One Year Left to Prepare for EU Data Regulations

May 15, 2017 | CCG Insights

Thousands of American companies, including banks that do business with European customers, need to reckon with the EU’s General Data Protection Regulation, which goes into full effect a year from now.

The GDPR changes the handling of personal and corporate data, particularly personally identifiable information. The regulation, slated for a May 25, 2018, rollout, already weighs heavily on the European business community, but it comes as a surprise to many U.S.-based enterprises.

Still, the financial services industry is beginning to evaluate how to tackle the incoming data protection regulation, because many expect financial institutions to become primary targets once GDPR comes into play. Financial institutions have a little over a year to come up with a comprehensive approach and plan for managing and securing European consumer data.

There is currently a data privacy shield framework that the U.S. Commerce Department allows for transferring data from Europe to U.S.-based companies. That framework does not satisfy GDPR on its own; firms are going to have to comply with both.

The International Association of Information Technology Asset Managers identified the top five ways the new EU regulations affect any organization:

  • Data breaches. If a company experiences a data breach, it must report it within 72 hours of the company becoming aware of the incident.
  • Data protection officer requirement. The EU determined that an individual is necessary to ensure maintenance of data privacy and control at each company doing business in Europe.
  • Consent of those providing data. The data controller bears the burden of proof for the data subject’s consent for specified purposes.
  • Special handling of data related to Europeans. Any organization that handles personal information of EU citizens such as phone numbers, addresses or any other identifying information will be subject to the GDPR. In addition, any organization receiving the information third-hand will also be subject to the regulation.
  • Potential for hefty fines and court penalties. An organization faces fines for non-compliance and for breaches, imposed by the member states to protect personally identifiable information.

The European Commission says banks must have a representative in each country where an accountholder lives. In addition to having a registered agent, Edwards noted, financial institutions must have a data protection officer and an EU-focused privacy policy for members living in Europe. The fines for not complying with GDPR are up to 20 million euros (almost $22 million) per violation or up to 4% of the organization’s annual revenue, whichever is higher.

In a breach scenario involving those customers’ account information, the bank would have to inform the government of the relevant country within 72 hours. Fines per breach per person are 10 million euros (about $11 million) or up to 2% of the financial institution’s revenue.

GDPR not only takes effect across all 28 EU member states; the United Kingdom also plans to adopt it despite Brexit, at least for now.

GDPR ensures there is one set of criteria to protect individuals and help companies understand compliance issues when it comes to personally identifiable information.

Every firm that processes or handles data from EU citizens must become aware of GDPR and fully understand the consequences it will have for business processes. Between its far-reaching scope and its penalty structure, the EU’s pending rules warrant serious consideration of what it will take to guarantee complete compliance, especially by American financial institutions.