Complying with Financial Obligations: One Step Further with GDPR
Financial organisations are familiar with complying with stringent regulations for data processing and storing confidential and sensitive information. Therefore these institutes should be in the best position when GDPR comes into effect later this month.
One of the main principles of GDPR is that data controllers are accountable. They are responsible for compliance and must be able to demonstrate this. For example, new obligations involve keeping records of processing; however, under various national and European banking laws, financial organisations are already subject to similar requirements. When auditing processes, it is vital to verify whether these existing records correspond with the GDPR regulations.
Most financial organisations will be able to justify that “the processing is necessary for the performance of a contract with the data subject” as the legitimate basis for processing. This can include an account agreement, loan contract or insurance policy. The other lawful basis for processing is that the company has a legal obligation to do so.
Finance institutions may need another legitimate basis if the processing operations are not required for the performance of an agreement. The other bases that can be used are:
- The data subject has given consent
- It is necessary to protect vital interests of an individual
- It is necessary for the purposes of legitimate interests of the controller or another third party, as long as they do not contradict the fundamental rights of the data subject.
Processing Consent
If a financial organisation wishes to use data subjects’ personal information for purposes such as marketing, then it is likely formal consent will be needed. This must be confirmed in writing and kept as evidence, recording who consented, when, how and what they were told.
The Right to be Informed outlines that data subjects will need to know how their information is being processed and how they can withdraw their consent at any time. It is recommended that this is included within your privacy policy, as it needs to be concise, intelligible, easily accessible, free of charge and written in plain language.
When using a live chat for website software such as ‘Experiences’ by Click4Assistance, it is advisable to also include in your privacy policy what type of data may be collected during a chat and how your organisation intends to use it. This can include, but is not limited to:
- Name
- Email address
- Telephone number
- Customer number
- Postal address
- IP address
The information should also contain details about the use of cookies to enable the chat system to function etc.
The visitor-facing aspects of the Click4Assistance solution are 100% customisable; this means that any part of the chat windows can be configured to display a link to your privacy policy. This allows visitors to easily access the information about how their details are going to be used before consenting to share their data. This is a minimum requirement, but not the preferred method, as it can navigate the individual away from engaging. It has therefore been recommended that before the data subject enters any details, a “just in time” notification is presented. This confirms to the visitor that by entering their data it will be processed. The notification can be added to any of the chat windows.
Consent will need to be gained in a lawful and appropriate manner. For example, if collecting confirmation on the pre-chat form, it cannot be made a precondition of the service which restricts individuals from starting a chat unless they consent. A checkbox can be used to record consent; however, this would need to be unticked. During a chat session, visitors can simply give a statement to confirm their consent, or again a tick box can be present on the window. It can also be displayed on post-chat forms, if collecting email opt-in details. Whichever window your organisation gains consent via, this will be stored against the chat record and can be used as evidence.
‘Experiences’ by Click4Assistance is developed and stored in the UK on Click4Assistance-owned servers; therefore any processed or stored data is never transferred outside of the UK. For more information about our live chat for website solution, contact our team on 01268 524628 or email theteam@click4assistance.co.uk.