When Regulations Collide: GDPR and AML Compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is designed to protect the personal data of individuals in the EU. Every organisation that processes the personal data of people in the EU, regardless of where that organisation is located, must comply with it. The fines for non-compliance are large: up to €20 million (~$22 million) or up to 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.

How does it affect AML compliance?

One of the keystones of GDPR is the right to erasure (Article 17), which lets an individual in the EU ask you to delete her personal data. For example, a French customer who does business with your company can instruct you to erase all digital traces of her. If she has been your customer for five years, you must be able to find and delete her data wherever it lives, including five years’ worth of backups, databases and marketing lists.

But here’s the catch: AML regulations require that when you investigate suspicious activity, you retain that person’s identity data and transaction records for five years, or face large fines of your own. So if you investigate that same French customer’s transactions for suspicious activity, and she then requests that you erase her data, what are you supposed to do?

Articles 6 and 17 to the rescue

GDPR includes language that protects data controllers like your company as well as data processors like Jumio.

First, Article 6 gives a data controller a lawful basis for collecting the data in the first place: processing that is necessary to comply with a legal obligation (Article 6(1)(c)), and AML regulations are exactly such an obligation. Second, it recognises processing that is necessary for the “legitimate interests” of the controller or a third party (Article 6(1)(f)), namely verifying customer identities and detecting suspicious activity so that you can meet those AML requirements. A processor such as Jumio then handles the data on the controller’s documented instructions under that basis.

What about the right to erasure? Article 17(3)(b) says the right does not apply where processing is necessary to comply with a legal obligation the controller is subject to. So if a regulation requires you to keep the data, as AML regulations do, an erasure request does not have to be honoured for that data until the legal retention period ends. Once it ends, the exemption ends with it, so the retention period should be tracked per record rather than treated as indefinite.

Data security is paramount

The Article 17 exemption narrows one obligation; it does not lift the others. You still owe data subjects data minimisation, storage limitation and, above all, security of processing (Article 32), so never let your guard down when it comes to data security. Jumio is fully aligned with that purpose of GDPR and adheres to the highest standards of data security.

Our security page provides more details on our approach, including the security technologies we use to ensure that everything from our APIs to your customers’ account numbers is secure.

In summary, Jumio meets the requirements of GDPR and treats data security as its top priority, so our customers and their customers — in the U.S. and beyond — can rest assured that their data is secure.
