Answer ... The UK data protection regime is contained in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It applies to the processing of personal data by entities established in the European Union, and to processing by entities outside the European Union that offer goods or services to data subjects in the European Union or monitor their behaviour. Entities dealing with personal data are either controllers, which decide how and why personal data are processed and are subject to the full range of GDPR obligations, or processors, which carry out processing operations delegated to them under a controller-processor contract that ensures the requirements of the GDPR are met and the rights of data subjects are guaranteed. Two or more entities may be joint controllers of the same data processing operation(s).
Given the large amounts of personal data involved in the provision of fintech products and services, fintech companies are likely to be subject to the GDPR in some capacity. It is therefore essential to determine the capacity in which a fintech company subject to the GDPR processes personal data.
Controllers must comply with the principles set out in the GDPR, including lawful, fair and transparent processing for specific, explicit and legitimate purposes, with purpose and storage limitations and appropriate security. The GDPR also confers rights on individual data subjects, including the right to be informed about personal data processing, to object to or restrict processing, to rectify data and to have it erased, and to data portability. While personal data may be transferred freely between EU countries, transfers of personal data outside the European Union are prohibited unless appropriate measures are taken to protect the data.
Answer ... In addition to the data security requirements set out in the GDPR, the Network and Information Systems (NIS) Directive, implemented in the United Kingdom via the NIS Regulations, sets out security and incident reporting requirements. These apply, among other things, to relevant digital service providers (RDSPs), which will likely include fintech companies that provide a digital service (an online marketplace, an online search engine or a cloud computing service) and have their head office in the United Kingdom or have nominated a representative established in the United Kingdom. Small and micro enterprises are exempt. RDSPs must:
- register with their competent authority (the Information Commissioner’s Office (ICO));
- take appropriate and proportionate security measures to protect their network and information systems; and
- put suitable procedures, policies and plans in place to detect and report incidents that have a significant impact on the provision of their services, and to maintain business continuity when such incidents occur.
When such incidents occur, the ICO must be notified within 72 hours of the RDSP becoming aware of them. The notification must include:
- the company's name and the digital services it provides;
- the time and duration of the incident;
- information concerning the nature and impact of the incident, including any actual or likely cross-border impacts; and
- any other useful information.
The NIS Regulations provide for significant fines in the event of contravention. The legislation sets various ceilings on monetary penalties according to the seriousness of the contravention and the impact of the incident it caused or could have caused, with fines of up to £17 million for the most serious cases.