How financial institutions are affected by the EU’s General Data Protection Regulation.
By Keith Monson
While community banks specialize in serving their local community, the reach of global regulations can still have a significant impact on a bank’s business plan.
The European Union’s General Data Protection Regulation took effect on May 25, and although it isn’t a U.S.-based regulation, it is important for banks to understand how the scope of GDPR will change day-to-day business operations. The law will be one of the more significant regulations to hit financial institutions in quite some time, bringing changes for them as well as all other businesses — and their customers.
One significant effect of GDPR is that the term “personal data” has expanded to include a broader range of information. Under the regulation, it is now seen as “any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify that person.” This includes items such as photos, email addresses and medical information, as well as login information, IP addresses and vehicle identification numbers. Whether direct or indirect, any information that could assist someone in the identification process is considered “personal data.”
Many businesses assume that since they are not located in the EU, this regulation does not directly affect them, but that might be a shortsighted view. In reality, the regulation very plainly states that all entities offering goods or services to, or monitoring the behavior of, individuals in the EU will fall under the reach of GDPR.
So, what are the key aspects of which banks and businesses should be aware?
Demonstrated Compliance and Accountability
As with any regulation, strict compliance guidelines are a large part of GDPR. However, unlike other key government regulations, financial institutions and businesses are now required to prove their compliance rather than simply claim to be following protocol. Specifically, they are expected to demonstrate this required level of compliance to their customers by way of documentation. If banks fail to do so, they risk the possibility of facing major monetary penalties, with fines as high as 4 percent of annual global turnover.
Accountability also remains a high concern in regard to GDPR. Financial institutions and businesses are required to keep records of all processing activities, and in some cases conduct inventory audits regarding that information. This process allows for more efficient retrieval of information when and if a customer has questions.
Additionally, a data protection officer must be appointed within a financial institution or business if it processes or monitors large amounts of data regularly. The appointed officer will have the necessary authority to fulfill the role and will head all data-processing tasks within the organization. If a business or financial institution processes high-risk information, it will be required to conduct an additional data protection impact assessment, which will ensure companies have a risk-based approach when it comes to the protection of data.
Data Privacy’s Role in Future Business Efforts
GDPR ensures that data privacy is now strongly considered during the product creation process for all financial institutions that might have a business interest in the EU. Moving forward, products should be designed with privacy as a main focus. In order to ensure that all financial institutions and businesses are following GDPR protocol, those outside of the EU must name a representative in the state where the data is being monitored or processed.
In regard to GDPR’s effect on customers, financial institutions are required to inform the customer about what personal data they are collecting, why they are collecting it, and for how long they plan to keep this information. Banks must also disclose with whom any personal data will be shared.
Customers should also be aware of the fact that they can request a copy of their personal data at any time, as well as request that any errors be corrected or that their data be forgotten. They also have the right to transfer data to another financial institution or business at any time. These changes make the data held by institutions more transparent to the customer.
Lastly, the process by which financial institutions and businesses go about collecting customer information is explicitly outlined within the regulation, which states that in order for data to be processed, legal justification must be obtained.
This justification can take one of five forms; the processing must:
- Be needed to fulfill a contract
- Meet compliance obligations
- Protect the customer’s “vital interests”
- Perform a task in the public’s interest
- Meet a legitimate need of the financial institution or business, unless the individual’s rights outweigh those of the institution
Furthermore, consent must be given to the bank before the data has been collected. And if the processing is to be done out of house, a written guarantee must be obtained stating that the outside company will follow GDPR standards and requirements. All contracts between the customer and institution should be up to GDPR code, and if there is any breach of the customer’s information, the proper authorities must be contacted without delay and within 72 hours of the breach’s discovery.
Whether or not your financial institution falls under GDPR, there has never been a better time to begin investing in more advanced methods for protecting your customers’ data and privacy. As breaches and other data security-related events become more frequent, financial institutions that are able to show their customers that they have robust data- and cyber-security in place will not only retain customers but also attract new ones.
Keith Monson serves as CSI’s chief risk officer. For more information, visit www.csiweb.com.