Chapter 17 Key Takeaways: Data Privacy, GDPR, and Cross-Border Data Compliance
Core Concepts at a Glance
1. The GDPR Framework
The General Data Protection Regulation (EU) 2016/679 established a comprehensive framework for personal data protection applicable from 25 May 2018. Its central requirements:
- Personal data is any information relating to an identified or identifiable natural person.
- Processing covers every operation performed on personal data, from collection through deletion.
- Controllers determine purposes and means of processing and bear primary legal responsibility.
- Processors act on controller instructions and face direct obligations under Articles 28 and 32.
- The accountability principle (Article 5(2)) requires controllers to demonstrate, not merely achieve, compliance.
2. The Six Lawful Bases for Processing (Article 6)
Every processing activity must rest on exactly one lawful basis. Choosing the wrong basis is a compliance failure even if another basis was theoretically available.
| Lawful Basis | Article | When It Applies in Financial Services | Key Limitation |
|---|---|---|---|
| Consent | 6(1)(a) | Marketing with genuine choice; optional analytics | Freely given, specific, informed, unambiguous; withdrawable at any time |
| Contract | 6(1)(b) | Account management; payment execution; pre-contractual steps | Limited to what is genuinely necessary for contract performance |
| Legal Obligation | 6(1)(c) | AML transaction monitoring; regulatory reporting; tax information exchange | Obligation must arise from EU/UK law; must be sufficiently precise |
| Vital Interests | 6(1)(d) | Rare; life-threatening emergencies | Only where data subject cannot consent and no other basis applies |
| Public Task | 6(1)(e) | Relevant for public authorities and regulators | Not available to commercial banks for ordinary activities |
| Legitimate Interests | 6(1)(f) | Fraud prevention; CIFAS intelligence sharing; security monitoring | Three-part test required; cannot override data subject's fundamental rights; not available to public authorities |
The Legitimate Interests Three-Part Test:
1. A legitimate interest must exist.
2. Processing must be necessary for that interest (it cannot be achieved less intrusively).
3. The interest must not be overridden by the data subject's rights and freedoms (balancing test).
3. Data Subject Rights and Response Deadlines
Controllers must respond to data subject rights requests without undue delay and within mandatory timelines. Failure to respond within deadlines is itself an infringement.
| Right | Article | What It Covers | Deadline | Financial Services Note |
|---|---|---|---|---|
| Access | 15 | Confirmation of processing + copy of data + supplementary information | 30 days (extendable to 90 days for complex/numerous requests) | Exemptions apply for AML SAR data under DPA 2018 Sch. 2 para. 14 |
| Rectification | 16 | Correction of inaccurate data; completion of incomplete data | Without undue delay | Apply to inaccurate credit scoring inputs |
| Erasure | 17 | Deletion of personal data in specified circumstances | Without undue delay | Does NOT apply where legal obligation requires retention (e.g., AML 5-year retention) |
| Restriction | 18 | Halt active processing while dispute is resolved | Without undue delay | Data retained but not processed actively during restriction |
| Portability | 20 | Machine-readable copy of data + ability to transmit to another controller | 30 days | Only applies to consent/contract basis, automated processing; underpins Open Banking |
| Objection | 21 | Object to processing based on legitimate interests or public task | Must cease unless compelling legitimate grounds override | Absolute right for direct marketing (no balancing) |
Extension Process: If a controller extends the deadline from 30 to 90 days, it must notify the data subject within the original 30-day period, explaining why the extension is necessary.
Exemptions: The DPA 2018 Schedule 2 provides UK-specific exemptions from certain data subject rights, including for crime and taxation purposes (para. 14), which applies to AML SAR data subject to the tipping-off prohibition.
4. GDPR vs. UK GDPR — Key Comparison
| Dimension | EU GDPR | UK GDPR + DPA 2018 |
|---|---|---|
| Legal basis | Regulation (EU) 2016/679 | Retained EU law via EU (Withdrawal) Act 2018 + DPA 2018 |
| Supervisory authority | EDPB + national DPAs (ICO for UK under EU GDPR where applicable) | ICO (Information Commissioner's Office) |
| Maximum fine | €20 million or 4% global annual turnover | £17.5 million or 4% global annual turnover |
| Adequacy decisions | European Commission | UK Secretary of State / Department for Science, Innovation and Technology |
| Transfer mechanisms | SCCs (June 2021 version); BCRs; adequacy decisions | IDTA; Addendum to EU SCCs; BCRs; UK adequacy decisions |
| Data transfers to UK from EU | Covered by EU adequacy decision for UK (June 2021, renewed 2025) | UK GDPR applies to UK controllers; EU GDPR applies extraterritorially to UK processors of EU data |
| Guidance body | EDPB (European Data Protection Board) | ICO |
| Core substantive rights | Art. 12–22 | Essentially identical |
Critical point: Where a UK financial institution processes EU residents' personal data (e.g., EU customers or employees), it must comply with EU GDPR as a matter of Article 3(2) extra-territorial scope, regardless of UK GDPR compliance.
5. Cross-Border Transfer Mechanisms — Decision Tree
Step 1: Is there an EU/UK adequacy decision for the destination country?
- Yes: Transfer can proceed. No additional safeguard is needed at transfer level.
- No: Proceed to Step 2.
Step 2: Can appropriate safeguards be put in place?
| Mechanism | Who Uses It | Key Requirements | Limitations |
|---|---|---|---|
| Standard Contractual Clauses (SCCs) | Controllers and processors | Must use Commission-approved model clauses; cannot amend substantive terms; must conduct TIA post-Schrems II | Not sufficient alone if TIA reveals inadequate legal protection in destination country |
| International Data Transfer Agreement (IDTA) | UK transfers only | UK equivalent of SCCs; or EU SCCs with UK addendum | UK-specific; does not satisfy EU GDPR for EU-to-third-country transfers |
| Binding Corporate Rules (BCRs) | Multinational corporate groups | Supervisory authority approval (12-24 month process); comprehensive policy covering all group entities | Long lead time; only covers intragroup transfers |
| Adequacy decisions | All transfers to adequate countries | No additional steps required | Dependent on Commission/Secretary of State determination; subject to invalidation |
Step 3: If no adequate safeguards are available, can a derogation (Article 49) apply?
- Only for exceptional, non-systematic transfers.
- Grounds: explicit consent; contract performance necessity; important public interest; legal claims; vital interests; public register access.
6. Data Breach Notification Timeline Requirements
A personal data breach requires immediate parallel action across multiple notification channels.
```
HOUR 0: Discovery of breach
├── IMMEDIATELY: Internal escalation to DPO/CCO/CISO
├── WITHIN 24 HOURS: FCA initial notification (operational resilience)
├── WITHIN 72 HOURS: ICO/supervisory authority notification (GDPR Art. 33)
│   ├── Must include: nature of breach, categories/numbers affected,
│   │   DPO contact, likely consequences, measures taken/proposed
│   └── If notifying after 72 hours, must explain delay
├── WITHOUT UNDUE DELAY (where HIGH RISK): Data subject notification (Art. 34)
│   ├── Required when breach "likely to result in high risk" to individuals
│   └── Exemption: if controller implemented encryption/pseudonymisation
│       such that data is unintelligible to unauthorised persons
└── ONGOING: Internal breach register (Art. 33(5)) — ALL breaches,
    regardless of whether notification to authority is required
```
The Key Risk Assessment:
| Breach Level | Example | Supervisor Notification? | Subject Notification? |
|---|---|---|---|
| No risk | Encrypted laptop lost; decryption key secure | No | No |
| Risk | Misdirected email containing customer names | Yes (ICO) | Case-by-case |
| High risk | Ransomware encrypting unencrypted customer records; credentials compromised | Yes (ICO) | Yes (individuals) |
US State Law Note: All 50 US states have breach notification laws with differing timelines (7 days in Ohio for certain breaches; 30 days in California; 45 days in Florida; up to 90 days in others). Financial institutions subject to GLBA face additional FTC Safeguards Rule notification requirements (notify FTC within 30 days of discovering a breach affecting 500+ customers).
7. RoPA, DPIA, and Privacy by Design — Practitioner Checklist
Records of Processing Activities (RoPA) — Article 30
The RoPA is the foundational GDPR compliance document. Every controller must maintain it.
RoPA must capture for each processing activity:
- [ ] Activity name and description
- [ ] Purpose(s) of processing
- [ ] Categories of data subjects
- [ ] Categories of personal data processed
- [ ] Lawful basis (and Article 9(2) condition if special category data)
- [ ] Categories of recipients (including processors and sub-processors)
- [ ] Transfers to third countries and transfer mechanism used
- [ ] Envisaged retention periods
- [ ] General description of technical and organisational security measures
RoPA maintenance:
- [ ] Annual review of all entries; more frequent review after system changes
- [ ] Owner assigned for each processing activity
- [ ] New processing activities added before commencement
- [ ] Available for supervisory authority inspection on request
DPIA Trigger Checklist — Article 35
A DPIA must be conducted before commencing processing if any of the following apply:
- [ ] Systematic and extensive evaluation of personal aspects using automated processing (including profiling) with decisions producing significant effects on data subjects
- [ ] Large-scale processing of special category data (Art. 9) or criminal conviction data (Art. 10)
- [ ] Systematic monitoring of a publicly accessible area on a large scale
- [ ] ICO mandatory DPIA list items:
  - [ ] Biometric data used to uniquely identify individuals
  - [ ] Genetic data processed for healthcare-related purposes
  - [ ] Processing children's personal data for profiling or targeting
  - [ ] Automated decision-making with significant legal/similar effects
  - [ ] Processing of data that could result in physical harm
  - [ ] New technologies assessed as high-risk
If a DPIA reveals high residual risk that cannot be mitigated: Prior consultation with the ICO required (Article 36) before processing commences.
Breach Notification Checklist
- [ ] Have you identified the nature and scope of the breach?
- [ ] Has the DPO been notified?
- [ ] Has the ICO been notified within 72 hours? (Or delay explained?)
- [ ] Has the FCA been notified within 24 hours (if material operational incident)?
- [ ] Have affected data subjects been notified (if high risk)?
- [ ] Has the breach been logged in the internal breach register?
- [ ] Have remedial measures been implemented?
- [ ] Has root cause analysis been initiated?
8. The AML-Privacy Tension — Resolution Framework
When a customer subject to an AML Suspicious Activity Report exercises GDPR data subject rights, the resolution framework is:
| Customer Right | AML Counter-Consideration | Resolution |
|---|---|---|
| Right of access (Art. 15) | Tipping-off prohibition (POCA 2002 s.333A) | Provide access to all personal data EXCEPT AML SAR data; cite DPA 2018 Sch. 2 para. 14 |
| Right to erasure (Art. 17) | AML 5-year retention obligation (MLR 2017 reg. 40) | Refuse erasure for AML data; cite Art. 17(3)(b) (legal obligation); honour erasure for non-AML data where possible |
| Right to rectification (Art. 16) | Accuracy of AML records required for law enforcement | Assess on case-by-case basis; correct genuinely inaccurate factual data |
| Right to restriction (Art. 18) | Investigation may require active processing | Restriction may not be possible during active investigation; document reasoning |
Key legal provisions:
- DPA 2018 Schedule 2, paragraph 14: crime and taxation exemption from data subject rights
- POCA 2002 section 333A: tipping-off prohibition
- MLR 2017 regulation 40: five-year AML retention obligation
- GDPR Article 17(3)(b): legal obligation exception to erasure
9. Privacy-Enhancing Technologies — Quick Reference
| Technology | What It Does | Financial Services Use Case | Limitation |
|---|---|---|---|
| Pseudonymisation | Replaces direct identifiers with pseudonyms; reversal possible with key | Analytics and model development; satisfies Art. 4(5) | Still personal data under GDPR |
| Anonymisation | Irreversibly removes identifiability | Publication of statistics; open data release | High bar; must be truly irreversible; GDPR no longer applies |
| Differential Privacy | Adds calibrated noise to statistical outputs to bound privacy loss | Publishing transaction statistics; regulatory aggregate reporting | Accuracy-privacy trade-off; not suitable for precise regulatory numbers |
| Federated Learning | Trains ML models across distributed data sources without centralising data | Cross-institution fraud detection; AML model training | Complex to implement; requires secure aggregation |
| Synthetic Data | AI-generated data with statistical properties of real data but no real individuals | Model training; testing; sharing with third parties | Risk of re-identification if not rigorously tested; may not satisfy some regulatory requirements |
| Homomorphic Encryption | Enables computation on encrypted data without decryption | Secure third-party analytics; credit scoring with raw data protection | Computationally intensive; limited practical deployment in production |
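The first three rows of the table are small enough to show in working code. The following Python is an added example written for this summary, not code from the chapter or from any vendor; the customer records, the HMAC key, the branch counts and the epsilon value are all constructed for illustration. It shows why a pseudonymised dataset remains personal data (the key holder can re-identify and the records stay linkable), how the Laplace mechanism bounds the influence of any single customer on a published count, and how a small-cell suppression step is needed before an aggregate can be treated as anonymised.

```python
"""Added example: pseudonymisation, differential privacy and small-cell
suppression applied to a constructed set of transaction records."""
import hashlib
import hmac
import math
import random

# Constructed sample records: (customer_id, branch, amount_gbp). Not real data.
RECORDS = [
    ("CUST-0001", "Leeds", 120.00),
    ("CUST-0002", "Leeds", 90.50),
    ("CUST-0001", "Leeds", 15.25),
    ("CUST-0003", "York", 2400.00),
    ("CUST-0004", "York", 60.00),
    ("CUST-0005", "Hull", 33.00),
]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, reidentification_table).

    The pseudonym is HMAC-SHA256(key, customer_id), truncated to 16 hex chars.
    It is deterministic for a given key, so an analyst can still count
    transactions per customer. The returned table is what makes reversal
    possible (Art. 4(5)) and must be stored apart from the analytics dataset;
    because it exists, the output is still personal data.
    """
    table = {}
    out = []
    for cid, branch, amount in records:
        pseudonym = hmac.new(key, cid.encode(), hashlib.sha256).hexdigest()[:16]
        table[pseudonym] = cid
        out.append((pseudonym, branch, amount))
    return out, table


def customers_per_branch(records) -> dict:
    """Distinct customers per branch: the statistic we want to publish."""
    seen = {}
    for cid, branch, _ in records:
        seen.setdefault(branch, set()).add(cid)
    return {branch: len(ids) for branch, ids in seen.items()}


def laplace_scale(epsilon: float, sensitivity: float = 1.0) -> float:
    """Noise scale b = sensitivity / epsilon for the Laplace mechanism."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_count(true_count: int, epsilon: float, rng: random.Random) -> float:
    """Release a count with epsilon-differential privacy.

    A counting query has sensitivity 1: adding or removing one customer's
    records changes it by at most 1. Laplace(0, b) is sampled by inverse CDF
    so the draw is reproducible from a seeded rng.
    """
    b = laplace_scale(epsilon, sensitivity=1.0)
    u = rng.random() - 0.5  # uniform on [-0.5, 0.5)
    noise = -b * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))
    return true_count + noise


def publish_counts(records, epsilon: float, seed: int) -> dict:
    """Differentially private customers-per-branch release (seeded)."""
    rng = random.Random(seed)
    return {b: laplace_count(n, epsilon, rng)
            for b, n in customers_per_branch(records).items()}


def average_noisy_count(true_count: int, epsilon: float, seed: int, draws: int) -> float:
    """Mean of repeated noisy releases; shows the noise is zero-mean, so
    accuracy is traded for privacy rather than biased."""
    rng = random.Random(seed)
    return sum(laplace_count(true_count, epsilon, rng) for _ in range(draws)) / draws


def anonymised_release(counts: dict, min_cell: int = 2) -> dict:
    """Suppress small cells before an exact release: a branch with a single
    customer would let the published count single that person out.
    Suppressed cells are reported as None."""
    return {b: (n if n >= min_cell else None) for b, n in counts.items()}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a managed secret, not a literal
    pseud, table = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseud[:2])
    print("re-identify first pseudonym:", table[pseud[0][0]])
    print("exact counts:", customers_per_branch(RECORDS))
    print("DP release (epsilon=0.5):", publish_counts(RECORDS, 0.5, seed=7))
    print("suppressed release:", anonymised_release(customers_per_branch(RECORDS)))
```

The epsilon value is the policy decision: with epsilon 0.5 the noise scale is 2, which is acceptable for a published statistic but, as the table's limitation column says, not for a figure that must be exact in a regulatory return.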
10. Key Regulatory References
| Instrument | Jurisdiction | Status | Key Provisions |
|---|---|---|---|
| GDPR (EU) 2016/679 | EU | Applicable from 25 May 2018 | Core framework |
| Data Protection Act 2018 | UK | In force | Supplements UK GDPR; Schedule 2 exemptions |
| UK GDPR (retained EU law) | UK | In force | Mirrors EU GDPR with UK-specific modifications |
| EU-UK Adequacy Decision | EU | June 2021, renewed 2025 | Enables EU-UK data flows |
| EU-US Data Privacy Framework | EU-US | July 2023 | Replaces Privacy Shield; subject to legal challenge |
| Schrems II (C-311/18) | CJEU | July 2020 | Invalidated Privacy Shield; TIA requirements for SCCs |
| SCCs (June 2021) | EU | June 2021 | Updated modular SCCs replacing 2001/2004 versions |
| IDTA / SCCs Addendum | UK | March 2022 (ICO) | UK equivalent of EU SCCs |
| CCPA/CPRA | California, US | CCPA: Jan 2020; CPRA: Jan 2023 | Consumer rights; CPPA enforcement |
Practitioner Summary: What Every Financial Services Compliance Officer Must Know
- Every processing activity needs a lawful basis — documented in the RoPA before processing commences.
- Legal obligation is the workhorse basis for AML — but it only covers what the law actually requires, not what is convenient to retain.
- Legitimate interests requires a genuine balancing test — not a rubber stamp. The ICO scrutinises over-reliance on this basis.
- Data subject rights have mandatory deadlines — 30 days for access/portability/erasure/restriction; extendable to 90 days with notification. Missing deadlines is independently enforceable.
- The AML-GDPR tension is resolved by specific legal exemptions — DPA 2018 Schedule 2 para. 14, not by general principle. Know the provision precisely.
- Schrems II changed cross-border transfers permanently — Privacy Shield is gone; SCCs require Transfer Impact Assessments; the EU-US DPF is the current adequacy mechanism but faces legal risk.
- 72-hour breach notification to the ICO runs concurrently with FCA 24-hour notification — response procedures must be coordinated across both obligations simultaneously.
- Privacy by Design is a legal requirement — Article 25 means data protection must be built into systems from the start, not bolted on afterward.
- The RoPA is the foundation of all GDPR compliance — without an accurate data map, all other compliance measures rest on incomplete foundations.
- PETs are shifting from theory to practice — differential privacy, federated learning, and synthetic data are available tools for enabling data use while managing privacy risk.