Meniga & GDPR Bragi Fjalldal, CMO & VP Business Development Reykjavik, January 25th 2018

2 About Meniga: Who are we?
Meniga is helping leading banks around the world increase digital engagement and develop new revenue streams from data.
Key figures: 60+ financial institutions, 50m digital users, 20 countries.
Offices: London, Stockholm, Reykjavík, Warsaw.

3 About Meniga: What is it we do?
We help banks improve and personalize their digital banking user experience. All our products are based on consolidation and enrichment of transaction data.
Examples of Meniga's transaction-based services:
- Transaction categorization
- Transaction merchant mapping
- Expense reporting
- Peer comparison
- Targeted messaging and notifications based on spending profile

4 About Meniga: Our two operating models and GDPR
- B2B (white label): from a GDPR perspective, Meniga is neither a controller nor a processor of personal finance data.
- B2C (Meniga.is): from a GDPR perspective, Meniga is both a data controller and a data processor of personal finance data.

5 GDPR: What is new?
- Data protection officer
- Right to be forgotten
- Right to access and data portability
- Record keeping and documentation
- Stricter consent
- Penalties
- 72-hour data breach notification

6 Four principles of Meniga's approach
1. Compliance and business opportunity
2. Cross-functional GDPR taskforce
3. Hypothesis-driven GDPR action plan
4. Board and management level attention

7 Cross-functional team
GDPR executive sponsors: CTO, CMO.
GDPR taskforce:
- Senior Product Owner: representing the product organization. Responsible for assessing impact on our product and on our clients' use of the product.
- Head of IT OPS: representing IT OPS. Responsible for leading data mapping, documentation and the establishment of processes and governance.
- BDM Icelandic Business: representing Meniga's B2C business in Iceland. Ensuring we are fully compliant towards our end consumers.
- Head of Legal (in the process of being recruited): responsible for the legal interpretation of GDPR and our compliance. Counterpart to our clients in GDPR discussions.

8 Hypothesis-driven approach
Develop and execute on a prioritized GDPR checklist; partner with an advisor to review the plan and actions:
- Map processing of personal data
- Conduct a DPIA on existing processes
- Review records of processing
- Consider appointing a DPO
- Revisit security breach procedures
- Develop a solution for data access rights
- Conduct a core product GDPR review
- Refine T&Cs and consent strategy
- Finalize the GDPR action plan and execute
- Evaluate the GDPR expert vendor landscape (an international brand is preferred, so that the partner can engage with our clients around the world if needed)
Example sources to help you get started; example partners that can help.

9 Timeline and key milestones
- Today: GDPR taskforce established with representatives from Product Office, IT-OPS and Business Development. Select a legal/expert GDPR advisor.
- Iterate: GDPR action plan developed. A plan to ensure we are fully compliant by May 25th and equipped to advise our clients on GDPR. This includes: Meniga.is (B2C platform) fully compliant, with documentation and adequate governance in place; the core product fully supports GDPR compliance; a strategy in place to advise clients on how to navigate GDPR in the context of our products. Final version of the GDPR plan passes review; engage the data protection authority and commence action plan execution.
- May 2018: GDPR action plan executed. Meniga is ready for compliance.
Milestones are reported through board/executive management updates.

10 Meniga's biggest GDPR risk: Enhanced consent
Issue: do we need to ask for consent many times over?
Options to explore within GDPR:
- Do our clients already have processing consent?
- Is the data we process anonymous or pseudonymous?
- Can consent for most of Meniga's services be part of digital banking Terms & Conditions?
Single-user processing:
- Transaction categorization (budgeting, reporting, goal setting)
- Internal segmentation (personalized messaging)
Multi-user processing:
- Community comparison (compare your spending to people like you)
- External segmentation (targeted offers from 3rd parties)

11 Meniga's biggest GDPR risk: Excessive consent
Two clauses introduced or amended by GDPR that are of special interest to Meniga:
- "Silence, pre-ticked boxes, inactivity, failure to opt out, or passive acquiescence do not constitute valid consent."
versus
- "Where personal data are to be processed for a new purpose, the controller must consider whether the new purpose is compatible with the original purpose."

12-13 Meniga's biggest GDPR risk: Excessive consent
[Figure: percentage of population that are organ donors, opt-in countries versus opt-out countries. Source: Johnson and Goldstein.]

14 GDPR in the financial services sector: PSD2 vs GDPR
PSD2
- Objectives: foster innovation and competition; firmly establish the consumer as owner of their personal finance data.
- What: banks are obliged to provide 3rd parties access to personal finance data upon consumer consent.
GDPR
- Objectives: harmonize data protection laws across the EU and give individuals better control over how organizations use their personal data.
- What: service providers need clear and explicit consent for the services they provide and must handle private data with care.