GDPR in Financial Services
The General Data Protection Regulation (GDPR) is the EU’s foundational privacy law, applicable since May 2018, that grants data subjects extensive rights over their personal data and imposes strict obligations on organisations—including banks, investment managers, insurers, and fintech firms—to collect, process, and store that data lawfully and transparently. In financial services, GDPR has reshaped customer onboarding, marketing, risk assessment, and algorithmic decision-making, making data governance a core compliance function alongside traditional prudential regulation.
Personal data and the scope of regulation
GDPR defines personal data as any information relating to an identified or identifiable natural person. For a bank, this includes the obvious: names, account numbers, transaction history, and income. But it extends to IP addresses, device identifiers, location data, and behavioural information (browsing history, app usage patterns). The definition of “relating to” is expansive; if a data point could, in combination with other information, be used to identify a person, it is personal data.
Financial firms have historically collected and retained vast datasets about customers: creditworthiness, investment preferences, trading patterns, insurance claims, family circumstances, health indicators, and biometric information. GDPR constrains this via the principle of data minimisation—organisations must collect only the personal data that is adequate, relevant, and limited to what is necessary for a specified, explicit, and legitimate purpose. A bank cannot retain a customer’s religious affiliation “just in case” it becomes useful; it may only retain data actively needed for account management, compliance, or agreed-upon services.
A second foundational principle is purpose limitation: data collected for one purpose (e.g., credit assessment) cannot be repurposed for another (e.g., targeted marketing to a customer about investment products) without fresh consent or a legitimate legal basis. Financial firms must map their data flows and justify each processing activity with reference to one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The “legitimate interests” basis, which permits processing if the organisation’s interests outweigh the data subject’s rights, is available to finance firms for many anti-fraud and credit-risk assessment activities—but only if the firm has conducted a “balancing test” and documented it.
Consent and the shift away from opt-out
GDPR requires consent to be explicit, freely given, specific, informed, and unambiguous. Pre-ticked consent boxes, consent bundled with service terms, and opt-out mechanisms do not satisfy the standard. A bank cannot assume consent because a customer opened an account; it must affirmatively request consent for each material use of data. This has upended the financial-services marketing playbook. Firms that historically relied on “soft opt-out” consent—sending marketing materials unless a customer objected—must now obtain clear, separate consent before marketing.
For cross-selling within a banking group, the principle of purpose limitation becomes acute. A customer who consents to data sharing with the mortgage division has not automatically consented to receiving investment product marketing from the asset-management subsidiary. Each sharing, each processing, requires its own lawful basis. In practice, firms have deployed detailed consent matrices and preference centres, allowing customers to granularly select which uses of their data they permit. Customers often opt out of non-essential processing, which has reduced the addressable audience for cross-sell campaigns and diminished the value of customer data for marketing purposes.
Profiling, automated decision-making, and algorithmic bias
GDPR grants data subjects the right not to be subject to automated decision-making, including profiling, that produces legal or similarly significant effects. A bank’s use of algorithmic-trading models or credit-scoring algorithms is not directly regulated—but if those algorithms make consequential decisions about a customer (approving or denying a loan, setting an interest rate, flagging an account for review), the customer has the right to human review and explanation.
“Explainability” has become a major compliance burden. If a machine-learning model denies a mortgage application, the firm must be able to explain why in terms a customer can understand and contest. Many models—neural networks, ensemble methods—are inherently opaque (“black boxes”), making it difficult to articulate the causal link between input features and the output decision. Regulators have pushed firms to use more interpretable models or to maintain human override mechanisms. In practice, this has slowed the adoption of sophisticated machine learning in high-stakes lending and investment decisions and has forced a return to more transparent, albeit less predictive, statistical techniques.
Profiling for marketing purposes is similarly constrained. Creating segments of customers based on inferred characteristics (income, risk appetite, family status) and targeting them with customised offers is common in finance, but GDPR requires transparency and provides data subjects the right to object. Firms must disclose when profiling occurs and the basis for it. Customers increasingly exercise this right, further limiting the ROI of micro-targeted marketing campaigns.
Data retention and the right to erasure
GDPR requires that personal data be kept in a form that permits identification of the data subject for no longer than necessary to fulfil the purpose for which it was collected. For a bank, this is in tension with legal and regulatory obligations to retain customer records for extended periods (anti-money-laundering rules, tax requirements, litigation holds). GDPR does allow retention if there is a legal basis—and banking regulations do provide such a basis—but firms must rigorously justify retention periods and delete data as soon as legally permissible.
The right to erasure (“right to be forgotten”) adds complexity. A customer can demand deletion of their personal data if the firm no longer needs it for its original purpose and has no other lawful basis for retention. A bank cannot simply refuse on the grounds that it might be sued or investigated later; it must weigh the customer’s right against its own legitimate interests. Firms have established data-retention schedules and automated deletion processes, but they frequently encounter conflicts: a customer requests erasure of investment history, but the firm is required by tax authorities to retain it for six years. The firm must refuse the erasure request but must clearly explain the legal basis for retention.
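The retention-schedule conflict described above (an erasure request colliding with a statutory retention period) is the kind of decision an automated deletion process has to make record by record, and every refusal has to carry the legal basis and end date back to the customer. The following is an added illustration, not code from the original article or from any firm: it triages an erasure request against a constructed retention schedule. The six-year tax period mirrors the article's example; the five-year anti-money-laundering period, the category names and the sample dates are placeholders chosen for illustration, not a statement of any jurisdiction's actual rules. Data with no documented retention rule is escalated rather than silently erased or silently kept, since it cannot be justified under data minimisation either way.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """One line of a data-retention schedule."""
    purpose: str          # what the data category is held for
    lawful_basis: str     # GDPR lawful basis relied on for that purpose
    years: int            # retention period, counted from the record's trigger date
    mandatory: bool       # True when a legal obligation forbids earlier deletion


@dataclass(frozen=True)
class Record:
    """A category of personal data held about one customer."""
    category: str
    trigger_date: date    # when the retention clock starts (e.g. account closure)


@dataclass(frozen=True)
class Decision:
    category: str
    erase: bool
    reason: str
    retain_until: Optional[date] = None


# Constructed, illustrative schedule: periods and purposes are placeholders,
# not a statement of any jurisdiction's actual retention rules.
SCHEDULE = {
    "marketing_preferences": RetentionRule("direct marketing", "consent", 0, False),
    "transaction_history": RetentionRule("tax record-keeping", "legal obligation", 6, True),
    "kyc_documents": RetentionRule("anti-money-laundering checks", "legal obligation", 5, True),
}


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def triage_record(record: Record, today: date, schedule=SCHEDULE) -> Decision:
    """Decide erase / retain / escalate for one data category."""
    rule = schedule.get(record.category)
    if rule is None:
        # No documented purpose: cannot be justified under data minimisation,
        # but should not be deleted without review either. Escalate.
        return Decision(record.category, False,
                        "no retention rule documented; escalate to DPO review")
    if not rule.mandatory:
        # Consent- or purpose-based holding: once the request arrives there is
        # no remaining lawful basis, so erasure is honoured.
        return Decision(record.category, True,
                        f"no remaining lawful basis after request ({rule.purpose})")
    retain_until = add_years(record.trigger_date, rule.years)
    if today < retain_until:
        # Statutory period still running: refuse, and state basis and end date.
        return Decision(record.category, False,
                        f"retained under {rule.lawful_basis} for {rule.purpose}",
                        retain_until)
    return Decision(record.category, True,
                    f"statutory period for {rule.purpose} expired on {retain_until.isoformat()}")


def triage_erasure(records, today: date, schedule=SCHEDULE):
    return [triage_record(r, today, schedule) for r in records]


def erasure_response(decisions) -> list:
    """Customer-facing lines: every refusal names its legal basis and end date."""
    lines = []
    for d in decisions:
        if d.erase:
            lines.append(f"{d.category}: erased ({d.reason})")
        elif d.retain_until:
            lines.append(f"{d.category}: retained until {d.retain_until.isoformat()} ({d.reason})")
        else:
            lines.append(f"{d.category}: under review ({d.reason})")
    return lines


# Constructed sample request, evaluated as of a fixed date so results are stable.
SAMPLE_REQUEST = [
    Record("marketing_preferences", date(2020, 1, 1)),
    Record("transaction_history", date(2021, 3, 15)),   # tax clock runs to 2027-03-15
    Record("kyc_documents", date(2018, 1, 10)),         # AML clock expired 2023-01-10
    Record("unknown_export", date(2020, 1, 1)),         # no rule on the schedule
]


def demo_decisions(today: date = date(2024, 6, 1)):
    return triage_erasure(SAMPLE_REQUEST, today)


if __name__ == "__main__":
    for line in erasure_response(demo_decisions()):
        print(line)
```

Run as a script it prints one line per category: the marketing preferences and the expired KYC documents are erased, the transaction history is refused with the tax basis and the 2027 end date, and the unknown category is held for review. Re-running the same triage on a later date is how an automated deletion job would pick up the transaction history once the statutory period lapses.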
Data transfer and adequacy decisions
Financial services are global; data often flows across borders. GDPR restricts international data transfers. Personal data can be transferred out of the EU only to jurisdictions deemed to have an “adequate” level of protection—or with contractual safeguards (standard contractual clauses) that substitute for adequacy. The UK, post-Brexit, initially had adequacy status; EU-US transfers became fraught after a 2020 court ruling invalidated the Privacy Shield framework, forcing firms to use standard contractual clauses (which themselves face legal uncertainty).
For a multinational bank, this means customers’ data cannot freely flow to US headquarters, Asian back offices, or third-world call centres without contractual assurances that the recipient will meet GDPR standards. These assurances are often illusory—a US bank cannot guarantee its government will not demand access to data via subpoena—but the fiction is legally necessary. In practice, firms have established regional data hubs (a European entity for European customers, segregating their data) and have moved some processes out of jurisdictions with weak adequacy status.
Enforcement and the cost of non-compliance
GDPR empowers 27 national data-protection authorities (DPAs) to investigate and levy fines. The penalty structure is steep: up to 4% of global annual turnover or €20M (whichever is greater) for fundamental violations like processing without a lawful basis. A bank with $1B in revenue could face a €40M fine for systemic consent breaches. Early enforcement was uneven—some DPAs were aggressive, others lenient—but major cases have set precedent. Amazon was fined €746M for exploiting the “legitimate interests” loophole in personalised advertising; Meta faced repeated fines for cross-border data transfers.
In financial services, enforcement has focused on customer onboarding and marketing consent. Firms have been fined for using customer data to train credit-scoring algorithms without explicit consent, for failing to provide clear explanations of automated decisions, and for unlawful data retention. The reputational damage from a GDPR fine is often as material as the fine itself; it signals poor governance to regulators, customers, and investors.
Practical impact on banking and investment
Complying with GDPR has imposed costs and constraints. Investment firms have had to rebuild consent-management systems, audit data flows, and establish data-protection impact assessments for new products. Customer onboarding has become slower as firms request granular consent and verify data accuracy. Customer data quality has improved—firms now ask customers to correct records—but the addressable customer database has shrunk as customers exercise their right to erasure.
For fintech and digital banks, GDPR compliance is often framed as a competitive advantage; older institutions are hamstrung by legacy systems and have higher compliance costs per customer. But the regulation has also raised barriers to entry for new competitors, as building GDPR-compliant infrastructure requires significant investment in legal, technical, and audit resources.
See also
Closely related
- Foreign Corrupt Practices Act — US anti-corruption law; GDPR and FCPA intersect when firms share customer data with compliance partners
- UK Bribery Act — British anti-corruption statute; similarly extraterritorial, creates parallel compliance obligations
- Markets in Crypto-Assets Regulation — EU framework for crypto service providers; builds on GDPR principles
- Securities and Exchange Commission — US regulator; cooperates with EU DPAs on cross-border data flows
- Dodd-Frank Act — US financial regulation; tension with GDPR on data retention and cross-border sharing
Wider context
- Credit Rating — GDPR constrains use of customer data in credit models and rating algorithms
- Initial Public Offering — prospectus rules and GDPR data requirements must align
- Cybersecurity and data breaches — GDPR mandates breach notification and data-protection impact assessments
- Asset Allocation — algorithmic recommendations to customers must comply with GDPR transparency and consent rules
- Algorithmic Trading — proprietary trading models using customer data face GDPR scrutiny