to ensure compliance with GDPR?
Will there be any visible changes that borrowers (and potential borrowers) will be able to spot?
Prodigy Finance recognises the importance of good data practices to our customers regardless of where they are located. We believe the regulation is about transparency and as a socially responsible business we have been planning for GDPR for some time now. We’re committed to providing our customers with clear and fair information on how we use their data and take the security of their personal data very seriously.
Most of the changes we are making will be to our internal working processes, and we don’t expect any changes to the front end systems. Having said that, we will be reviewing our customer privacy notices and consent options to make sure they are clear and provide sufficient information to our customers on how their data is processed.
Will the changes Prodigy Finance is making apply to all borrowers and interested parties, or just those in the EU?
We will apply any changes to all our customers across the world as we believe this is the right thing to do.
Will Prodigy Finance have a Data Protection Officer?
We are not required by the regulation to appoint a DPO as we are not a public authority and our core activities do not involve systematic monitoring of individuals or large scale processing of special categories of data.
While the GDPR is a regulatory requirement, we’ve embraced its principles as an opportunity to review some of our internal processes to ensure we are as transparent as possible with our customers on how we use their data.
Want to know more about Prodigy Finance?
*We’re more than a fintech company with a social impact heart; we’re a global community. And, we’d love for you to join us on our journey.*
Prodigy Finance Ltd is authorised and regulated by the Financial Conduct Authority.