< Back

Share |

Sector focus: Banking

March 2013

It is not surprising, given how data rich the Banking and Financial sector can be, that there is much discussion on the impact the proposed EU data protection regulation will have on this sector. Accordingly, the Ministry of Justice invited both Association for Financial Markets in Europe (AFME) and the British Bankers’ Association (BBA) to respond to draft EC data protection Regulation (Regulation). This feature highlights some key areas of concern and the challenges that lie ahead for the Banking and Financial sectors.

AFME is made up of members from a wide range of European and global participants in the banking sector and wider financial markets. The BBA represents members of the banking and financial sector in the UK, with over 200 members. Both AFME and the BBA support the purposes behind the Regulation although suggest that these purposes have not generally been met. They believe that aspects of the Regulation do not provide a ‘proportionate, practicable and effective system’ for either the individual who, they argue, receives little benefit from the proposal, or for businesses who could see a reduction in growth due to what are seen as the "onerous requirements".


flagThe Regulation will not only apply to those businesses established in the EU but also to those businesses that are not, if they are processing data of individuals who live in an EU member state. AFME argue that this will make the EU less appealing for investment for businesses based outside the EU as there will be greater requirements imposed on entities.

Moreover, AFME highlight the issue that even where non-European based entities have a very small number of European based customers they will have to comply with the Regulation, incurring greater costs and a higher administrative burden.  

At present, data subjects who do not reside in an EU member state benefit from the EU data protection regulation if their data is processed by a European data processor that is instructed by a data controller based outside the EU. AFME suggest that Regulation should deal with this issue.

Existing regulation

The Regulation, argue AFME, is "targeted at unregulated industry sectors". AFME and the BBA stress that there is already substantial regulation in the banking and financial industry regulating both global and local practices. Protection of information is essential to secure trust in the banking industry; entities must comply with regulations to maintain business and both organisations emphasise that these laws and regulations have serious sanctions if they are not complied with.

Breach notification

safeThe Regulation contains an obligation to notify the relevant authority of all breaches not more than 24 hours after having become aware of a breach. AFME and the BBA highlight a number of issues with this proposal.

Firstly, the BBA emphasises that this is in conflict with the UK Data Protection Act 1998, which states that the time to report breach notification should be "without undue delay".

Additionally, both organisations stress that investigating breaches is an exercise that requires not only a lot of work but also takes time. 

Finally, the Regulation does not distinguish between different levels of reportable breach. Both the BBA and AMFE welcome the Information Commissioner's Office (ICO) response to the Regulation, which asserts that breach notification should be "restricted to serious breaches only".  AFME suggest that in some cases it may be possible to realise early on that the breach may lead to serious harm, in which case notification is appropriate, but otherwise there is no benefit of notifying individuals before greater details of the breach are known.


The Regulation imposes a maximum fine of 2% of the annual worldwide turnover of entities for a breach. AFME and the BBA assert that this is disproportionate to the harm that an individual may face.

The BBA and AFME argue that there should be a statutory maximum amount for fines.

stop signThe BBA also suggest that there should be alternative sanctions such as enforcement orders which would help to ensure the protection of personal data. The two organisations highlight that in the financial services and banking industry especially, although relevant to other sectors, personal data processing is a small fraction of the overall global business for many entities. Fines, the BBA suggests should, therefore, be limited to that particular legal entity which committed the breach. AFME argue that it is not fair to enforce sanctions against areas of business that are not related to personal data processing.

AFME and the BBA are clear that they support the premise of the proposed EU regulation and that the views summarised above are unintended consequences. Both organisations fully support protecting an individual’s data but feel this should be done without a negative impact on business; both support a joined up system but one that "takes account of the differing regulatory regimes across Member states". AFME and the BBA are concerned that the Regulation has fallen short of balancing these issues.

Read the full BBA response.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.