Under the GDPR, the default position is to give the individual choice and control over how their personal data is used.
Banks and financial institutions that fail to take responsibility in this way – and we can see that most recently with the troubles encountered by TSB in rolling out its IT system – will lose customers, goodwill and ultimately shareholder value.
Conversely, those that demonstrate good data governance will find customers trusting them more and sharing more personal data, not less, and that in turn will convert into stronger margins and revenues.
To achieve this, banks and financial institutions must be seen to do the right thing, because it’s the right thing to do rather than appear to be complying with some legal minimum standard.
I heard today from a very senior colleague at IBM that many executives in the banking and financial services sector are less concerned about doing the right thing because it’s the right thing to do but are motivated by not wanting to be the bottom of the class when it comes to data protection, privacy and security compared with their peers.
Does this strike you as having got your priorities sorted out under the GDPR and putting the interests of the customers at the centre of your thinking?
Better not repeat this to the Financial Conduct Authority when they check up on how you’re getting on with your GDPR plans, post-25 May.
It’s less about regulation and much more about reputation.
This was exactly the message the current Lord Mayor Charles Bowman was keen to deliver to the City when he asked me to run a special GDPR workshop for the Livery Companies at the end of February this year.
In many respects, the Lord Mayor’s ‘Trust in Business’ programme underpins pretty much all the moving parts in the GDPR where the focus is on the opportunity to do more, not less, with personal data.
Choosing to process personal data under the basis of ‘legitimate interest’ as one of the six legal grounds – others include consent, contract and a legal obligation – may look attractive.
But does it feel creepy or cool from the point of view of the customer? Remember, you haven’t sought consent to carry out this processing of personal data, so you need to be absolutely certain it’s the most appropriate legal basis for doing so.
Choosing legitimate interest as a basis for processing personal data rather than one of the other legal grounds places a higher burden on the bank or financial institution.
Guidance from the ICO is clear on this point:
- ‘Legitimate interests’ are the most flexible lawful basis for processing, but you can’t assume it will always be the most appropriate.
- It’s likely to be most appropriate where you use people’s data in ways they’d reasonably expect and which have a minimal privacy impact, or where there’s a compelling justification for the processing.
- If you choose to rely on ‘legitimate interests’ you are taking on extra responsibility for considering and protecting people’s rights and interests.
And remember, legitimate interest isn’t a quick fix. The Data Subject still has the right under the GDPR to be told, in a Data Privacy Notice, that you are relying on legitimate interest and what that interest is, and can object to the processing of their personal data. The burden of proof isn’t on them; it’s on you to show a legitimate interest and, if they object, to demonstrate compelling legitimate grounds that override their interests, rights and freedoms.
Legitimate interest may be considered where:
- another lawful basis isn’t available due to the nature and/or scope of the proposed personal data processing or
- where there are a number of lawful bases that could be used but legitimate interest is the most appropriate.
When considering the lawful basis that’s most appropriate to rely on for the processing of personal data, the Data Controller should take account of the privacy rights of individuals under each lawful basis of processing. It’s important to note that these rights may differ depending on which lawful basis a Data Controller chooses to rely on.
For example, if a Data Controller relies on legitimate interest for profiling activities of customers, the Data Subject has the right to object to profiling under Art.21, GDPR.
However, if the Data Controller uses consent for its profiling activities, the Data Subject doesn’t have this right to object but can withdraw consent at any time.
Fans of legitimate interest argue that the Data Controller may prefer to rely on legitimate interest because, when a Data Subject objects, it has the opportunity to defend its decision by demonstrating compelling legitimate grounds (except for direct marketing, where an objection must always be honoured), whereas when consent is withdrawn, the personal data processing must cease immediately.
Recitals 47-50, GDPR describe circumstances under which a Data Controller may have a legitimate interest:
- Direct marketing to prospects and customers
- Reasonable expectation of processing the personal data
- Where there’s a relevant and appropriate relationship
- Where it’s strictly necessary for the purposes of preventing fraud
- Where personal data is transmitted within a group of undertakings for internal administrative purposes
- Necessary and proportionate for the purpose of ensuring network and information security.
Unfortunately, legitimate interest is far from a catch-all justification.
Banks and financial institutions will need to justify their use of legitimate interest: they will have to fully assess their legitimate interest against the rights, freedoms and interests of individuals, notify them of this interest and uphold individual objections unless there are compelling reasons for processing the personal data.
And if you choose to go down the legitimate interest route, don’t expect universal applause. In many respects, legitimate interest is an ‘expectation test’ that requires you to consider whether a Data Subject can reasonably expect their personal data to be processed in this way.
In other words, will it be creepy or cool?
The GDPR Handbook by Ardi Kolah is out June 3rd, published by Kogan Page, priced £49.99. For more information go to www.koganpage.com