BIPAR (European Federation of Insurance Intermediaries)
We are surprised that there are no specific references to the General Data Protection Regulation in the Chapters dedicated to the potential benefits and the risks (see our answer to question 8 in this respect). Additional references to it may be necessary in order to more accurately reflect the current and upcoming situation, as it will apply at national level in May 2018.
It is necessary to evaluate the effect at national level of the implementation of the Mortgage Credit Directive and, more particularly, possible barriers to further use of data.
Another aspect in relation to this issue is the question of cross-selling and in this respect supervisory authorities should always remember that a level playing field between various distribution channels is essential. It includes the issue of the processing of the data and the fact that financial intermediaries must have the same level of access to data as other distribution channels.
Innovative uses of personal data are important to manage the expectations of a generation that is now technically savvy and uses social media as a way of communicating in every aspect of their lives.
This will, among other things, depend in the future upon the effects of the General Data Protection Regulation.
The list of risks described in this Chapter reflects issues faced by financial institutions regarding risks linked to consumer data. Indeed, and as indicated in this Chapter (R10), integrity of the financial sector is undermined if trust in financial institutions decreases because of lack of data security. However, and regarding more particularly risk 9 (“Financial institutions are exposed to legal risks if their IT systems are compromised”), we believe that this part of the Chapter could more accurately reflect existing and upcoming rules and in particular the Article on breach notification as well as the Chapter on sanctions in the General Data Protection Regulation.
One element we are wondering about is how the responsibility will in practice be shared between authorities such as the EBA and the European Data Protection Supervisor (EDPS) and how double work could be avoided in practice.