Will the GDPR stop us from complying with our other regulatory requirements, such as Anti-Money Laundering, Know Your Customer and Open Banking requirements?

We do not believe that data protection law prevents organisations from complying with other financial regulatory requirements. The GDPR allows you to process personal data where it is necessary to comply with other legal obligations, and the FCA takes data protection into account when it is setting its own regulatory rules.

For more information, see the joint statement released by the FCA and the ICO on the effect of the GDPR on other regulatory requirements in the financial services sector.

Will I need consent to process personal data under GDPR?

Not necessarily. Like the current Data Protection Act 1998, there are a number of different lawful bases for processing personal data, and consent is just one of them.

In some cases, consent will be an appropriate way to legitimise your processing. However, there will be situations when consent is not the appropriate legal basis - for example, if you are processing personal data for the performance of a contract with the data subject, or if you are complying with a legal obligation.

For more information, see the Lawful bases for processing section of our Guide to the GDPR.

What if someone asks us to delete data using their ‘right to be forgotten’, but we need to keep the data for our own purposes or for a regulatory requirement?

Individuals have a new ‘right of erasure’ under Article 17 of the GDPR, also known as the ‘right to be forgotten’. However, this is not an absolute right that you will always have to comply with.

Generally speaking, if you have a genuine need to continue processing that personal data (for example, because you have a legal obligation to do so), you will be able to do this. However, you must consider each request on its own merits and, if you decide not to delete data when requested by a data subject, you will need to be able to justify why.

For more information on how this right works and when you will have to comply with it, see the Right to erasure section of our Guide to the GDPR.

Do I need to appoint a data protection officer (DPO)?

The GDPR does not always require you to appoint a DPO. However, you will need to do so if:

  •  You carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  •  You carry out large scale processing of special categories of data or data relating to criminal convictions and offences

For more information, please see the section on DPOs and when they need to be appointed in our Guide to the GDPR.