Ready or not, U.S. financial services companies with international operations face new European data privacy rules that take effect on May 25, 2018. Will they be in full compliance with the General Data Protection Regulation (GDPR) on Day 1?
Probably not, according to reports from various surveys and industry conferences. Consequently, the focus shifts back to the European regulators: How strictly will they hold U.S. companies to the deadline?
The current consensus view is that U.S. banks may be on relatively safe ground—for now. However, that is only if they have at least made progress on this complex compliance project, with policies and detailed plans in place; good faith efforts underway to implement them; and staff training in the works.
Even at this late date, however, financial services companies are still struggling with the fundamentals: What is the GDPR? Who must comply? And how should they go about complying?
Many are particularly challenged to understand how their third-party vendors are complying.
Data privacy has always been more closely regulated in Europe than in the U.S. Since 1995, this has taken the form of the European Union's (E.U.'s) Data Protection Directive. Growing internet use, cloud computing, and social media have overtaken the directive, which was also implemented inconsistently in the national legislation of the E.U.'s 28 member states. (The GDPR repeals the 1995 directive; a separate directive adopted alongside the GDPR governs processing by public authorities for law enforcement, crime prevention, and related purposes.)
Because it is a regulation, rather than a directive, the GDPR applies directly in every member state without national implementing legislation, and it aims to harmonize and strengthen data privacy and security protections for individuals in the E.U. Importantly for U.S. companies, these protections cover any of their business that involves processing the personal data of people in the E.U., regardless of the citizenship of those people and regardless of where in the world the processing takes place, as described in more detail below.
It is worth underscoring that the rule applies even in the absence of a physical presence in the E.U.
The high stakes for non-compliance have garnered significant media attention since the GDPR was adopted by the E.U. Parliament in April 2016. Specifically, an organization can be fined up to 4% of annual global revenue, or €20 million ($25 million)—whichever is higher.
New and strengthened obligations in the GDPR, some of which are still evolving, include the following:
Companies covered. The GDPR provides specific rules regarding data “controllers” (e.g., banks, whose control lies in deciding the purpose and means of processing personal data) and “processors” (e.g., third-party vendors, such as mobile banking platforms, that handle the actual processing).
While processors now carry direct statutory obligations and greater liability than they had under the 1995 directive, controllers still retain primary responsibility for personal data protection, including in their selection, contracting, and ongoing oversight of compliant processors.
Types of information. Personal data subject to the GDPR is any information that can be used, directly or indirectly, to identify a customer or prospect, who is referred to as "the data subject." The European Commission lists examples including names, photos, email addresses, bank details, posts on social networking websites, and the IP addresses of computers and other devices.
Definition of processing. This definition is very broad. For example, just storing personal data is considered processing, as are such activities as accessing, collecting, recording, adapting, retrieving, and analyzing. All must be done securely and within the rights of the customer. Data processing innovations must also be assessed in advance of their use for their potential impact on the protection of personal data.
Customer consent. The GDPR will not be satisfied by today’s common “opt-out” consent approaches, which presume agreement to use personal data unless the customer explicitly declines.
Rather, “a statement or clear affirmative action” by the customer is required. Nor can consent be bundled into a long, complicated agreement covering other matters. And, it must not constitute a condition for service.
The purpose for collecting the data should be explicit and limited; consent is not open-ended, covering myriad types of processing or lasting an unspecified length of time. Consent must also be as easy to withdraw as it was to give. Once it is withdrawn, the data must be erased (the "right to be forgotten") unless the company has another lawful basis for retaining it, such as a legal record-keeping obligation.
Additionally, customers should be given access to any of their personal data that is being processed, upon request, along with the reason for processing it, and they should have the right to transfer the data between service providers.
Data protection by design. The regulation mandates that data protection safeguards be built into products and services from the earliest stage of development. Additionally, "privacy-friendly techniques such as pseudonymization will be encouraged, to reap the benefits of big data innovation while protecting privacy," the European Commission has said. (Pseudonymization, in the GDPR's own definition, is processing that replaces identifying fields in a record with artificial identifiers such that the data can no longer be attributed to a specific person without additional information, and that additional information is kept separately under its own technical and organizational controls. Pseudonymized data is still personal data; only truly anonymized data falls outside the regulation.)
Notification of data breaches. Security breaches that may pose a risk to European citizens must be notified within 72 hours to a designated data protection authority (DPA), and they must be reported to affected individuals “without undue delay.” Deliberation among Europe’s governing bodies continues over the details of a one-stop-shop approach under which businesses could deal directly with a single DPA—not 28 of them.
Data protection officers and record-keeping. Expert data protection officers (DPOs) must be appointed and sufficiently resourced by organizations that engage in large-scale systematic monitoring. DPOs should report to top management. Smaller organizations may be exempt from this DPO requirement (among others), unless data processing is their core business.
The GDPR includes explicit provisions for documenting processing activities, their purpose, sharing arrangements, and plans for retention. These may have to be made available to a DPA upon request.
Considerations for U.S. companies
Of course, most U.S. financial services companies already have data privacy policies and procedures in place, in compliance with federal and state regulations. Consequently, at this point in the two-year GDPR transition, the biggest U.S. banks should already have the technology in place to handle GDPR requirements. Their compliance teams should have sufficient flexibility to handle changes as the transition proceeds, given adequate notice.
As such, banks can, in part, apply an established playbook to layer GDPR over their current range of federal and state compliance practices for data privacy, fair lending, financial crime, and other regulatory matters.
Yet it is complicated, and just one example is found in the different windows for notifying authorities in U.S. states (five to 30 days, in some cases) and Europe (72 hours).
Another difference is that while many U.S. companies today conduct post-mortem analyses after data breaches, these are not required. However, they will be under the GDPR, and this is another area in which the E.U. is taking best practice and effectively codifying it.
Thus, one jurisdiction’s regulation does not supplant the other. In the end, a single U.S. company will have multiple laws with which to comply.
The territorial scope of the GDPR has also been a source of complication. For example, the U.S. legal regime as a whole is not recognized by the E.U. as providing adequate protection for European residents' personal data, as noted in a GDPR e-book published by the International Association of Privacy Professionals. Therefore, transfers of personal data from the E.U. to the U.S. must rest on a recognized transfer mechanism, such as standard contractual clauses, binding corporate rules, or certification under the E.U.-U.S. Privacy Shield framework, and the contracts with U.S.-based processors must reflect which mechanism is relied upon.
GDPR compliance examinations may commence in some form or other by the end of this year. Next year, European regulators will have learned enough during their reviews to possibly issue further guidance addressing unanswered questions or ambiguities surrounding the initial, practical implementation of the rule—or even to correct potential flaws in the current regulation.
Between now and then, U.S. financial services companies are expected to become much more aligned with the GDPR, and best practices will also help them address similar regulations arising in other countries around the world. This timeframe and iterative approach constitute a familiar pattern to U.S. bankers, who have experienced a number of regulatory overhauls in the past decade since the global financial crisis.
In summary, GDPR compliance is particularly complicated, and the stakes are unusually high. Underestimating the challenge, or letting too much time elapse before reaching full compliance, risks a damaging barrage of fines, remediation expenses, and reputational harm. Any unfinished GDPR tasks should be dealt with promptly.
About the author
Agnes Bundy Scanlan, a Senior Advisor with Treliant, has a long and distinguished career in global regulation, risk management, and compliance. Her experience includes the creation, development, and execution of numerous global compliance programs for some of the country’s largest financial institutions. Most recently, she was the Consumer Financial Protection Bureau’s (CFPB’s) Supervision Regional Director for the Northeast.