The European Union wants to boost the level of data protection for Europeans, and to this end, it has approved the General Data Protection Regulation (GDPR). The GDPR establishes a series of new requirements, including the mandatory designation of a Data Protection delegate within institutions and companies handling sensitive data. The delegate will be responsible for ensuring that the personal information handled by these organizations is adequately protected. BBVA has already created that post, getting ahead of the standard’s effective date.

“This standard is a step forward in consumer data protection. At BBVA, we are already tackling the implementation process,” says Data Protection Delegate Florea Egea, who joined the company from IBM.

In April 2016, after more than four years of debate, the European Parliament finally approved the General Data Protection Regulation (GDPR), which will enter into force as of May 25, 2018. Starting on that date, organizations in non-compliance will, according to the EU’s website, “face heavy fines.”

This standard [GDPR] is a step forward in consumer data protection.  At BBVA, we are already tackling the implementation process”

The financial sector will be one of the industries most profoundly affected  by the GDPR regulation, especially now that its vast data repositories are seen as key assets for competitivity.  Striking the right balance between the value of customer data and protection of the same is essential for financial institutions.

That’s why it’s not surprising that regulators rule on a matter that affects, first and foremost, consumers, who need to be reassured about how the data they share with companies are handled, and protected against possible security breaches.

What type of data is the EU looking to protect?

The aim of GDPR is to safeguard the privacy of EU citizens’ data against possible infringements and to harmonize legislation between countries, in an environment that has changed a lot since 1995, when the first Data Protection Directive was enacted.

Under the new regulation, everything from names to photos, including email addresses, bank details, personal posts in social media, medical information or a laptop’s IP address, are deemed to be personal information.

What does this regulation change?

One of the main regulatory changes is the increase of the territorial scope (extraterritorial applicability), as it not only regulates organizations based in the EU, but also applies to all companies processing and storing personal data of EU residents, regardless of their location.

Also, the conditions for obtaining consent for handling customer data have been strengthened.  Now, consent must be not only informed, free, and unequivocal, but also provided by means of a clear, affirmative action. Silence, inaction or omission will no longer be deemed equivalent to consent.  Likewise, consent may no longer be deemed tacit, nor provided through pre-marked boxes.  Consent should be as easy to withdraw as to grant.  In addition, parental consent will be required to process the personal data of underage children. Member States will be granted a margin to set the age limit at between 13 and 16 years of age.

Another key point are the fines that companies will pay for failing to comply with the standard: up to 4% of the infringing party’s annual global revenues, or €20 million, whichever one is greater.  It should be noted that these rules apply to both companies collecting the data and those processing them. This means that companies providing cloud computing services will also be deemed accountable.

What rights will Europeans have from now on?

EU citizens will have the right to be notified when their data are compromised as a result of a security breach within 72 hours of the incident.

The rights known in Spain as ‘ARCO’ (access, rectification, cancellation and opposition) will be strengthened thanks to GDPR, while the right of information for the collection of personal data will be expanded considerably.  In addition, new rights will be created, such as the “right to be forgotten,” which will affect online search engines, or the right to data portability, which allows interested parties to obtain a copy of their personal data in electronic format, either for themselves, or to be transferred to another company.

On the other hand, the so-called ‘privacy by design‘ approach, which has been around for years, will now become a legal requirement.  This approach entails taking privacy into account in all stages of the design of new products or services.  In addition, the ‘privacy by default‘ principle, also included in the new directive, stipulates that data protection options must be set to their most restrictive level by default, allowing users to tune them down if they wish to.

The new directive also contains another important innovation: the principle of active responsibility, better known as “accountability,” according to which companies are responsible for implementing the internal evidence-gathering processes to prove their compliance with the standard.

Contact: Communications

You may be interested in these stories

Did you enjoy what you read? Read more on