EU General Data Protection Regulation

General Data Protection Regulation - How will it impact the Financial Services Sector and other Industries?

Dr. Priscilla Mifsud Parker | 31 Jul 2017

Investment Funds

The General Data Protection Regulation (the “GDPR”) has recently been finalised and is expected to come into force in May 2018. The new regulation will replace the existing EU Directive 95/46/EC, the Data Protection Directive, which is the legislative source that has defined the minimum standards on data protection in Europe over the past years.

The new regulation is intended to strengthen the data protection for individuals in the European Union. It provides a set of rules that describe how organisations are supposed to collect, store and dispose of personal data.

The aim of the article is to provide a general overview of the most important changes that will affect the industry as a whole, with a particular focus on the possible regulatory consequences on the financial services sector.

Data portability

The GDPR will be focusing on the right of individuals to have control over their own personal data. One of the most significant examples of the actual enforcement of this right is the right to data portability. The word “portability” leads to the conclusion that an individual has the right to transport his personal data from one organisation to another. Hence, such personal data must be delivered in a structured and easily readable format.

Furthermore, should the individual request to do so, organisations should facilitate the electronic transfer of personal data from one to another.

The aforementioned requirement could pose a big technical challenge to such organisations as it might be a hard task to provide a copy of all personal data.

Data breach notification

Every organisation that deals with and processes personal data shall ensure that such data is properly safeguarded against loss, theft, unauthorised access etc.

Given the importance of the issue, the upcoming GDPR provides a personal data breach notification rule, whereby should a breach of security occur, it should be reported to the supervisory authority within seventy-two (72) hours. Moreover, if such a security breach is likely to lead to a high privacy risk for the individual, he has the right to be informed of the breach.

Data protection by design and by default

Data protection by design and by default are general rules which are both included in the GDPR. The term privacy by design means that when designing a new system, process or service that processes personal data, it is mandatory to make sure that data protection rules and considerations are taken into account from the early stages of the design process. In addition, organisations need to be able to prove actual compliance with this requirement.

On the other hand, data protection by default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service, hence no manual changes would be required from the customer in terms of privacy settings.

To put it in practical terms, when customers sign up for a new service on which they can share personal information, it would be considered a breach of data protection if the service provider discloses more personal information than necessary to the public. It is furthermore noteworthy that the regulation explicitly identifies and prohibits services that by default make personal information available to an indefinite number of individuals.[1]

Expanded territorial scope

It is important to bear in mind one of the most interesting features of the new regulation: the notion of territorial scope. This states that the GDPR (and therefore the European privacy laws) also applies to organisations which are not necessarily located in the EU, but which offer goods or services to, or monitor the behaviour of, data subjects in the European Union. Thus, every organisation that targets EU residents via the Internet has to be compliant with EU rules in respect of the privacy of those residents’ data. Such rules could create an interesting precedent where the rules follow the data instead of being strictly focused on the territory.


A processor is considered to be a service provider that processes personal data for and on behalf of another organisation. Unlike the current Data Protection Directive, which places the burden of compliance with privacy legislation on the controller (i.e. the client), the new GDPR imposes some responsibilities on these entities as well, with the consequence that they are legally accountable in case of non-compliance. Some of these new responsibilities include that a processor must appoint a Data Protection Officer and keep records of all the processing activities it performs on behalf of its clients. It is predicted that this will contribute to a more level playing field.

Right to be forgotten

The data subject’s right to have all of his personal data removed was already present in the previous directive, but now the standards have been elevated under the GDPR. Under the new regulation all entities that process personal data must remove all of that data if one condition (out of a list of six) is met. For instance, one condition is when data has been unlawfully processed or when a data subject withdraws previously given consent. The aforementioned right has gained further relevance following the decision by the Court of Justice of the European Union (the “CJEU”) in the case Google vs Spain.[2]


The GDPR introduces Data Protection Impact Assessments (“DPIA”) as a tool to identify high risks to the privacy rights of individuals when processing their personal data. This control should take place prior to the start of processing of personal data and should focus on topics such as a systematic description of the operations as well as their necessity and proportionality.

Accountability and data governance

Data protection legislation has always been characterised by a number of principles which need to be respected. As well-known examples, one could refer to the principles of lawfulness, fairness and transparency. The GDPR introduces the principle of accountability, which means that organisations will not only be responsible for adhering to those principles but they must also be able to demonstrate such adherence. That would lead to an elevation of their internal privacy governance, also taking into consideration what the public opinion will expect from modern organisations and the consequential reputational risk.


One of the most discussed aspects of the GDPR is the explicit mentioning of fines. Whilst the Data Protection Directive provides only a few references in this respect, stating that sanctions had to be defined by the Member States, the upcoming GDPR specifically lists what administrative fines can be imposed for violating articles of the GDPR. The actual maximum amount of the fine depends on the category in which the violation falls. For less serious violations the maximum is Euro 10 million or 2% of the total annual worldwide turnover (whichever is the higher), whereas for more serious violations this might increase to Euro 20 million or 4%.

Supervisory convergence

A sort of “one stop shop” system for supervisory authorities will be introduced, since the GDPR introduces a cooperation system between supervisory authorities. The “lead supervisory authority” will be the competent authority of the country in which the data controller or processor has its main establishment, but under particular circumstances it can be assisted and supported by the other supervisory authorities. Moreover, as a novelty, data protection mechanisms to certify actual adherence to the GDPR will be introduced.

Lastly, since the GDPR is a regulation and not a directive it will be directly transposed and applicable in each European jurisdiction, therefore avoiding any local deviations in such transposition.

Impact on financial services: What’s next?

It is clearly crucial for financial services operators to be thoroughly prepared for the advent of the GDPR and to start addressing any shortfall in compliance in advance. In order to properly assess which areas need to be strengthened in this respect, an impact assessment, including a data audit, is suggested to find out where the information resides, what data are personally identifiable and how accessible they are.

It might also be useful to have a clear understanding of how information flows through the organisation, in order to grasp how the data is managed and transferred across the different organisational layers.

Recent surveys indicate that some companies remain unprepared for the GDPR; only 58% have a dedicated team addressing the upcoming requirements. Thus, the GDPR will pose a big strategic challenge for financial services players, who should not underestimate the impact it will have in the near future.[3]



[2] The decision states that an Internet search engine operator is responsible for the processing that it carries out of personal information which appears on web pages published by third parties. Thus, an Internet search engine must consider requests from individuals to remove links to web pages which are easily accessible as a result of searches on their names. Grounds for removal include cases where the search result(s) “appear to be inadequate, irrelevant or no longer relevant or excessive in the light of time that had elapsed” (Judgment of the Court in Case C-131/12, Costeja).

