By Monica C. Meinert

Customer data is a critical component of virtually every modern business—but a new European regulation is about to fundamentally change data privacy for companies worldwide.
Finalized in 2016 and touted by some as the biggest shakeup to data privacy since the creation of the internet, the General Data Protection Regulation—or GDPR—is a sweeping overhaul of how the European Union’s 28 member states will approach the protection and use of personal data by corporate entities. Importantly, its jurisdiction extends beyond the borders of Europe, allowing EU citizens and residents to pursue legal actions against companies outside the EU for violations.
Currently, EU data privacy rights are governed by the Data Protection Directive, which was adopted in 1995 and outlined several key principles for data protection. The GDPR takes data privacy regulation another step forward, explains Donna McPartland, counsel in the privacy, cybersecurity and data protection practice at Arent Fox LLP in Washington, D.C. “This regulation is even broader than [the Directive] from both a jurisdictional perspective and from what is covered materially.”
According to the European Commission, the GDPR applies to “a company or entity which processes the personal data as part of activities of one of its branches established in the EU, regardless of where the data is processed; or a company established outside the EU offering goods/services (paid for or for free) or monitoring the behavior of individuals in the EU.” The regulation defines “personal data” as anything that could identify an individual (referred to as a “data subject” by the regulation), either on its own or when combined with other pieces of data. That means that IP addresses, social media handles and myriad other pieces of information that an organization might collect fall under the scope of the rule.
“The premise is that the individual should have control over their data,” McPartland says. “They have the right to erasure—also known as the ‘right to be forgotten.’ Another new and important individual right under GDPR is the right to data portability,” which refers to a data subject’s right to request their data from a company and have that data transmitted to another data controller.
In addition, the GDPR grants individuals the right to access their data in a free, electronic format, and expands the notion of “privacy-by-design,” which calls for companies to include data protection measures when designing their systems.
With these broad parameters established—and with the price tag for GDPR violations maxing out at the higher of $20 million or 4 percent of annual global turnover—all banks with a web presence should carefully verify whether they will be subject to GDPR compliance.
With an effective date of May 25, affected U.S. institutions should already be well on their way to making necessary changes and system upgrades. “GDPR introduces a lot of new requirements for impacted organizations, from changes in consent models and procedures to a more explicit demand for privacy-by-design,” says Stephanie Quaranta, research director at U.S.-based research and advisory firm Gartner. “Ensuring compliance with these requirements means not only implementing processes that meet the requirements, but making underlying changes in the way both privacy and the rest of the business operate.”
However, “though awareness—and anxiety—is high, the degree to which these businesses are prepared for the May deadline varies,” Quaranta adds. She predicts “that less than 50 percent of impacted businesses will be compliant by May 25.”
So how can banks determine if the GDPR applies?
“Larger, internationally active global banks already know that this applies to them,” notes ABA VP Denyette DePierro. “The difficulty is for smaller, U.S.-based institutions that may not realize it applies. Most banks assume that a rule that applies in the European Union would not apply to a bank in Nebraska that has no global footprint and no interactions with the EU.”
For banks that are uncertain, a good first step is to conduct a privacy risk assessment, McPartland advises. “They need to look at the data that they have for their customers, and see [how many] of their customers are in the EU and if they are regularly doing business with and/or marketing to them. That’s going to be an indicator as to whether or not this law applies to them.”
While the regulation covers EU data subjects, McPartland notes that the data subject must be within the EU when their data is collected. (This would suggest that EU citizens living in the United States would be beyond the scope of the rule. Conversely, a U.S. citizen living abroad in an EU country such as Spain would be covered by the regulation.)
Banks should also pay close attention to how they present themselves on the web and how they’re marketing, McPartland says. “Let’s say you’re doing target-based marketing, using IP addresses to monitor who is using your site and then providing marketing to those individuals. That monitoring activity could potentially implicate you if you are targeting and monitoring EU data subjects.”
In determining whether companies outside the EU would fall under the GDPR, the regulation notes that it should be ascertained whether the entity “envisages offering services to data subjects in one or more member states in the EU.” Offering goods and services to consumers using the language of an EU member state and providing payment options in currencies used by EU countries, for example, could signal that a company “envisages” transacting with EU citizens and residents.
Community banks may find additional clarity from the EU’s dedicated GDPR website, which offers the following example scenario: “Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”
While this would seem to exempt many smaller, U.S.-focused institutions, if a bank concludes after a review that it does have obligations under the GDPR, it should take steps immediately to enhance its data protection framework and bring itself into compliance with the regulation.
Of critical importance is having a strategy for how the company will deal with EU citizens’ data—whether that be to treat it separately from other customer data, or develop an enterprise-wide data strategy that is GDPR-compliant, Quaranta says. She recommends that banks construct a “data map” to help flag potential issues. “Compliance with most of the key GDPR provisions rests on a detailed understanding of where and how data enters the organization, where it’s sent, how it’s used and where it’s stored. There is no better tool for this than a comprehensive data map.”
Data mapping was one part of ANB Bank’s strategy for approaching GDPR compliance, says EVP Jeff Patterson. A $2.5 billion institution based in Colorado Springs, Colo., the bank operates in close proximity to popular travel destinations like Aspen and Telluride that attract visitors from around the globe, and Patterson notes that “there is some amount of European and foreign holdings there for real estate because people like to visit and ski.”
While ANB does not market to customers in EU countries and does not have a significant number of customers transacting within the EU, the bank has already taken several steps to keep itself on the right side of GDPR compliance. These include enhancing privacy policies and disclosures for customers that access the bank’s website from EU countries; creating a data map; developing policies and procedures to respond to an EU citizen’s request to access or delete their data; and modifying the bank’s incident response procedures to ensure that EU citizens can be notified within 72 hours if their data has been involved in a breach—another requirement of the regulation.
Though the process was driven by a regulatory imperative, Patterson adds that there are strategic upsides. “Overall, I think this will help any bank that does it be more transparent about their digital data collection activities and understand them better,” he says. “It’s a good exercise to go through regardless of whether you think [GDPR] applies to you or not.”
Only time will tell exactly what kinds of enforcement actions U.S. banks and other businesses can expect to see under the new regulation. “Each country is going to be able to enforce it on behalf of their citizens,” DePierro notes. “So the way that it might be enforced in Ireland, for example, might be slightly different than how it will be enforced or interpreted in France.”
U.S. regulators thus far have not issued any formal guidance on the GDPR for banks based in the U.S., but DePierro encourages banks to talk to their regulators and primary examiners to see how they plan to approach it. The EU’s Article 29 Working Party—a body made up of representatives from the data protection authority of each EU member state—has also issued guidance on a number of GDPR-related issues that may help shed some light on areas of confusion.
Ultimately, advance preparation will be key for banks looking to steer clear of enforcement actions, McPartland says. “They’re going to look at: What steps have you put in place to provide data privacy and protection? Do you have technical and organizational measures in place to protect the security of personal data? That’s why it’s important to be proactive and put GDPR-compliant measures in place, because you would have a stronger argument to counter significant penalties.”