By Keith Monson, CRCM, CSI Chief Risk Officer
Two years ago, the European Union (EU) took an unprecedented step toward resolving the conflict between big data and privacy. Passage of the General Data Protection Regulation (GDPR) ushered in a new era for individual privacy rights, but it also created a potential compliance burden for every organization that collects and handles personal data.
According to the official GDPR website, “The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” Strictly speaking, the regulation protects “data subjects in the Union,” regardless of citizenship, so a U.S. citizen living in Germany is covered while an EU citizen living in Chicago generally is not. The 1995 directive was the EU’s first answer to the fragmentation of privacy rules across member states, and both the directive and GDPR rest on the idea that privacy is a fundamental human right.
GDPR, with an effective date of May 25, 2018, has far-reaching implications. Companies in the EU have spent the past 24 months preparing for this date. However, GDPR doesn’t just affect businesses in the EU, and that has left many American financial institutions unaware of, or uncertain about, their obligations under it.
Is Your Institution on the Hook for GDPR?
The GDPR website states that the law “not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.” This is the territorial-scope rule of Article 3. Given this long reach, some U.S. financial institutions fall under the GDPR umbrella. But which ones?
The International Association of Privacy Professionals (IAPP) recommends the following three-question test to determine whether GDPR applies. A “yes” to any of the three indicates a GDPR obligation.
- Do you have a physical presence in the EU? Even if it’s just a small branch or office inside the EU, you are bound by GDPR.
- Do you offer your products or services to people in the EU? If you have a deliberate strategy to market to, or already have customers located in, the EU, GDPR applies. Whether or not you charge for the service is irrelevant.
- Do you use technology that tracks and profiles people in the EU? This test has the most potential to trip up American institutions. “Monitoring behavior” is not limited to paid advertising: website analytics, cookies, device fingerprinting and behavioral profiling of visitors who are in the EU all count. Consider whether your marketing and web analytics regularly target or track people located in the EU.
Security and Privacy Principles of GDPR
At its core, GDPR establishes a set of principles to protect personal data and the privacy of the individuals it describes. The language of GDPR applies to data controllers (controllers), which include financial institutions, as well as data processors (processors), which include all organizations that process data on a controller’s behalf, such as a bank’s core processor. The principles, which apply to controllers and processors, can be organized into the following three categories:
1. Data Processing: New York University School of Law’s primer on GDPR outlines the principles that specifically apply to how controllers and processors obtain and handle the data of EU subjects, including the following:
- Legal basis: Article 6 provides six lawful bases for processing. Apart from consent, processing must be necessary to fulfill a contract with the individual; to meet a legal obligation; to protect the individual’s “vital interests”; to perform a task in the public interest; or to pursue the legitimate interests of the controller, unless those are outweighed by the individual’s rights. A controller must identify which basis applies before processing begins, because the basis determines which individual rights attach (for example, portability applies only to consent- or contract-based processing).
- Express consent: Without one of those other legal bases, controllers must obtain the individual’s consent, which NYU explains “must be freely given, specific, informed and unambiguous.” Pre-ticked boxes and bundled consent do not qualify, and consent must be as easy to withdraw as it was to give.
- Delegation to processors and sub-processors: To outsource to a processor, a controller must obtain sufficient guarantees, in a written contract, that the processor will comply with GDPR, and the processor may engage sub-processors only with the controller’s prior authorization and on equivalent terms.
- Contract language and obligations: Contracts between controllers and processors must specifically detail the subject matter, duration, purpose, data type, data subject categories and each party’s obligations and rights.
2. Individual Rights: GDPR grants individuals substantial data privacy rights. Individuals may exercise the following rights against controllers, which processors must help fulfill, starting May 25, 2018:
- Data access: The right to obtain confirmation that their data is being processed and to request a copy of that personal data from the controller.
- Data correction and erasure: The right to have errors corrected, and the right to be forgotten, i.e. to have their data erased when it is no longer needed for its original purpose or consent is withdrawn, subject to legal retention obligations such as those that apply to financial records.
- Data portability: The right to receive their data in a structured, commonly used, machine-readable format and to transmit it to another controller.
3. Governance: Chief among the GDPR principles that relate to accountability are the following:
- Record keeping: Both controllers and processors must keep a written record of all processing activities, and controllers should periodically inventory and audit those records against what their systems actually do.
- Data protection officer: Controllers and processors whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data, are required to appoint a data protection officer and grant them the authority and independence needed to fulfill that role.
- Data protection impact assessment: Those involved in processing likely to result in a high risk to individuals, such as profiling, are required to conduct this assessment before the processing begins.
- Designated representatives: Controllers and processors not located in the EU but subject to GDPR must, unless their processing is only occasional and low-risk, name a representative in one of the member states where the affected data subjects are located.
Even if, after conducting the above analysis, your institution concludes that it isn’t covered under GDPR, you still need to understand the law’s broader implications. There is good reason to believe that the U.S. will follow the EU and enact something similar to GDPR in the coming years. Although it is difficult to predict exactly when or how such a law may come to pass, the 2017 Equifax breach and the more recent privacy concerns at Facebook are but two examples of incidents that will likely spur consumers to push for greater privacy protections, and legislators to answer that call.
GDPR liable or not, financial institutions should invest in ways to better protect customer data and privacy. Those that do will not only be better prepared for existing and future regulation; they will also protect their reputations as trusted resources.
For additional insight on GDPR, download CSI’s white paper, How to Prepare for the Extensive GDPR.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprisewide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.
Part of the BankNews OnPoint Series