General Data Protection Regulation (GDPR)

DEFINITION of 'General Data Protection Regulation (GDPR)'

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based. The General Data Protection Regulation covers all companies that deal with the data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR will come into effect across the EU on May 25, 2018.

BREAKING DOWN 'General Data Protection Regulation (GDPR)'

The GDPR adds to the EU’s general policy of protecting citizens’ data. In addition to the notifications of collection and legal ramifications for misuse, there is also a requirement to obtain explicit consent, notify in cases of a hack or breach, appoint dedicated data protection officers and much more. For financial institutions, the new rules will require significant investments in compliance to ensure continuing access to the EU market. The new rules are also pushing firms to pseudonymize personally identifiable information (PII) prior to processing it, meaning that the data can’t be attributed back to a particular person. The pseudonymization of data allows firms to do some larger data analysis - such as assessing the average debt ratios of their customers in a particular region - that would otherwise be beyond the original purposes for which the data was collected, such as assessing creditworthiness for a loan.

GDPR Versus Big Data

The GDPR has effects beyond lending, insurance and other firms where sensitive personal data is collected and processed as a matter of course. The rules apply to the human resources records of employees and even the IP addresses of people using online services. The GDPR builds upon data rights that the EU has been pushing for, such as the right of an individual to be forgotten and the right to data portability.

As such, it is expected that the GDPR will lead to data minimization where companies willingly prune down the amount of information they collect to the functional essentials needed to complete a transaction. This could be a reversal of one of the big data trends where companies seek to collect and analyze as much data on their customers as possible in order to gain new insights. This analysis can still take place after appropriate pseudonymization, but other data rights prevent those insights from being used to profile customers in a way that could be discriminatory or put them at a financial disadvantage. As the GDPR is a new regulation, there will no doubt be a period of adjustment where gaps and thorny issues like profiling are addressed.