Many fintech and payment companies are not subject to the regulatory standards applied to banks, insurers and investment management firms.

But on May 25, 2018, the fintech industry will see the implementation of a fundamentally new law with global reach that leaves little to no room for discretion or flexibility in implementation: the General Data Protection Regulation (GDPR).

Though the new regulation is designed to protect the personal data of individuals in the European Union, it also has implications for companies in other countries, especially in today's global industry. All U.S. businesses that process the personal data of customers in the EU will be affected. A single, consistent regime across the EU will reduce risk and cost for U.S. businesses; however, companies that fail to comply can be fined up to four percent of their annual worldwide turnover (or 20 million euros, whichever is higher).

While the pending data regulations come from European regulators, most fintech and payments startups are expected to have to comply.

Today's organizations need to prepare for mandatory breach disclosure, the appointment of data protection officers and transformed design standards. In implementing these, companies must be prepared to honor the rights of the data subject, from explaining why a customer's data is being used to erasing that data on request. Essentially, companies will either need to hire privacy experts or become privacy experts themselves in order to meet changed customer expectations and continue global business transactions that comply with regulatory standards.

With data breaches making headlines, public attention has turned to disclosure regulations. To date, there is no national consistency in the U.S. regarding how companies are required to disclose data breaches. These laws vary between states, both in the time a company is given to report a breach and in how much information it must report. Forty-eight states currently require disclosure to some degree, but only eight states specify timing, which varies from 15 to 90 days.

By contrast, the GDPR requires companies to notify the supervisory authority of a breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it (unless the breach is unlikely to result in a risk to individuals); affected individuals must also be notified without undue delay when the breach is likely to result in a high risk to them. Meeting a 72-hour clock is only possible if a breach is detected and escalated quickly, so U.S. companies with an extended customer base in the EU will need to ensure they are continuously monitoring their data and have an incident response process that can produce the required notification in time. This will change the dynamic for U.S. companies, but it remains to be seen whether it will spur national consistency in disclosure regulation.

While many companies already have a compliance officer in place, the GDPR requires a data protection officer (DPO) for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO must have the same knowledge as a compliance officer, supplemented with the expert knowledge of data protection law and practice needed to monitor the organization's processing against the regulation. Typically, the compliance officer is an employee who represents the company. The GDPR allows the DPO role to be filled either by a staff member or by a third-party service provider under a service contract, but in either case the DPO must act independently, must not be instructed in how to carry out the role, and must be able to report to the highest level of management. Companies should be prepared to appoint this position and should begin accounting for the resources and training required to do so.

The GDPR introduces the requirements of Privacy by Design and Privacy by Default, thereby altering the standards for data processing. No longer will security measures be viewed as a supporting feature with varying degrees of protection.

Rather, the GDPR requires that protection be designed into the development of business processes. As high security standards become a conventional norm, it is key for companies to know that processes must be designed so that they handle personal data only on an as-needed basis (data minimization), and that by default only the personal data necessary for each specific purpose is processed. This will result in some companies undergoing a complete transformation. New processes must be able to track processing activity, prove that the customer consented (and allow consent to be withdrawn), and handle decisions beyond a purely algorithmic basis, because the GDPR gives individuals the right not to be subject to decisions based solely on automated processing that significantly affect them, and to contest such decisions and obtain human review.

Businesses will have to adjust not only to the new consent requirements but also to changed customer and client expectations. The GDPR will increase demand from end clients for automated tools to control how their personally identifiable information (PII) is used by counterparties or vendors for future marketing purposes. This would affect, and could potentially limit, vendors' ability to market to end clients who have taken charge of their PII, and it would have a significant impact on digital marketing as we know it.

The GDPR will result in increased demand for expertise in personal data and data protection. As the GDPR is implemented within the EU, the U.S. companies that not only prepare for compliance but also successfully offer services that help other companies prepare for the regulation can pioneer global business through this transformation.