Are You and Your Vendors Ready for GDPR?


All may be relatively quiet on the regulatory front in the U.S., but this May, new privacy regulations are taking effect in the European Union, and they will likely impact even the most provincial U.S. financial institutions.

The E.U.’s General Data Protection Regulation (GDPR), approved in April 2016, is much broader than the best-known U.S. privacy regulations, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). GDPR will be implemented on May 25, 2018. It protects any information that links to an individual, including names, email addresses, IP addresses, photos and social networking sites, in addition to what Americans consider sensitive customer data. Breaches must be disclosed within 72 hours.

The bad news for U.S. institutions is that GDPR doesn’t just apply to E.U. members. It also applies to organizations outside the E.U. that offer goods or services to, or monitor the behavior of, E.U. data subjects. Simply put, it applies to all companies processing and holding the personal data of subjects residing in the E.U., regardless of the company’s location. This includes both the controller of the data, which is responsible for storage, use and disclosure policies and procedures, and the processor, which houses the data for the controller.

The worse news is that fines are huge: up to four percent of gross revenues for the most egregious violations, including insufficient customer consent to process, and two percent of gross revenues for violations like not having records in order or failing to promptly notify customers and authorities of a breach.

Don’t think this includes you? Think again. These strict privacy regulations can apply to financial institutions in the United States.


    Customers, Clients & Members

    You may not do business overseas directly, but your customers might.

    • Clients or members with dual citizenship. If you have a client or member with dual citizenship, you can fall under this regulation.
    • Clients or members with customers in the E.U. If one of your clients or members has a website that sells products and ships them overseas, you may have E.U. individuals interacting with your institution.

    Vendors

    From global and internet banking to peer-to-peer payment and bill pay, your vendors may be conducting business operations or transactions with individuals in the E.U. If your vendor gets fined under the regulations, the financial damage could have a major impact on its ability to operate. It could also implicate your institution because you are responsible for the actions of your vendors taken in your name.

    Make sure your vendors are ready and limit liability with four key questions:

    1. Are consent forms updated? If a vendor conducts an overseas payment transaction for a U.S. business leveraging your financial institution, you need to ensure consent forms are updated and ready.
    2. Does the vendor have a data protection officer? This is required by GDPR for large-scale processors and monitors of data.
    3. Does the vendor’s process for notification of breaches comply with GDPR? Notification of authorities and customers must occur within 72 hours, a big change for institutions operating in one of the many U.S. states with notification requirements that have much longer timeframes.
    4. Are agreements with vendors updated pursuant to GDPR? Make sure your vendor agreement includes provisions that address GDPR and any other new regulation that comes along.

    Taking the time to ask these questions can save you from potentially larger issues. Don’t assume GDPR doesn’t impact you.