Find Out How and When It Could Affect Your Institution
Two years ago, the European Union (EU) took an unprecedented step toward resolving the conflict between big data and privacy. Passage of the General Data Protection Regulation (GDPR) in April 2016 ushered in a new era for individual privacy rights but created a potential compliance nightmare for firms that handle data.
GDPR, with an effective date of May 25, 2018, has far-reaching implications. Companies in the EU have spent the past 24 months preparing for this date. However, even though companies in the United States could also be covered under GDPR, many financial institutions and other entities are unaware of, or uncertain about, their obligations under it.
Do you know where your institution stands when it comes to GDPR? Let’s look at the regulation to help you understand its potential impact on your institution.
Taking Data Security and Privacy to an Unprecedented Level
GDPR supersedes prior EU privacy laws that date back to the 1990s. According to the official GDPR website, “The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.”
The law attempts to achieve that goal in six overarching ways:
- “Data subject” driven: The individual is the key driver, and his or her locality in the EU invokes GDPR.
- Increased territorial scope: By focusing on EU data subjects, GDPR expands the territorial scope of previous EU laws, as it applies to all entities offering goods or services to those individuals.
- Data controllers and processors: GDPR applies to data controllers (controllers), which include financial institutions, as well as data processors (processors), which include all organizations that process data for controllers, such as a bank’s core processor.
- Broadly defined personal data: The GDPR FAQ says that “personal data” is “Any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify that person.” This includes an individual’s “name, photo, email address, bank details, posts on social networking sites, medical information, or a computer IP address.” New York University School of Law’s primer on GDPR delves deeper into this definition: “information such as log-in information, IP addresses, and vehicle identification numbers, though not enabling direct identification of individuals, allow for identification of individuals indirectly and are therefore considered to be personal data.”
- Demonstrated compliance: GDPR expects controllers and processors to “demonstrate” their compliance. Steve Ehrlich, lead analyst for corporate advisory firm Spitzberg Partners, LLC, explains this in American Banker: “Unlike some U.S. regulations, GDPR is not a law that banks can just say they substantially comply with,” he says, “because compliance for GDPR needs to be demonstrated through documentation.”
- Substantial monetary penalties: Non-compliance can result in large monetary penalties, ranging from 2 percent of annual global turnover up to 4 percent of annual global turnover or €20 million.
Security and Privacy Principles of GDPR
In passing GDPR, the EU is the first governmental body to truly acknowledge how quickly the Internet is changing the conversation about data security and personal privacy. It is increasingly clear that breaches are the collateral damage that results from growing amounts of data being uploaded to and/or shared on the cloud from all sorts of devices.
At its core, GDPR establishes a set of principles to protect that data and the corresponding privacy of its owners. These principles can be sorted into three distinct categories …
For an in-depth exploration of the three principles of GDPR, and a quick test to analyze and determine your GDPR liability, we will be publishing a GDPR white paper. We’ll notify you once it’s ready for download.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprise-wide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.