Understanding GDPR and its impact on KYC
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018. In accordance with the GDPR, organisations that conduct identity checks and hold potentially sensitive information about customers must be completely transparent about what happens to the data after use. While few penalties have been imposed for GDPR violations, many companies are concerned about the consequences of non-compliance and how GDPR will impact their operations, particularly with regard to Know Your Customer (KYC) regulations.
As effective risk management tools, KYC checks and procedures are essential for AML (Anti-Money Laundering) and the identification of suspicious financial activities. In this article, we will discuss the things you need to know about GDPR and how it might affect KYC in the EU.
What is the impact of GDPR on KYC?
Although KYC is mandatory in the EU as part of due diligence, where clients are required to provide proof of identity and relevant documents, it does not conflict with the GDPR or other data protection laws. Companies will continue to perform due diligence for as long as data protection laws exist, and regulations are in place to provide best-practice guidance on safe data collection.
But does compliance with the GDPR pose a challenge? Bolder Group Global Head of Compliance Harry Polman responds, “GDPR has always been a challenge, especially in the current times. GDPR is a European regulation initiated to protect the rights of European citizens on their privacy. To protect (privacy) in the context of the fast-evolving global digitalisation and commerce, it’s a constant challenge.”
Strengthening KYC data security
It should come as no surprise that the GDPR places a heavy focus on protecting KYC data, since improving data security can be considered its primary objective.
The GDPR does not specify how data protection is to be implemented. Situations where workers can unintentionally store data in a public cloud, use their own devices for work, or take sensitive data home must therefore be eliminated.
Customers will have more control over stored data
Customers, clients and individuals have more control over their KYC information after onboarding. The rights of the customers to control data collection and retention require companies to keep accurate records and give users the opportunity to delete some or all of the sensitive data.
This data must also be portable, that is, simple to transfer between organisations. Furthermore, users have the right to be notified immediately if any of their personal information is disclosed.
Increased use of automated data processes
GDPR compliance has been challenged by the amount of digital data that can be shared. However, automation has been useful in this process. It eliminates human error by automating the collection, storage, management and maintenance of personal data.
As a result, companies need to invest in technology to safeguard the collected data, as well as conduct extensive checks to ensure GDPR compliance. In addition, automated data collection supports another component of GDPR compliance: data portability.
Penalties for non-compliance with GDPR
The following penalties may apply if your business is found to have suffered a data breach as a result of non-compliance with the GDPR:
- €10 million, or 2% of your annual revenue from the preceding financial year, whichever is higher, for less severe infringements (failing to maintain proper records, failing to adhere to the requirements for notifying data breaches, failing to appoint a data protection officer when one is required, etc.)
- €20 million, or 4% of your annual revenue from the preceding financial year, whichever is higher, for more serious infringements (violating basic processing principles, disregarding people’s rights, improperly transferring personal data, etc.)
It is crucial to remember that the GDPR does not apply only to businesses in the EU. All multinational corporations should understand how the GDPR affects them, including their KYC data collection, as it applies to anyone who serves even a single EU client or organisation.
How can Bolder Group help?
Our specialists administer a GDPR-friendly KYC approach that protects our clients’ personal data and helps businesses avoid potential GDPR charges.
For secure compliance solutions, contact our team.