Thousands of American companies, including banks that do business with European customers, need to reckon with the EU’s General Data Protection Regulation, which goes into full effect a year from now.
The GDPR changes the handling of personal and corporate data, particularly in terms of personally identifiable information. The regulation, slated for a May 25, 2018, rollout, already weighs heavily on the European business community, but it comes as a surprise to many U.S.-based enterprises.
Nevertheless, the financial services industry is beginning to evaluate how to tackle the incoming data protection regulation, because many expect financial institutions to become primary targets when GDPR finally comes into play. Financial institutions have a little over a year to come up with a comprehensive approach and plan for managing and securing European consumer data.
There is currently a data privacy shield framework that the U.S. Commerce Department allows for transferring data from Europe to U.S.-based companies. That is not going to help at all with the GDPR; firms are going to have to comply with both.
The International Association of Information Technology Asset Managers identified the top five ways the new EU regulations affect any organization:
- Data breaches. If a company experiences a data breach, it must report it within 72 hours of the company becoming aware of the incident.
- Data protection officer requirement. The EU determined that an individual is necessary to ensure maintenance of data privacy and control at each company doing business in Europe.
- Consent of those providing data. The data controller bears the burden of proof for the data subject’s consent for specified purposes.
- Special handling of data related to Europeans. Any organization that handles personal information of EU citizens such as phone numbers, addresses or any other identifying information will be subject to the GDPR. In addition, any organization receiving the information third-hand will also be subject to the regulation.
- Potential for hefty fines and court penalties. An organization faces fines and court penalties, levied by the member states to protect personally identifiable information, for non-compliance and for breaches.
In a breach scenario involving those customers’ account information, the bank would have to inform the government of whichever country it is in within 72 hours. Fines per breach per person are 10 million Euros (about $11 million) or up to 2% of the financial institution’s revenue.
GDPR goes into effect across all 28 EU nations, and the United Kingdom plans to adopt it despite Brexit, at least for now.
GDPR ensures there is one set of criteria to protect individuals and help companies understand compliance issues when it comes to personally identifiable information.
Every firm that processes or handles data from EU citizens must become aware of GDPR and fully understand the consequences it will have on business processes. Given its far-reaching scope and its penalty structure, the EU’s pending rules warrant serious consideration of what it will take to guarantee complete compliance, especially by American financial institutions.