Understanding GDPR and its impact on KYC
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018. In accordance with the GDPR, organisations that conduct identity checks and hold potentially sensitive information about customers must be completely transparent about what happens to the data after use. While few penalties have been imposed for GDPR violations, many companies are concerned about the consequences of non-compliance and how GDPR will impact their operations, particularly with regard to Know Your Customer (KYC) regulations.
As effective risk management tools, KYC checks and procedures are essential for AML (Anti-Money Laundering) and the identification of suspicious financial activities. In this article, we will discuss the things you need to know about GDPR and how it might affect KYC in the EU.
What is the impact of GDPR on KYC?
Although KYC is mandatory in the EU as part of due diligence, where clients are required to provide proof of identity and relevant documents, it does not conflict with the GDPR or other data protection laws. Companies will continue to perform due diligence alongside data protection laws, and regulations are in place to provide best-practice guidance on safe data collection.
Strengthening KYC data security
It should come as no surprise that the GDPR places a heavy focus on protecting KYC data, since improving data security can be considered its primary objective.
The GDPR does not specify how data protection must be implemented, so organisations must themselves eliminate situations where workers could unintentionally store data in a public cloud, use their own devices for work, or take sensitive data home.
Customers will have more control over stored data
Customers, clients and individuals have more control over their KYC information after onboarding. Customers' rights to control data collection and retention require companies to keep accurate records and to give users the opportunity to delete some or all of their sensitive data.
This data must also be portable, that is, simple to transfer between organisations. Furthermore, users have the right to be notified immediately if any of their personal information is disclosed.
Increased use of automated data processes
GDPR compliance has been challenged by the amount of digital data that can be shared. However, automation has been useful in this process. It eliminates human error by automating the collection, storage, management and maintenance of personal data.
As a result, companies need to invest in technology to safeguard the collected data and to conduct extensive checks to ensure GDPR compliance. Automated data collection also aids another component of GDPR compliance: data portability.
Penalties for non-compliance with GDPR
The following penalties may apply if your business is found to have suffered a data breach as a result of non-compliance with the GDPR:
- €10 million, or 2% of your annual revenue from the preceding financial year, whichever is higher, for less severe infringements (failing to maintain proper records, failing to adhere to the requirements for notifying data breaches, failing to appoint a data protection officer when one is required, etc.)
- €20 million, or 4% of your annual revenue from the preceding financial year, whichever is higher, for more serious infringements (violating basic processing principles, disregarding people’s rights, improperly transferring personal data, etc.)
It’s crucial to remember that the GDPR does not only apply to businesses in the EU. All multinational corporations should understand how the GDPR affects them, including KYC data collection, as it applies to anyone who serves even a single EU client or organisation.
How can Bolder Group help?
At Bolder Group, we ensure that our clients are GDPR compliant through our data privacy policy and data privacy officers around the globe. As we always keep GDPR in mind, we have developed an automated tool to help us facilitate our KYC and AML-driven services for our clients in the EU.
Our specialists administer a GDPR-friendly KYC approach that protects our clients’ personal data and helps businesses avoid potential GDPR charges.
For secure compliance solutions, contact our team.
Bolder Group does not provide financial, tax or legal advice and the information contained herein is meant for general information purposes only. We strongly recommend that before acting on any of the information contained herein, readers should consult with their professional advisers. The Bolder Group accepts no liability for any errors or omissions in the information, or the consequences resulting from any action taken by a reader based on the information provided herein.
Bolder Group refers to the global network of independent subsidiaries of Bolder Group Holding BV. Bolder Group Holding BV provides no client services. Such services are provided solely by the independent companies within the Bolder Group which are each legally distinct and separate entities and have no authority (actual, apparent, implied or otherwise) to obligate or bind Bolder Group Holding BV in any manner whatsoever. The operations of the Bolder Group are conducted independently and have no affiliation with third party financial, tax or legal advisory firms or corporations.